
Symantec: New Conficker/Downadup Defends Itself Against Defenses

Good news: the Conficker/Downadup worm infection seems to be shrinking. Bad news: the worm-makers have developed a new strategy aimed directly at defeating defenses erected against it.

Symantec security researcher and blogger Peter Coogan points out that the makers of Conficker/Downadup are pushing out new code that targets "antivirus software and security analysis tools with the aim of disabling them."

The new variant, W32.Downadup.C, raises the stakes dramatically in terms of the domain generation algorithm it uses to create the rendezvous domains through which the malware receives its instructions.

Earlier versions of Conficker/Downadup could generate 250 domains a day; registering those domains and sealing them off was among the chief defenses against the worm.

In addition to targeting anti-malware tools, the new version is capable of generating 50,000 domains a day: far too many to make registration or blocking practical. (bMighty asked here last week, "Who wants to bet that future worms don't generate thousands of addresses a day, or more?" A week! And not just thousands a day, but tens of thousands.)
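To make the scaling argument concrete, here is an added example that is not from the article, from Symantec, or from the worm itself: a constructed, date-seeded domain generator (deliberately not Conficker's real algorithm; the seed, label scheme and TLD list are placeholders) paired with the defender's side of the same computation. The point it shows is that the defense the article describes, pre-registering or blocking each day's candidate domains, depends on being able to reproduce the list, and that while registering 50,000 names a day is impractical, precomputing the same 50,000 names into a resolver-side denylist and matching DNS query logs against it costs only compute. The log lines are constructed for the example.

```python
import hashlib

# Constructed toy DGA: NOT Conficker's algorithm. It has the one property the
# article relies on, that anyone who knows the algorithm can reproduce the
# day's domain list in advance.
TLDS = ("com", "net", "org", "info", "biz")
SEED = b"constructed-example-seed"  # placeholder, not a real malware constant


def toy_dga(day_iso: str, count: int) -> list[str]:
    """Derive `count` pseudo-random domains for the day given as 'YYYY-MM-DD'."""
    domains = []
    for i in range(count):
        digest = hashlib.sha256(SEED + day_iso.encode() + i.to_bytes(4, "big")).digest()
        length = 8 + digest[0] % 8                       # labels of 8..15 letters
        label = "".join(chr(ord("a") + b % 26) for b in digest[1:1 + length])
        domains.append(f"{label}.{TLDS[digest[-1] % len(TLDS)]}")
    return domains


def daily_blocklist(day_iso: str, count: int) -> set[str]:
    """Defender side: precompute the same list for resolver-side matching."""
    return set(toy_dga(day_iso, count))


def match_dns_log(log_lines, blocklist):
    """Return (client, qname) for every logged query that hits the precomputed list.

    Constructed log format: "<unix_ts> <client_ip> query <qname>."
    """
    hits = []
    for line in log_lines:
        parts = line.split()
        if len(parts) >= 4 and parts[2] == "query":
            qname = parts[3].rstrip(".").lower()
            if qname in blocklist:
                hits.append((parts[1], qname))
    return hits


# Constructed resolver log: one client asks for a generated name, one does not.
DAY = "2009-03-10"
SAMPLE_LOG = [
    f"1236643200 10.0.0.5 query {toy_dga(DAY, 4)[3]}.",
    "1236643201 10.0.0.6 query www.example.com.",
]


def demo(count: int = 250):
    """Build the day's denylist at the given daily volume and scan the sample log."""
    return match_dns_log(SAMPLE_LOG, daily_blocklist(DAY, count))


if __name__ == "__main__":
    # Registering 50,000 domains a day is not practical, but matching against
    # 50,000 precomputed names in a set is the same one-line lookup as for 250.
    for n in (250, 50_000):
        print(f"{n} candidates/day -> {len(daily_blocklist(DAY, n))} names to match, hits: {demo(n)}")
```

The design point: the denylist approach only works once the generation algorithm has been recovered from the malware and the generator is deterministic per day; if the variant changes the algorithm or the seed, the defender's precomputed list goes stale the same day.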

One of the interesting -- and troubling -- aspects of the variant is that its design is aimed at protecting infected machines rather than spreading itself to new machines. The overall number of infected machines, in fact, appears to be declining as infected machines are cleaned.

But the malware makers' shift to defending the botnet territory they still control is a matter of concern, and a reminder that where this particular botnet is concerned, there are still more than a few (and maybe many more than a few) other shoes waiting to be dropped.