Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

Conficker/Downadup Evolves To Defend Itself

Worm develops ability to disable antimalware tools, switch domains more frequently

The enigmatic Conficker worm has evolved, adopting new capabilities that make it more difficult than ever to find and eradicate, security researchers say.

In a blog published late last week, researchers at Symantec said they found "a completely new variant" of Conficker, sometimes called Downadup, that is being pushed out to machines previously infected with earlier versions of the worm.

The new variant, which Symantec calls W32.Downadup.C, appears to have defensive capabilities that weren't present in earlier versions. While it spreads in the same manner, "Conficker.C" can disable some of the tools used to detect and eradicate it, including antivirus and other antimalware detection tools.

W32.Downadup C also can switch domains at a much greater rate, Symantec said. "The Downadup authors have now moved from a 250-a-day domain-generation algorithm to a new 50,000-a-day domain generation algorithm," the researchers reported. "The new domain generation algorithm also uses one of a possible 116 domain suffixes."

A report from CA about Conficker.C confirms Symantec's findings, although the CA researchers said the jump from 500 to 50,000 domains will not occur until April 1.

The ability to quickly switch domains will make it difficult for Internet security organizations, such as ICANN and OpenDNS, to block the domains used by the worm, industry experts note.

The new variant emerges just as some vendors have come out with tools they say will eradicate the worm. Enigma Software today issued a new, free tool that it says will remove Conficker.A and Conficker.B from infected machines. A spokesman says the company has begun work on the new variant. And BitDefender also is offering a free tool it says will remove all variants of the worm.

Perhaps the most disconcerting aspect of the worm is that although it has reportedly infected hundreds of thousands of machines, it does not, as yet, seem to have a purpose. Although it has been contacting domains and spreading itself through various means, security experts say it has yet to be given a task -- such as distributing spam or launching a DDoS attack -- and researchers are still uncertain as to what it might be used for.

And some experts say there may be other exploits that behave like Conficker/Downadup. "BitDefender Labs has been seeing an increase in worms, like Downadup, that have a built-in mathematical algorithm, generating strings based on the current date," says Vlad Valceanu, BitDefender's senior malware analyst. "The worms then produce a fixed number of domain names on a daily basis and check them for updates. This makes it easy for malware writers and cybercriminals to upgrade a worm or give it a new payload, as they only have to register one of the domains and then upload the files."

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message Tim Wilson is Editor in Chief and co-founder of Dark Reading.com, UBM Tech's online community for information security professionals. He is responsible for managing the site, assigning and editing content, and writing breaking news stories. Wilson has been recognized as one ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
The Mainframe Is Seeing a Resurgence. Is Security Keeping Pace?
Ray Overby, Co-Founder & President at Key Resources, Inc.,  8/15/2019
The Flaw in Vulnerability Management: It's Time to Get Real
Jim Souders, Chief Executive Officer at Adaptiva,  8/15/2019
Tough Love: Debunking Myths about DevOps & Security
Jeff Williams, CTO, Contrast Security,  8/19/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
7 Threats & Disruptive Forces Changing the Face of Cybersecurity
This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
Flash Poll
The State of IT Operations and Cybersecurity Operations
The State of IT Operations and Cybersecurity Operations
Your enterprise's cyber risk may depend upon the relationship between the IT team and the security team. Heres some insight on what's working and what isn't in the data center.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-5638
PUBLISHED: 2019-08-21
Rapid7 Nexpose versions 6.5.50 and prior suffer from insufficient session expiration when an administrator performs a security relevant edit on an existing, logged on user. For example, if a user's password is changed by an administrator due to an otherwise unrelated credential leak, that user accou...
CVE-2019-6177
PUBLISHED: 2019-08-21
A vulnerability reported in Lenovo Solution Center version 03.12.003, which is no longer supported, could allow log files to be written to non-standard locations, potentially leading to privilege escalation. Lenovo ended support for Lenovo Solution Center and recommended that customers migrate to Le...
CVE-2019-10687
PUBLISHED: 2019-08-21
KBPublisher 6.0.2.1 has SQL Injection via the admin/index.php?module=report entry_id[0] parameter, the admin/index.php?module=log id parameter, or an index.php?View=print&id[]= request.
CVE-2019-11601
PUBLISHED: 2019-08-21
A directory traversal vulnerability in remote access to backup & restore in earlier versions than ProSyst mBS SDK 8.2.6 and Bosch IoT Gateway Software 9.2.0 allows remote attackers to write or delete files at any location.
CVE-2019-11602
PUBLISHED: 2019-08-21
Leakage of stack traces in remote access to backup & restore in earlier versions than ProSyst mBS SDK 8.2.6 and Bosch IoT Gateway Software 9.2.0 allows remote attackers to gather information about the file system structure.