
    Archive for March, 2009



    March 30, 2009, 2:21 am (UTC-7)

    Much has been said about the DOWNAD worm (a.k.a. Conficker) and its enigmatic payload that will supposedly be unleashed on April 1st. There are two days to go until the moment of truth, and the hype isn’t expected to die down. But online threat history tells us that trigger/activation dates of equally hyped malware have come and gone without much fanfare. Whether or not April 1 turns out to be D-Day, the security industry will be keeping an eye out for any malicious activity—as it should.

    What we do know at this point is that the latest variant, which we detect as WORM_DOWNAD.KK (first detected on March 4, 2009), includes an algorithm to generate a list of 50,000 different domains. Five hundred (500) of these will be randomly selected and contacted by infected PCs beginning April 1, 2009, to receive updated copies, new malware components, or additional functional instructions.


    Figure 1. Routines that WORM_DOWNAD.KK will start performing beginning 1 April 2009

    Trend Micro is part of the Conficker Working Group, also called the Conficker Cabal. As part of this group, we must continue to set straight misconceptions surrounding DOWNAD/Conficker and what it’s set to do on the anticipated date. Allow us to reiterate some facts:

    Q: What will happen on April 1, 2009?
    A: Based on our collective technical analysis, we’ve determined that systems infected with the latest version of Conficker will begin to use a new algorithm to determine what domains to contact. We have not identified any other actions scheduled to take place on April 1, 2009.

    Q: Will an updated version of Conficker go out to already-infected systems on April 1?
    A: It is possible that systems with the latest version of Conficker will be updated with a newer version of Conficker on April 1 by contacting domains on the new domain list. However, these systems could be updated on any date before or after April 1 as well, using the “peer-to-peer” updating channel in the latest version of Conficker.

    Q: Should the general public be alarmed? Why or why not?
    A: No, the general public should not be alarmed. Most home users have been protected by Microsoft Security Update MS08-067 being applied automatically.

    Q: Are there any other changes in the latest version of Conficker?
    A: The latest version of Conficker also introduces a new “peer-to-peer” (P2P) updating capability. This capability could enable a system infected by the latest version of Conficker to receive a new version or new instructions by contacting another system infected by Conficker rather than by contacting a domain determined by the domain generation algorithm.

    Q: We hear talk of an impending second phase of attacks from Conficker. What do you anticipate happening next?
    A: There may be a second phase of the threat at some point in time. However, we believe that with a situation like this—which has similarly taken place many times in the past—and given the tremendous amount of attention that this worm has received, as well as industry and law enforcement monitoring, these efforts will be a deterrent to a large second wave of attacks. At the end of the day, we can’t speculate on the intentions of criminals, but what we can do is work to limit the impact of any second phase.

    Q: Why does Conficker continue to spread even though Microsoft issued the update in October?
    A: There is always some percentage of customers who don’t apply an update at any given time, due to a variety of reasons. While most home users have been protected by the patch being applied automatically, once the worm gets a foothold inside an enterprise, it’s difficult to remove and this is where people are having problems.

    Q: Why is Conficker using domain names? Is this a new trend?
    A: It is trying to download malware from these domains and it also uploads infection counts to these domains, but this is not a new trend.

    Q: What is the Conficker Working Group doing about this new algorithm?
    A: The Conficker Working Group has been working continuously to block access to domains that systems infected by Conficker attempt to contact. We are continuing this work and have expanded this effort to include those domains that will be contacted by the latest version of Conficker starting on April 1, 2009.

    Q: What should people who are worried about April 1 and Conficker do?
    A: We recommend that home users who have not yet enabled automatic updates do so and ensure their security software is up to date with the latest signatures.

    We recommend that enterprises continue to focus on the guidance from experts in industry, academia and governments worldwide and continue to deploy the security update MS08-067, ensure their security software has the latest signatures, clean any systems that are infected with any version of Conficker using the tools and guidance we’ve provided, and evaluate additional security best practices in accordance with their organizations’ policies and procedures.
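    The domain list described earlier (50,000 generated names, 500 chosen per day) and the Working Group’s blocking effort above both rest on one property: a domain generation algorithm seeded by the calendar date produces the same list for the worm and for anyone who has reverse engineered it, so the day’s domains can be computed and blocked in advance. The following is an added illustration, not the algorithm in WORM_DOWNAD.KK and not Trend Micro code: a toy date-seeded generator using a SHA-256 hash over the date and an index, a date-seeded random subset, and a coverage check for a blocklist. The names end in the reserved `.example` TLD, so none of them is real.

```python
from __future__ import annotations

import hashlib
import random
from datetime import date

# Toy, date-seeded generator. It is NOT the algorithm in WORM_DOWNAD.KK; it
# only reproduces the property defenders rely on: the worm and the people
# blocking it derive the same candidate list from the same calendar date.
CANDIDATES_PER_DAY = 50_000   # size of the generated list the post describes
CONTACTED_PER_DAY = 500       # subset an infected host actually tries
TLD = ".example"              # reserved TLD (RFC 2606): no real name is produced


def generate_candidates(day: str, count: int = CANDIDATES_PER_DAY) -> list[str]:
    """Derive `count` domain names from an ISO date string such as '2009-04-01'."""
    names = []
    for i in range(count):
        digest = hashlib.sha256(f"{day}:{i}".encode()).hexdigest()
        names.append(digest[:12] + TLD)  # 48-bit label keeps collisions negligible
    return names


def select_contacted(day: str, candidates: list[str], k: int = CONTACTED_PER_DAY) -> set[str]:
    """Pick the k names an infected host would contact on `day`.

    Seeding the RNG with the date makes the choice reproducible, so a
    defender can compute exactly which names matter on that day."""
    rng = random.Random(date.fromisoformat(day).toordinal())
    return set(rng.sample(candidates, k))


def daily_blocklist(day: str) -> set[str]:
    """The names a sinkhole or blocklist needs for one day if it mirrors the selection."""
    return select_contacted(day, generate_candidates(day))


def coverage(blocked: set[str], contacted: set[str]) -> float:
    """Fraction of the day's contacted names that a blocklist actually catches."""
    return len(contacted & blocked) / len(contacted)


if __name__ == "__main__":
    d_day = "2009-04-01"
    today = daily_blocklist(d_day)
    print(f"{len(today)} names selected for {d_day}")
    # Blocking all 50,000 candidates catches everything, whichever 500 are picked.
    print("coverage with full candidate list:",
          coverage(set(generate_candidates(d_day)), today))
```

    The point of `coverage` is the one the Working Group answer makes: whoever cannot predict which 500 of the 50,000 names will be chosen can still block all 50,000, and the selection step then no longer matters.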

    Update as of March 31, 2009 8:30 AM, PST:
    Aside from the threat itself, cybercriminals are also leveraging infected users’ attempts to clean their machines by poisoning searches related to DOWNAD’s removal. Trend Micro Solutions Architect Rik Ferguson reported that searches for strings like nmap conficker and remove conficker generate malicious links. Connecting to these links results in the download of malicious files related to fake AV. The said files are now detected by Trend Micro as TROJ_DLOADER.CXV, TROJ_FAKEAV.AVS, and TROJ_FAKEALER.ES.

    Update as of March 31, 2009 4:00 PM, PST:
    Trend Micro researchers have found a way for users to reach the domains blocked by DOWNAD, especially the security-related ones. Cybercriminals block access to these websites by poisoning the DNS cache or modifying the system’s HOSTS file. To restore access to sites rendered inaccessible by the malware, the user needs to stop the client-side DNS cache service through the procedure given below. Please refer to this page for more details.

    1. Click Start and then Run. (If Run is not in the menu, right-click Start, then choose Properties. Hit Customise, then click on Advanced. Scroll down in the Start Menu Items until you see the check box for Run Command, check the corresponding box, then click OK.)

    2. Now click the Start button again and choose Run. In the Run window, type CMD then click OK.

    3. In the command prompt that appears, type net stop dnscache then press Enter. Exit the command prompt by typing exit then pressing Enter.

    4. Again, click Start then Run. This time, type services.msc in the window then hit OK.

    5. In the listed services, search for DNS Client then check its status. If it states Started or Automatic, double-click on it.

    6. Click the Stop button in the Service status portion.
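    Stopping the DNS Client service addresses the poisoned cache, but the update also names the second mechanism, a modified HOSTS file, which the steps above do not touch. The following is an added example, not part of the original post and not a Trend Micro tool: a small parser that reads a HOSTS file and reports every mapping that is not the stock localhost entry, distinguishing names that have been null-routed (sent to loopback or 0.0.0.0) from names redirected to some other address. The sample file and the `.example` hostnames in it are constructed for the illustration.

```python
import ipaddress

# Constructed sample of a tampered HOSTS file (not taken from a real machine).
# The hostnames are placeholders under the reserved .example TLD.
SAMPLE_HOSTS = """\
# constructed sample: hosts file after tampering
127.0.0.1       localhost
::1             localhost
# the three entries below stand in for malware-added redirects
127.0.0.1       update.av-vendor.example
0.0.0.0         www.security-vendor.example   # null-routed
10.0.0.99       download.av-vendor.example
"""

# The only mappings a stock hosts file needs; everything else is reviewed.
EXPECTED = {("127.0.0.1", "localhost"), ("::1", "localhost")}


def parse_hosts(text):
    """Yield (ip, hostname, line_no) for every mapping in a hosts file.

    Comments after '#' and blank or malformed lines are skipped, so the
    parser does not crash on junk a piece of malware may have appended."""
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # first field is not an address: ignore the line
        for host in fields[1:]:
            yield str(addr), host.lower(), line_no


def suspicious_entries(text):
    """Return every mapping that is not an expected localhost entry.

    A hostname sent to loopback or 0.0.0.0 is effectively blocked (the
    technique the post describes); one sent to any other address is being
    redirected elsewhere. Both are reported with the line to inspect."""
    findings = []
    for ip, host, line_no in parse_hosts(text):
        if (ip, host) in EXPECTED:
            continue
        addr = ipaddress.ip_address(ip)
        if addr.is_loopback or addr.is_unspecified:
            reason = "blocked (mapped to loopback/null address)"
        else:
            reason = f"redirected to {ip}"
        findings.append({"line": line_no, "host": host, "ip": ip, "reason": reason})
    return findings


if __name__ == "__main__":
    # On a real Windows machine the file lives at
    # %SystemRoot%\System32\drivers\etc\hosts; the constructed sample is used here.
    for f in suspicious_entries(SAMPLE_HOSTS):
        print(f"line {f['line']}: {f['host']} -> {f['reason']}")
```

    Any finding here is a line to remove before expecting name resolution for that site to work again; the entries left behind by legitimate software (some development tools write their own) should be recognisable by name, and anything pointing a vendor update host at loopback is not one of them.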



    Malware targeting machines running Mac OS is quickly becoming quite common, with new variants appearing on a seemingly monthly basis. Just last week, our friends at Intego reported a new variant of the RSPLUG Trojan in the wild.

    Taking its cue from the routines of the first RSPLUG malware, this latest incarnation no longer limits itself to porn sites. It has been found hosted on several websites linked to one another, offering keygens, cracks, and serial numbers for Mac applications.

    Detected by Trend Micro as OSX_RSPLUG.B, this malware arrives on an affected system as a downloaded file from the Web and uses the file name serial_Avid.Xpress.Pro.5.7.2.dmg. And like the earlier variant, it also causes the affected system to redirect to a malicious URL by modifying the system’s network settings.

    Worthy of note is its similarity to last month’s Mac Trojan, detected as OSX_KROWI.A, that piggybacked on pirated versions of Apple iWorks 2009 and Adobe Photoshop for Mac. Both incidents appear to ride on the ease-of-use and predictability of software installation on Macs – an apparently successful social engineering ruse.

    The perpetrators of this malware continue to sidestep the difficulty of directly infecting Macs by tapping into the gullibility of users who download and install pirated software. Trend Micro reiterates its advice to users to use legitimate software only to avoid brushes with these types of security concerns. The Smart Protection Network already detects OSX_RSPLUG.B and provides solutions for its cleanup and removal.




    The Trend Micro Content Security team discovered spoofed email messages that pretend to be from Delta Airlines. The fake email message contains a confirmation number for a supposed ticket purchase and a ZIP file. Recipients are told that this file contains details of the travel itinerary.

    Here’s a screenshot of a spammed message:


    Figure 1. Sample spam.

    The ZIP file is, of course, a malicious file detected by Trend Micro as TROJ_DELF.PSZ.


    Figure 2. Malicious file.

    The Trojan automatically runs at every system startup by modifying a registry entry. It has rootkit routines which enable the binary to hide its processes, files, or registry entries. The file also connects to a website to download files. This exposes an infected system to more threats.

    This would not be the first time cybercriminals used airline tickets as bait. A fake American Airlines website was used for phishing late last year. The fact that airline tickets are relatively inexpensive now could also be a factor in the proliferation of these types of threats. Users may think they’re having a free vacation but in fact their PCs are already being infected with malware.

    The Trend Micro Smart Protection Network already blocks TROJ_DELF.PSZ and provides solutions for its cleanup and removal.

    Posted in Malware | 1 TrackBack »



    The misuse of legitimate services continues: after recent reports of cybercriminals exploiting the redirecting service TinyURL to slip past spam filters, legitimate e-card services are now being used as well.

    We have received email samples that arrive as e-cards with the subject header “Regards From Secret Admirer”. The greeting cards were from Regards.com, the web’s largest collection of free greeting cards. The email claims to be sent by a user under the alias “Secret Admirer”, as shown in the email.


    Figure 1. Legitimate email messages from Regards.com

    The email is indeed a legitimate greeting card. When the user clicks on the link provided in the email, they will be redirected to a legitimate Regards.com site. However, it is on this website that the spammer puts his message.


    Figure 2. Spam cloaked in an e-card’s clothing

    This seemingly innocent secret admirer turns out to be an advertiser for an adult dating site, which is also legitimate. The adult website has already addressed the problem by informing redirected users that it has removed from its systems the affiliate responsible for the spamming.

    This threat may not be a massive spamming operation. Regards.com allows the sending of cards to multiple recipients, but that produces only a very limited volume of spam compared to the output of automated spamming tools. Still, what’s notable here is that spammers were able to mask their operation using legitimate websites, a model that could be used in the future for more damaging cybercriminal threats.

    The spammed messages are already blocked by the Trend Micro Smart Protection Network.

    Posted in Spam | 1 TrackBack »



    How much is your data worth? A great deal, perhaps, for most of us. Naturally, cybercriminals keep coming up with new ways to exploit this. The new attack? Taking a page out of the offline criminal syndicates’ book, your data is now being held for ransom–literally.

    This latest bit of malware, detected by Trend Micro as TROJ_FAKEALE.BG, is yet another variant of the notorious fake antivirus malware that has been all the rage in recent months. It arrives as a utility that claims to have found corrupted files on the affected system. To recover the files, you need to download the paid version of the program–which will then proceed to recover the said files.

    The Trojan uses the following interface:


    Figure 1. TROJ_FAKEALE.BG interface.

    In reality, however, it was the malware itself that encrypted the corrupted files. In this case, everything in the user’s My Documents folder is encrypted, thus preventing users from accessing the folder’s contents. The paid version of the program fixes the problem that this malware created, but only after the user has been forced to part with his money – a whopping $50.

    The Trend Micro Smart Protection Network already detects this malicious software and provides solutions for cleanup and removal.




    © Copyright 2011 Trend Micro Inc. All rights reserved. Legal Notice