A few days after its appearance, reports suggested that the threat had spread. More than 500,000 unique hosts spread across networks in the United States, China, India, the Middle East, Europe, and Latin America fell prey to the threat. Several residential broadband service providers also reported having an even larger number of infected customers.

New Year, New Variant

In January of this year, a few security websites and media outlets reported a wave of detections of another DOWNAD variant.

This variant first sent exploit packets for a Microsoft Server Service Vulnerability to every machine on the network and to several randomly selected targets over the Internet. It then dropped a copy of itself in the Recycler folder of all available removable and network drives and created an obfuscated autorun.inf file on these drives so it can execute every time a user browsed a network folder or removable drive without actually clicking on the file. It then enumerated the available servers on the network and, using this information, gathered a list of user accounts on the machines.

Afterward, it ran a dictionary attack against these accounts using a predefined password list. If it succeeds, it dropped a copy of itself on the systems and used a scheduled task to execute the worm.

Improved Domain Generation Functionality

In March, the most hyped DOWNAD variant reared its ugly head. WORM_DOWNAD.KK’s additional features included an increased number of generated domains, from the 250 generated by earlier variants to 50,000.

While it only attempted to connect to around 500 randomly selected domains at a time, this modification was seen as an effort to increase the botnet’s chances of survival until it was set to unleash its enigmatic payload on April Fools’ Day.

DOWNAD Uses P2P

April 1 came and went. No signs of the DOWNAD worm were seen until a week after. Threat researchers keeping an eye out for new DOWNAD-related activities saw a new file—the newest worm variant—in infected systems’ Windows Temp folder created exactly on April 7, 2009 at 07:41:21. What was odd about this was that no HTTP download took place around that time though a huge encrypted TCP response from a known DOWNAD/Conficker peer-to-peer (P2P) IP node, which was hosted somewhere in Korea, was found.

This variant was set to stop running on May 3, 2009; ran using random file and service names; deleted dropped components afterward; propagated via an exploit to external IP addresses if the system had Internet access or to local IP addresses if it did not; opened port 5114 and served as an HTTP server by broadcasting via an SSDP request; and connected to sites such as MySpace, MSN, and eBay.

Infection Peaks

In a span of just four months (November 2008–February 2009), the DOWNAD infection count peaked, from initially infecting around 500,000 PCs to 9 million PCs. It certainly wreaked a lot of damage, taking advantage of exploits to spread malicious code as a social engineering ploy. DOWNAD was used to create a botnet that can be utilized for the usual range of threats that lurk in the Web—spamming, distributed denial of service (DDoS) attacks, and spreading FAKEAV. According to Trend Micro Advanced Threats Researcher Ryan Flores, “DOWNAD/Conficker opened the IT security industry’s eyes by exposing several truths and areas that IT professionals commonly overlook.”

Updated Patches Still Key

It has been a year since DOWNAD/Conficker first infected PCs. If we have learned anything from this experience, it should be that most worms spread by exploiting network-based vulnerabilities. That is why it is very important to secure connected devices, and keep them up-to-date with the latest patches.

Of course, this would be hard to do if you use pirated software. So using legitimate software copies is also key to keeping data and even your identity secure, especially in today’s worsening threat landscape.

“We continue to see infection rates at a very high level, especially for the A and B variants [of Conficker],” says Andre DiMino, director of the Shadowserver Foundation, which tracks Conficker infections for the Conficker Working Group. “We’ve done a good job at getting a grasp on Conficker itself and its architecture, and have also had great response from groups within the Conficker Working Group. Now we just need to be a little more aggressive in remediation and with more awareness to really make a concerted effort to get this thing cleaned up.”

What concerns security researchers is that despite all of the resources and attention being poured into eradicating Conficker — Microsoft even offers a $250,000 bounty to catch the people behind the worm — infections just keep coming worldwide. “It continues to be a giant engine idling, and we wait and see what they’re going to do with it,” DiMino says.

DiMino worries that all of the hype surrounding the April Fool’s Day Conficker event that never was lulled users into a false sense of security that they are immune to Conficker, and that it’s considered old hat now compared with other threats.

But no current threats exist with the volume of infections Conficker has amassed, according to Shadowserver’s calculations. Even as it experienced a typical slight weekend dip, Conficker was still at 5.5 million infected IP addresses as of yesterday for A and B variants, down from 6 million on Friday. Shadowserver’s data shows most of the infected machines in Brazil and China, with Vietnam not far behind.

