Computers previously hit by the Conficker worm set for second attack

News by Dan Raywood

New versions of the Downadup/Conficker worm have been detected.

Symantec's Peter Coogan said that the worm, which the company has named ‘W32.Downadup.C’, has been pushed out to systems that are already infected with Downadup, and that the most effective step organisations and end users can take is to ensure that their computers have up-to-date anti-virus software and patches.


Coogan said: “Our analysis of the sample in question is still ongoing and at an early stage, but our initial findings have already revealed some interesting new attributes for this sample. It does not seem to be using any existing or new means to spread the threat to new machines.


“It is targeting anti-virus software and security analysis tools with the aim of disabling them. Any processes found on an infected machine that contain an anti-virus or security analysis tool string are killed.

“Also, in response to the security industry's success in cracking the W32.Downadup.B domain generation algorithm for communicating with the command and control server, the subsequent registration of these domain names for monitoring purposes, and the resulting publication of findings, the Downadup authors have now moved from a 250-a-day domain generation algorithm to a new 50,000-a-day domain generation algorithm. The new domain generation algorithm also uses one of a possible 116 domain suffixes.”


Meanwhile David Harley, director of malware intelligence at ESET, said: “It appears there are interesting developments in the Conficker/Downadup development front. It seems to have two particularly interesting characteristics: it continues to attempt to disable security software like Sysinternals tools and Wireshark by killing processes that contain keywords, and the domain name generation algorithm used by the earlier versions, which has been pretty effectively addressed by the industry so far, has been tweaked to generate many more domain names.”
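Both Coogan and Harley point to the same defender-side consequence of the reworked domain generation algorithm: a host trying tens of thousands of candidate domains a day produces a stream of failed lookups. The following is an added example, not code from the article or from Symantec or ESET, that flags resolver clients returning many distinct NXDOMAIN answers in a short window; the log format, the sample lines, the 60-second window and the threshold of 5 are all assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed resolver log, not from the article: "<timestamp> <client> <qname> <rcode>".
# 10.0.0.9 behaves like a DGA client, 10.0.0.7 retries one name, 10.0.0.5 has a typo.
SAMPLE_LOG = """\
2009-03-06T10:00:01 10.0.0.5 www.example.com NOERROR
2009-03-06T10:00:02 10.0.0.9 qzlkvpw.ws NXDOMAIN
2009-03-06T10:00:04 10.0.0.9 bmtrxuae.cc NXDOMAIN
2009-03-06T10:00:06 10.0.0.9 hgvcqtl.biz NXDOMAIN
2009-03-06T10:00:09 10.0.0.5 exmaple.com NXDOMAIN
2009-03-06T10:00:11 10.0.0.9 plwokcsdj.org NXDOMAIN
2009-03-06T10:00:15 10.0.0.9 mvrtxqb.info NXDOMAIN
2009-03-06T10:00:18 10.0.0.7 printer.corp.local NXDOMAIN
2009-03-06T10:00:19 10.0.0.7 printer.corp.local NXDOMAIN
2009-03-06T10:00:20 10.0.0.7 printer.corp.local NXDOMAIN
2009-03-06T10:00:21 10.0.0.7 printer.corp.local NXDOMAIN
2009-03-06T10:00:22 10.0.0.7 printer.corp.local NXDOMAIN
2009-03-06T10:00:25 10.0.0.9 xcnqwrtpa.net NXDOMAIN
2009-03-06T10:00:31 10.0.0.9 dfjklzvo.cn NXDOMAIN
2009-03-06T10:00:40 10.0.0.9 wqrtpmzx.ru NXDOMAIN
"""

def nxdomain_events(log_text):
    """Group (timestamp, qname) of NXDOMAIN answers by client address."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, client, qname, rcode = line.split()
        if rcode == "NXDOMAIN":
            events[client].append((datetime.fromisoformat(ts), qname.lower()))
    return events

def flag_dga_hosts(log_text, window=timedelta(seconds=60), threshold=5):
    """{client: peak} for clients with >= threshold *distinct* failed names in one window."""
    flagged = {}
    for client, evs in nxdomain_events(log_text).items():
        evs.sort()
        peak = 0
        for i, (start, _) in enumerate(evs):
            # Deduplicate by name so a host retrying one dead name is not flagged.
            names = {q for t, q in evs[i:] if t - start <= window}
            peak = max(peak, len(names))
        if peak >= threshold:
            flagged[client] = peak
    return flagged

def suffix_spread(log_text, client):
    """Distinct top-level suffixes among a client's failed lookups (naive: last label)."""
    return len({q.rsplit(".", 1)[-1] for _, q in nxdomain_events(log_text)[client]})
```

A flagged host that also spreads its failures across many suffixes, as the new algorithm's 116 possible suffixes would, is a stronger candidate for isolation and scanning than one retrying a single misspelt name.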


Harley acknowledged Coogan's view that the Conficker authors are particularly interested in keeping their hold on systems that are already compromised, but noted that this does not mean other systems will not be targeted.


Harley said: “It does suggest that systems already compromised have by no means been abandoned: furthermore, whatever it is the Conficker gang have been cooking up with a view to making use of those compromised systems is likely to be served up sooner, rather than later.”

