January 19, 2011

Conficker/Downad Became Intense

This worm has appeared in four major variants, each with its own way of arriving and attacking: Worm_Downad.A, Downad.AD, Downad.KK and Downad.E. It spreads through pen drives and other removable media, and has also arrived bundled with other malicious software.
This earned the worm a reputation as one of the most notorious pieces of malware ever to enter the threat landscape. In fact, more than two years after its rise to infamy, its variants continue to infect thousands of unpatched systems worldwide.


Its first iteration, Worm_Downad.A, exploited the Server Service vulnerability (MS08-067) present in several Windows versions in order to propagate across the network. Infection was characterized by a spike in traffic to TCP port 445, the SMB port on which the Server Service listens, as the exploit was delivered to other hosts. Once installed, the worm connected to a particular IP address to download an updated copy of itself.


It was notable for its propagation technique, a three-pronged attack designed to take advantage of weak corporate security practices. First, it probed reachable systems for the Server Service vulnerability and sent exploit packets to every host on the network. Second, it dropped a copy of itself into the Recycle Bin folder of every removable and network drive reachable from the infected machine, together with an obfuscated AUTORUN.INF, so the copy would execute whenever a user browsed the infected folder or drive. Third, it enumerated the servers on the network, gathered a list of user accounts on the connected systems, and ran a dictionary attack against those accounts using a built-in password list; where a password matched, it dropped a copy of itself on that system and created a scheduled task to run it. Only the first prong depends on a missing patch; the other two rely on AutoRun being enabled and on weak passwords, which is why patching alone did not stop it.
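The third prong is easy to spot from the target's side if you look for it. The following Python is an added example, not code from the original post: it runs a simple fan-out rule over constructed Windows Security log records, treating a single source that fails logons (Event ID 4625) against many distinct accounts within a minute as a dictionary attack, and reporting any successful logon (4624) or scheduled-task creation (4698) from the same source afterwards as the likely follow-on. The pipe-delimited record layout, the sample records and the thresholds are assumptions made for the example.

```python
# Added example (not from the original post): detect the dictionary-attack
# prong of Downad's propagation from the victim's Windows Security log.
# On the target, the worm's password guessing shows up as a burst of failed
# logons (4625) from one source against many different accounts; a success
# (4624) followed by a scheduled task creation (4698) from the same source
# is the "drop a copy and schedule it" step.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records (assumed layout):
# "timestamp|event_id|target_user|source_workstation|source_ip"
SAMPLE_LOG = """\
2009-01-15T10:00:01|4625|administrator|WS-17|10.0.0.17
2009-01-15T10:00:02|4625|backup|WS-17|10.0.0.17
2009-01-15T10:00:02|4625|jsmith|WS-17|10.0.0.17
2009-01-15T10:00:03|4625|mlee|WS-17|10.0.0.17
2009-01-15T10:00:03|4625|svc_sql|WS-17|10.0.0.17
2009-01-15T10:00:04|4625|guest|WS-17|10.0.0.17
2009-01-15T10:00:05|4624|svc_sql|WS-17|10.0.0.17
2009-01-15T10:00:09|4698|svc_sql|WS-17|10.0.0.17
2009-01-15T10:01:00|4625|jsmith|WS-02|10.0.0.2
2009-01-15T10:03:00|4625|jsmith|WS-02|10.0.0.2
2009-01-15T10:05:00|4624|jsmith|WS-02|10.0.0.2
"""

FAILED_LOGON = "4625"
SUCCESS_LOGON = "4624"
TASK_CREATED = "4698"  # "A scheduled task was created"


def parse(log_text):
    """Parse the pipe-delimited records into dicts with a datetime timestamp."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, eid, user, ws, ip = line.split("|")
        events.append({"ts": datetime.fromisoformat(ts), "eid": eid,
                       "user": user.lower(), "ws": ws, "ip": ip})
    return events


def find_dictionary_attacks(events, window=timedelta(seconds=60), min_accounts=5):
    """Return {source_ip: details} for every source whose failed logons fan
    out over at least `min_accounts` distinct accounts inside `window`.
    A user mistyping their own password (one account, few failures, as
    10.0.0.2 does in the sample) does not trip the rule."""
    by_src = defaultdict(list)
    for e in events:
        by_src[e["ip"]].append(e)

    hits = {}
    for ip, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        fails = [e for e in evs if e["eid"] == FAILED_LOGON]
        sprayed, last_fail, start = set(), None, 0
        for end in range(len(fails)):  # sliding window over the failures
            while fails[end]["ts"] - fails[start]["ts"] > window:
                start += 1
            accounts = {e["user"] for e in fails[start:end + 1]}
            if len(accounts) >= min_accounts:
                sprayed |= accounts
                last_fail = fails[end]["ts"]
        if not sprayed:
            continue
        # Anything that worked after the burst is the probable foothold.
        followed = [e for e in evs
                    if e["ts"] >= last_fail and e["eid"] in (SUCCESS_LOGON, TASK_CREATED)]
        hits[ip] = {
            "accounts": sorted(sprayed),
            "success_after": any(e["eid"] == SUCCESS_LOGON for e in followed),
            "task_after": any(e["eid"] == TASK_CREATED for e in followed),
            "compromised": sorted({e["user"] for e in followed if e["eid"] == SUCCESS_LOGON}),
        }
    return hits


if __name__ == "__main__":
    for src, info in find_dictionary_attacks(parse(SAMPLE_LOG)).items():
        print(f"{src}: guessed {len(info['accounts'])} accounts, "
              f"success={info['success_after']} task={info['task_after']} "
              f"compromised={info['compromised']}")
```

On the sample, 10.0.0.17 is flagged with six guessed accounts, a successful logon as svc_sql and a scheduled task created right after it, while 10.0.0.2 is not. The window and account thresholds are the knobs to tune against your own baseline of failed logons.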


It became well known for its domain generation algorithm, which could reportedly produce a list of 50,000 different domains (a fresh list for each day). Five hundred of these would be randomly selected and contacted by infected systems beginning April 1, 2009 to receive updated copies, new malware components or further instructions. However, with security researchers, ISPs and domain registrars coordinating (through what became the Conficker Working Group) to register or sinkhole the candidate domains ahead of time, the expected update never materialized.
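What made the domain list both a threat and a defensive opportunity is that it was deterministic: every infected host derived the same candidates from the date, so defenders could derive them too and register or sinkhole them in advance. The Python below is an added example and not Downad's actual generator (that was reverse-engineered separately and differs in its details): a date-seeded generator of the shape the post describes, the per-host random choice of 500 domains to contact, and the defender's check of DNS query logs against the day's pre-computed pool. The hash construction, TLD list, name lengths, sample log lines and log format are all assumptions made for the example.

```python
# Added example (not from the original post, and not Downad's real algorithm):
# a minimal date-seeded DGA plus the defender's counterpart that pre-computes
# the day's pool and matches DNS queries against it.
import hashlib
import random

TLDS = ["com", "net", "org"]   # assumed for the example; not Downad's list
DOMAINS_PER_DAY = 50_000       # the post's figure for the daily candidate list
CONTACTED_PER_DAY = 500        # the post's figure for how many get contacted


def generate_domains(day_iso, count=DOMAINS_PER_DAY):
    """Derive the day's candidate domains deterministically from an ISO date
    string such as '2009-04-01'. Every infected host that knows the date
    computes the same list, which is exactly what lets defenders compute it."""
    seed = hashlib.sha256(day_iso.encode()).digest()
    rng = random.Random(seed)  # same date -> same sequence on every host
    letters = "abcdefghijklmnopqrstuvwxyz"
    domains = []
    for _ in range(count):
        length = rng.randint(4, 9)  # assumed length range
        name = "".join(rng.choice(letters) for _ in range(length))
        domains.append(f"{name}.{rng.choice(TLDS)}")
    return domains


def pick_contact_set(day_iso, k=CONTACTED_PER_DAY):
    """Infected-host side: choose k of the day's candidates to try. This
    choice is NOT seeded by the date, so each host picks a different 500;
    a defender knows the pool of 50,000 but not which 500 a host will query,
    which is why the whole pool has to be registered or sinkholed."""
    return random.sample(generate_domains(day_iso), k)


def flag_dga_queries(day_iso, dns_log_lines):
    """Defender side: return (client, qname) for every query whose name is in
    the day's pool. Constructed log format: '<timestamp> <client> <qname>'.
    A trailing dot (FQDN form) is stripped before the lookup."""
    pool = set(generate_domains(day_iso))
    hits = []
    for line in dns_log_lines:
        _ts, client, qname = line.split()[:3]
        if qname.lower().rstrip(".") in pool:
            hits.append((client, qname))
    return hits


def demo(day_iso="2009-04-01"):
    """Build a constructed DNS log with two candidate queries from one host
    and one benign query from another, and return what the check flags."""
    pool = generate_domains(day_iso)
    log = [
        f"{day_iso}T00:00:01 10.0.0.5 {pool[7]}",
        f"{day_iso}T00:00:02 10.0.0.9 www.example.com",
        f"{day_iso}T00:00:03 10.0.0.5 {pool[42]}.",  # FQDN form with trailing dot
    ]
    return flag_dga_queries(day_iso, log)


if __name__ == "__main__":
    for client, qname in demo():
        print(f"{client} queried DGA candidate {qname}")
```

The asymmetry is the point: the pool is cheap for both sides to compute, but the 500 actually contacted are chosen per host, so a defender has to cover all 50,000 names for the day to be sure of intercepting the update, which is what the registrar coordination above amounted to.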

The latest variant, Downad.E, drew further interest from the security industry for its kill date of May 3, 2009, on which it was supposed to stop running. It used random file and service names, deleted the copies and components it had dropped on the network afterward, propagated via the Server Service vulnerability to external IP addresses when Internet access was available and to local addresses when it was not, opened port 5114 and acted as an HTTP server advertised through SSDP broadcasts, and connected to myspace.com, msn.com, ebay.com, cnn.com and aol.com. It left no trace of itself on the host system. It also attempted to reach a known WALEDAC domain, goodnewsdigital.com, to download yet another encrypted file named print.exe, which was verified to be WALEDAC.

