W32.Downadup.C Digs in Deeper

March 7, 2009 – 7:46 AM

Symantec’s ongoing monitoring of Downadup (a.k.a. Conficker) has today resulted in the observation of a completely new variant being pushed out to systems that are already infected with Downadup. After taking into account the hype surrounding some other recent reports of variants of Downadup, Symantec is calling this new variant W32.Downadup.C.

Our analysis of the sample in question is still ongoing and at an early stage, but our initial findings have already revealed some interesting new attributes for this sample. It does not seem to be using any existing or new means to spread the threat to new machines. It is targeting antivirus software and security analysis tools with the aim of disabling them. Any processes found on an infected machine that contain an antivirus or security analysis tool string from the list below are killed:

•    wireshark
•    unlocker
•    tcpview
•    sysclean
•    scct_
•    regmon
•    procmon
•    procexp
•    ms08-06
•    mrtstub
•    mrt.
•    mbsa.
•    klwk
•    kido
•    kb958
•    kb890
•    hotfix
•    gmer
•    filemon
•    downad
•    confick
•    avenger
•    autoruns

Also, in response to the security industry’s success in cracking the W32.Downadup.B domain-generation algorithm for communicating with the command & control server, the subsequent registration of these domain names for monitoring purposes, and the resulting publication of findings, the Downadup authors have now moved from a 250-a-day domain-generation algorithm to a new 50,000-a-day domain generation algorithm. The new domain generation algorithm also uses one of a possible 116 domain suffixes.

These early findings may suggest that the Downadup authors are now aiming for increasing the longevity of the existing Downadup threat on infected machines. Instead of trying to infect further systems, they seem to be protecting currently infected Downadup machines from antivirus software and remediation. Also, currently we are not seeing an increase in customer infections for this threat but are keeping a close eye on it.

Symantec is continuing to work with other industry leaders to mitigate the spread and damage caused by W32.Downadup. The most effective step that organizations and end users can take is to ensure that their computers have up-to-date antivirus software and patches.

Source:
https://forums2.symantec.com/t5/Malicious-Code/W32-Downadup-C-Digs-in-Deeper/ba-p/393245#A249