Microsoft, meanwhile, says of all of the attacks exploiting the MS08-067 vulnerability, Conficker accounts for more than 3 million threat reports versus about a half million for all other vulnerabilities exploiting the bug, which can allow remote code execution via a rogue RPC request handled by Microsoft Windows Server Service. Microsoft researchers presented that and other data at the Virus Bulletin conference in Geneva last week.

Security experts say Conficker’s sheer size has a lot to do with how difficult it is to fully remove it from an infected machine. Mikko Hypponen, chief research officer F-Secure, says many of the infected machines are ones that were reinfected with Conficker.

“It sets very tricky ACL rights to files and registry keys it creates,” Hypponen says. “Removing it manually is almost impossible. And making [Conficker removal] tools available took much longer than with any other worm, as this one was so complicated.” Marcus Sachs, director of the SANS Internet Storm Center, says Conficker is able to snap up so many victims because such a large attack surface of machines on the Internet aren’t properly patched. “It is highly likely that many machines that were previously infected, then cleaned, got reinfected due to users either not finishing the cleaning by applying the patches [closing the hole that allowed the infection in the first place], which then leads to a subsequent reinfection, or by accidentally uninstalling the patch or update that closed the hole,” Sachs says. “But there are hundreds of millions of computers on the Internet. That is a large attack surface, and it’s possible that Conficker can still claim millions more victims just due to user carelessness.”

F-Secure and Microsoft are among the security vendors that offer Conficker removal tools. Hypponen says most of the infected machines are from Brazil, China, Vietnam, Russia, Indonesia, India, the Philippines, Thailand, South Korea, and Ukraine. “The USA is at the bottom of the list. Conficker is not a major problem in the U.S. or Europe anymore,” he says.

Although the numbers aren’t broken down by consumers versus businesses, most security experts say Conficker is mainly a consumer and small to midsize business problem, especially among SMBs in developing nations. According to recent data from Damballa, Conficker is no longer one of the top 10 botnets infecting enterprises.

The C variant of Conficker is decreasing, while infection rates of the A and B version are on the rise, according to F-Secure’s Hypponen.

“[Conficker] will never stop spreading. There are tons of computers out there that can still get infected. Users just don’t get it. And there’s just so much a single working group can do,” he says. “Still, I do think the Conficker Working Group is the best example of cross-industry cooperation I’ve seen in my 19-year career in this field.”

No one knows for sure what Conficker’s operators plan to do with the botnet. And researchers won’t comment on any clues or information they have gathered on the bad guys behind it. “The malware writers were obviously professionals. Conficker’s main goal is to spread to as many machines as possible and eventually build a network of computers, which they can use to install other malware through an update mechanism,” Microsoft researcher wrote in their paper for the Virus Bulletin conference.

Shadowserver’s DiMino says it’s hard to tell whether the same gang behind Conficker is still pulling the strings, or whether it has “co-opted” with another group. “Are we at a high-noon standoff with the Conficker guys right now? It’s hard to say. But potential for harm is great, and that’s why we have to try to stay in lock-step with them,” he says.

So far, Conficker hasn’t been used for large DDoS botnets as was once feared, SANS ISC’s Sachs says. “It might be an out-of-control experiment, it might be a test to see how well the responders respond, or it might be the seeds of a future attack that we have not thought of yet,” Sachs says. “Only time will tell.”

April 1 came and went, and… nothing happened. Several days later, another variant appeared, but without the Internet ending (as some of the worst reporting would have led readers believe) most people believed that DOWNAD, as a major threat, was gone.

While it may no longer be as in the news at it was at its height, DOWNAD didn’t suddenly go away. Recent estimates from the Conficker Working Group place the number of unique IP addresses affected by the top 3 DOWNAD variants at well over 5 million. Even considering the group’s disclaimer of putting the number of actually infected systems at only 25-75% of that number, a minimum of 1.25 million infected systems is nothing to laugh at.

The Trend Micro World Virus Tracking Center (WTC) numbers bear this out as well. Almost 790,000 systems were found to be infected with DOWNAD variants in the first three months of the year. In the three succeeding months, that number was almost 1.9 million. Clearly, DOWNAD did not decide to quietly go away.

In addition, out of the public eye, DOWNAD went off and did something with all those infected systems: it went off and formed its own botnet. This was documentedin mid-April by Advanced Threat Researchers Paul Ferguson and Ivan Macalintal. The short version, however, is simpler: DOWNAD was used to create a botnet. These can be used for the usual range of threats: spam, Denial of Service attacks, spreading FAKEAV malware, and so on.

Like it or not, malware threats are part of what users have to deal with day in, day out. Like anything people deal with regularly, people become used to malware threats. What was once noteworthy and unusual becomes dull and ordinary. However, this in fact doesnotmake the threat any less dangerous. If anything, it can be argued that it makes the threat more dangerous, as users are more likely to be caught unaware of a threat that may not be something they’re looking out for.

In a very real way, threats like DOWNAD become part of the background noise that is a part of life on the Internet. While it may be unrealistic to expect individual users to keep in mind all threats, but good computing practices will help immensely. The most important one may be: keep your software up to date. This is particularly true for your operating system–a properly patched system would have been proof against most DOWNAD variants. Trend Micro users would have been protected via the Smart Protection Network, of course, but closing the underlying vulnerability would still have been essential.

The price of using your computer freely in today’s Internet may well be constant and unceasing vigilance.

On non-Home versions of Windows (for example, Windows XP Professional, Vista Ultimate): 

1. Click Start, click Run, enter gpedit.msc (launch Group Policy Editor); 
2. XP users: Open Computer Configuration | Administrative Templates | System, 
Vista users: Open Computer Configuration | Windows Components | AutoPlay Policies; 
3. Find Turn Off AutoPlay in the right-hand pane and double-click it; 
4. Choose Enabled and set it for All drives.

Or, in any Windows version:

1. Launch the Registry editor (Start | Run | regedit); 
2. Navigate to HKEY_CURRENT_USER\Software\Microsoft\Windows\ 
CurrentVersion\Policies\Explorer; 
3. Double-click NoDriveTypeAutoRun in the right-hand pane and set its value to hexadecimal FF.

Good Luck and be sure to try this out if you browse the internet a good bit and also use your flash drive with your computer and others! If you have any questions or comments on how to do this feel free to leave a comment and I will be glad to help any way I can in getting you all setup!

The belated updates were spotted by researchers for Trend Micro following the arrival of a new file in one of the directories in so-called “honeypot” machines deliberately seeded with Conficker C. Analysis showed that the file had arrived via the peer-to-peer file transfer system that infected machines use to communicate. In a bid to avoid alerting people to its activity, the update is slowly being trickled across the population of machines harbouring the C variant. Exact figures for the number of Conficker-infected machines are hard to determine, but the minimum is widely believed to be three million.

“The Conficker/Downad P2P communications is now running in full swing,” wrote Ivan Macalintal from Trend Research on the company’s security blog. Once it arrives on a machine, the package of data randomly checks one of five different websites – MySpace, MSN, eBay, CNN and AOL – to ensure its host still has net access and to confirm the current time and date. Following this check the data package removes all traces of its installation.

The strong encryption on the payload has, so far, prevented detailed analysis of what it actually does. However, security experts speculate that it is a “rootkit” that will bury itself deep in Windows in order to steal saleable data such as bank website login details. Security researchers are continuing to analyse the payload to get a better idea of what it is intended to do.

Symantec said it too had noticed the increased activity of Conficker and its analysis suggested a link with another well-known virus called Waledac. This malicious program steals sensitive data, turns PCs into spam relays and opens up a backdoor so the machine can be controlled remotely. The security firm noticed that the update also included an instruction to the worm to remove itself on 3 May, 2009. However, the Waledac imposed backdoor on the machine will remain open, so its creators can still control compromised PCs.

“Think of it as an updated module that’s more aggressive, more robust in defending itself,” Weafer says.

The W32 Downadup.C variant was discovered Friday in a Symantec honeypot and is still under investigation. Symantec expects to identify additional capabilities shortly, says Weafer, who adds that Symantec has not yet seen W32.Downadup.C in customer networks directly. Earlier versions of Downadup did attempt to disable anti-virus software, but the third version represented in the Downadup.C module is designed mainly to provide more protective actions to infected Windows-based machines so they can better defend themselves from anti-virus software and other eradication methods.

“It’s more aggressive, it has more services,” says Weafer.

So this is just another good reason to keep your Windows computer up-to-date with all the latest updates and to have good anti-virus software running at all times. Also remember to just use some common sense when browsing the internet as thats where the majority of these types of infections come from (along with emails) because people don’t pay attention when they are browsing around different websites.

Lastly, if you are in need of some good anti-virus software but seem to be somewhat short on cash… you should probably check out these two awesome (and free) anti-virus programs: AVG Free & Avast Free!