The estimated number of infected hosts is several million worldwide, and it is still growing.
The Downadup or Conficker worm is designed to call back home and receive further instructions.
The worm has other names:
Like other worms, an infected machine scans the network looking for vulnerable machines, but the worm has other ways of propagating: it scans the company network trying to guess passwords using hundreds of common words, then infects those machines. It will also try to infect removable USB sticks and propagate using autorun.inf.
Once infected, the worm disables many security services on the victim machine and blocks access to some sites, such as Microsoft's and most anti-virus sites.
Obfuscated autorun.inf file analysis:
McAfee analysts discovered that the exploit used in this worm was built with Metasploit, which raises concern about security tools being used by the bad guys.
In its early releases, the worm exposed the machine to fake security software, earning $30 per sale.
The way the worm calls home is a new technique. Using a complicated algorithm that changes on a daily basis, the worm generates many possible domain names every day and tries to connect to them. It is impossible to shut down all possible domains, because many of them are never registered; this gives the people controlling the worm the ability to select the time and the domain they want to use to take control of the infected machines. F-Secure managed to play the same game, predicted an unregistered domain name, and used it to control the worm.
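The daily domain-generation behaviour described above leaves a footprint a defender can look for: one host resolving a burst of random-looking names, most of which do not exist. The script below is an added example (not from the original post or from any vendor tool); it assumes a constructed resolver log format of "time client name rcode", and the length and entropy thresholds are assumptions to tune per environment.

```python
import math
import re
from collections import defaultdict

# Constructed sample resolver log lines (not real telemetry):
# "<time> <client_ip> <queried_name> <response_code>"
SAMPLE_LOG = """\
10:00:01 10.0.0.5 www.microsoft.com NOERROR
10:00:02 10.0.0.5 update.example-av.net NOERROR
10:00:03 10.0.0.9 qhvtkrxmz.biz NXDOMAIN
10:00:03 10.0.0.9 pwxlqzbfj.org NXDOMAIN
10:00:04 10.0.0.9 kjtrzvqmx.net NXDOMAIN
10:00:04 10.0.0.9 mzqlvxrtk.info NXDOMAIN
10:00:05 10.0.0.9 xvtrzqlmp.com NXDOMAIN
10:00:06 10.0.0.9 intranet.corp.example NOERROR
10:00:07 10.0.0.5 typo.exmaple.com NXDOMAIN
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")

def label_entropy(name):
    """Shannon entropy (bits per character) of the leftmost DNS label."""
    label = name.split(".")[0].lower()
    if not label:
        return 0.0
    counts = defaultdict(int)
    for ch in label:
        counts[ch] += 1
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def looks_generated(name, min_len=8, min_entropy=2.5):
    """Heuristic: long, high-entropy leftmost label (thresholds are assumed)."""
    label = name.split(".")[0].lower()
    return len(label) >= min_len and label_entropy(name) >= min_entropy

def flag_dga_clients(log_text, nx_threshold=3):
    """Return {client_ip: count} for clients with at least nx_threshold
    NXDOMAIN answers to random-looking names: the call-home pattern."""
    suspicious = defaultdict(int)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than crash on them
        _ts, client, qname, rcode = m.groups()
        if rcode == "NXDOMAIN" and looks_generated(qname):
            suspicious[client] += 1
    return {c: n for c, n in suspicious.items() if n >= nx_threshold}
```

A single typo lookup (the `typo.exmaple.com` line) stays below the threshold, so only the host with a burst of failed random-looking lookups is reported.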
- Patch your systems with MS08-067; the patch was released in late October 2008
- Use long, difficult passwords
- MS Malicious Software Removal Kit is able to detect and clean the worm
- Disable the autorun feature:
F-Secure disinfection tool:
My blog entry about the early worm:
In-depth analysis of memory injection, and how Conficker is injected into rundll32.dll to bypass the firewall and HIPS.
And here is a tool to detect a list of C&C domain names: