• Registering a Facebook account
• Confirming an email address in Gmail to activate the registered Facebook account
• Joining random Facebook groups
• Adding Facebook friends
• Posting messages to Facebook friends’ walls

Overall, this new component behaves like a regular Internet user that starts to connect with friends in Facebook. All Facebook accounts registered by this component are comparable to a regular account made by a human. The details provided about the account are complete such as a photo, birth date, favorite music, and favorite books, among others. In addition, every account registered is unique in such a way that the details vary for every account registered.

Koobface accomplishes these malicious activities by automating Internet Explorer to perform the task of creating and registering an account. However, it does not proceed and will terminate the process if the affected user is using Internet Explorer 6. Moreover, it employs a check if it has already reached the maximum friend requests set by Facebook or not. Hence, it keeps itself under the radar and does not cause any alarm to Facebook administrators.

This component fetches details from one of the botnet’s available proxy domains.

The messages posted through Facebook’s wall contain a link that leads to the usual fake Facebook or YouTube page hosting the Koobface loader component.

Facebook users are advised to be careful and security conscious. It is probable that the Koobface botnet owns a particular Facebook account. It is a good thing that the Trend Micro Smart Protection Network continues to block malicious URLs spammed by Koobface.

For more tips on using Facebook, users may opt to visit Facebook’s safety and security pages:

• http://www.facebook.com/safety
• http://www.facebook.com/security

Post from: TrendLabs | Malware Blog - by Trend Micro

New Koobface Component Imitates Facebook User

A few days after its appearance, reports suggested that the threat had spread. More than 500,000 unique hosts spread across networks in the United States, China, India, the Middle East, Europe, and Latin America fell prey to the threat. Several residential broadband service providers also reported having an even larger number of infected customers.

New Year, New Variant

In January of this year, a few security websites and media outlets reported a wave of detections of another DOWNAD variant.

This variant first sent exploit packets for a Microsoft Server Service Vulnerability to every machine on the network and to several randomly selected targets over the Internet. It then dropped a copy of itself in the Recycler folder of all available removable and network drives and created an obfuscated autorun.inf file on these drives so it can execute every time a user browsed a network folder or removable drive without actually clicking on the file. It then enumerated the available servers on the network and, using this information, gathered a list of user accounts on the machines.

Afterward, it ran a dictionary attack against these accounts using a predefined password list. If it succeeds, it dropped a copy of itself on the systems and used a scheduled task to execute the worm.

Improved Domain Generation Functionality

In March, the most hyped DOWNAD variant reared its ugly head. WORM_DOWNAD.KK’s additional features included an increased number of generated domains, from the 250 generated by earlier variants to 50,000.

While it only attempted to connect to around 500 randomly selected domains at a time, this modification was seen as an effort to increase the botnet’s chances of survival until it was set to unleash its enigmatic payload on April Fools’ Day.

DOWNAD Uses P2P

April 1 came and went. No signs of the DOWNAD worm were seen until a week after. Threat researchers keeping an eye out for new DOWNAD-related activities saw a new file—the newest worm variant—in infected systems’ Windows Temp folder created exactly on April 7, 2009 at 07:41:21. What was odd about this was that no HTTP download took place around that time though a huge encrypted TCP response from a known DOWNAD/Conficker peer-to-peer (P2P) IP node, which was hosted somewhere in Korea, was found.

This variant was set to stop running on May 3, 2009; ran using random file and service names; deleted dropped components afterward; propagated via an exploit to external IP addresses if the system had Internet access or to local IP addresses if it did not; opened port 5114 and served as an HTTP server by broadcasting via an SSDP request; and connected to sites such as MySpace, MSN, and eBay.

Infection Peaks

In a span of just four months (November 2008–February 2009), the DOWNAD infection count peaked, from initially infecting around 500,000 PCs to 9 million PCs. It certainly wreaked a lot of damage, taking advantage of exploits to spread malicious code as a social engineering ploy. DOWNAD was used to create a botnet that can be utilized for the usual range of threats that lurk in the Web—spamming, distributed denial of service (DDoS) attacks, and spreading FAKEAV. According to Trend Micro Advanced Threats Researcher Ryan Flores, “DOWNAD/Conficker opened the IT security industry’s eyes by exposing several truths and areas that IT professionals commonly overlook.”

Updated Patches Still Key

It has been a year since DOWNAD/Conficker first infected PCs. If we have learned anything from this experience, it should be that most worms spread by exploiting network-based vulnerabilities. That is why it is very important to secure connected devices, and keep them up-to-date with the latest patches.

Of course, this would be hard to do if you use pirated software. So using legitimate software copies is also key to keeping data and even your identity secure, especially in today’s worsening threat landscape.

Post from: TrendLabs | Malware Blog - by Trend Micro

DOWNAD/Conficker Turns 1yr

Apart from dropping malicious files on infected machines, Elite Loader also allows malicious users to upload additional software to targeted systems to steal passwords or deploy spam or distributed denial of service (DDoS) modules that other cybercriminals can use.

The bot’s size is only 8kb, making the dropping process relatively hidden. The bot works perfectly well on the Microsoft XP Service Packs 1, 2, and 3 and Vista OSs and supports multiple job instances.

The malware distribution business seems to have gone public. Elite Loader, for instance, was published by well-known Lonely Wolf—one of the moderators of the underground forum, DaMaGeLaB—with detailed instructions in the archive and even dedicated thread posts. This will make it easy even for script kiddies to create their own malicious code.

Trend Micro detects the variants of the Elite Loader dropper as part of the DLOADER family of Trojans so product users need not worry about being infected. Trend Micro Smart Protection Network™ blocks the download of all malicious files and access to malicious URLs related to this bot.

Non-Trend Micro product users who think their systems may have already been infected can clean their PCs using RUBotted.

Post from: TrendLabs | Malware Blog - by Trend Micro

Elite Loader Goes Public

• Weather Report for Halloween: High Chances of a Storm
• “Halloween Costumes” Bring More Fright Than Expected

But just how scary is the Web 2.0 environment nowadays? Let us run down a list of the scariest threats thus far:

• 2009 saw the emergence or resurfacing of three of the most notorious botnets in relation to information, financial, and identity theft—Koobface, ZeuS, and Ilomo. Botnets control more compromised machines than previously believed. Only a handful of cybercriminals have more than 100 million computers under their control. This means they have more computing power at their disposal than the entire world’s supercomputers combined. It’s no wonder then that more than 90% of all email worldwide is now spam.

Koobface is most known for preying on social networking and micro-blogging site users. It has transcended from its original design of taking over accounts to spread malicious links using the affected users’ credentials to spreading a FAKEAV or its variant to users who just happen to visit a compromised site or to click anywhere on a malicious page where a copy of the malware is hosted.ZeuS/ZBOT

The ZeuS botnet, on the other hand, is best known for ebanking attacks targeting small businesses that do not have full-time IT staff and only 1–2 payroll personnel. It was first introduced by Rock Phishers this April, paving the way for the rise of easy-to-use kits that yielded professional-looking phishing pages. Its latest components, also known as “ZBOT variants,” now come compressed in more and more complex packers.

Ilomo, the third most dangerous botnet, Ilomo, also known as “CLAMPI” or “LOMOL,” is known for injecting code into an affected user’s browser to wait for him/her to connect to one of over 4,000 banking, financial, or Web mail sites so it can steal his/her credentials. It can, however, also “piggyback” on the user’s session to transfer funds from his/her account to a remote one while making a mockery of the bank’s secure login system. The botnet also sells “anonymity as a service” as every infected machine can act as a proxy, allowing cybercriminals to route their illegal activities through different networks and countries, thereby evading detection.

• Tricking users into downloading FAKEAV has been an age-old cybercriminal tactic that apparently has not stopped working. Hence the continuous rise in the number of FAKEAV pushed to unwitting scam victims up to this day. Trend Micro estimates that more than 100,000 users receive messages saying they have been infected by malware while visiting malicious sites and that there are more than 48,000 FAKEAV offerings per month.Apart from its ability to rake in a lot of dough, it is also hard to detect due to its numerous domains and redirectors, giving security experts a hard time tracking all related activities down. FAKEAV will thus continue to plague users for a long time because its ploy works.

• In June 2009, Microsoft broke its December 2008 record of releasing patches for 28 vulnerabilities with the release of 10 security advisories to address 31 vulnerabilities in its OSs and other software.
  Unpatched vulnerabilities can allow cybercriminals to exploit users’ systems. For instance, unpatched vulnerabilities in a system’s browser can allow cybercriminals to run arbitrary code if the user happens to browse through a malicious website, leaving him/her at the mercy of online predators.Microsoft was not alone in this predicament though. Adobe and Firefox have had their share of exploited vulnerabilities as well.

Why do more and more people join the cybercriminal bandwagon? The answer is plain and simple, because there is a lot of money to be made in infecting users. FAKEAV, for instance, sell for an average price of US$50 each. Just imagine how much money cybercriminals can make even if they just sell to a fraction of their target user base!  Our threat research papers provide detailed information of such cybercrime activity, if you’re interested, you can read them here.

And if that isn’t scary enough, Trend Micro’s threat researchers found that the going rates for stolen data (credit card information and user credentials) and for infecting users’ systems continue to rise each year. Cybercriminals never seem to run out of tricks to spread threats to users throughout the Web. No wonder U.S. President Obama officially announced October as the “National Cyber Security Awareness Month!”

Post from: TrendLabs | Malware Blog - by Trend Micro

Trick or Threat?

The websites for both the CapitalOne and Bank of America phishing attacks are all hosted on fast flux domains, and uses wildcarded subdomains. Here’s a list of some of the domains actually used:

• 11qioz.co.uk
• 11qwod.co.uk
• easder1q.co.uk
• f1iiitl.com
• iiizad1z.co.uk
• ij1tli.com
• ltiil1.com
• nekz1mqv.co.uk
• nezz1cza.co.uk
• racder1c.net
• racder1x.com
• raeder1f.net
• rarder1g.com
• raxsder1.com
• t1fliil.tc
• tj1fiil.co.nz
• uunuyr.com
• yyy1yyrd.co.uk
• yyy1yyre.co.uk
• yyy1yyrf.co.uk
• yyy1yyrg.co.uk
• yyy1yyrj.co.uk
• yyy1yyrk.co.uk
• yyy1yyrl.co.uk
• yyy1yyrm.co.uk
• yyy1yyro.co.uk
• yyy1yyrq.co.uk
• yyy1yyrr.co.uk
• yyy1yyru.co.uk
• yyy1yyrv.co.uk
• yyy1yyrx.co.uk

The IP addresses these fast flux domains point to are comprised of residential broadband IP addresses, suggesting that the machines serving the websites’ contents are hosted on compromised residential PCs. The current spam campaigns (digital certificate lure) and its corresponding websites (fast flux, wildcarded subdomains) share the same characteristics like last year’s SSL Certificate spam campaign. A screenshot of last year’s spam campaign is shown below.

It looks like as though the same group has reemerged using the same tactic they’ve used last year. Maybe last year’s campaign has been successful enough that they’re hoping to duplicate the winning formula in the recent spam wave.

Trend Micro users are now protected from this attack through the Smart Protection Network. Non-users of Trend Micro producs, on the other hand, can opt to stay protected by using the eMail ID and Web Protection Add-On.

Post from: TrendLabs | Malware Blog - by Trend Micro

ZBOT and a CapitalOne Phish

Trend Micro Advanced Threats Researcher Joey Costoya believes the subdomains are tailor-made, depending on the recipent’s email address. This makes the email seem legitimate, even if it is not, tricking unknowing users into clicking the URL.

As of this writing, the URLs are already inaccessible. Trend Micro analyzed the domains and subdomains used in this attack and found that they are already blacklisted. The domain was registered for only one year.

Trend Micro Smart Protection Network™ already detects the malicious files as TROJ_ZBOT.CYX and blocks the spammed emails. Non-Trend Micro product users are, on the other hand, advised to use HouseCall, Trend Micro’s highly popular and capable on-demand scanner for identifying and removing viruses, Trojans, worms, unwanted browser plugins, and other malware.

Post from: TrendLabs | Malware Blog - by Trend Micro

Tailor-Made ZBOT Spam Targets Various Companies

1. KOOBFACE knows: KOOBFACE has the capability to steal whatever information is available in your Facebook, MySpace, or Twitter profile. Profile pages of these social networking sites may contain information about one’s contact details (address, email, phone), interests (hobbies, favorite things), affiliations (organizations, universities), and employment (employer, position, salary). So beware, KOOBFACE knows a lot! 
2. KOOBFACE doesn’t just know you through your profile information, they also know what you look like!: Not only does the botnet steal profile information, it also makes sure to put a face to the name by getting one’s profile picture as well.
3. URLs leading to KOOBFACE malware are either in compromised or free Web hosting sites: Yep, call them cheap but the guys behind KOOBFACE are making good use of compromised and free Web hosting sites in spamming KOOBFACE-related URLs. These URLs are spammed in social networking sites with catch phrases like “funny video,” which lead to a fake YouTube or Facebook site, which then leads to KOOBFACE malware. 
4. KOOBFACE zombies are made into Web servers on top of being social networking site spammers: KOOBFACE installs a Web server component into infected machines, which effectively makes the infected machine part of the malware’s distribution network. Infected machines serve fake YouTube or Facebook pages, which then lead to the KOOBFACE malware. 
5. KOOBFACE zombies are able to distribute repackaged versions of the malware: KOOBFACE Web servers are able to use UPX, a popular executable packer program, to pack (compress) the KOOBFACE binaries they serve.
6. Half of KOOBFACE infections occur in the United States: This is not surprising since majority of the social networking site users reside in the United States.  
7. KOOBFACE is able to block IP addresses: Probably in an effort to protect itself against takedown or snooping by curious researchers, KOOBFACE implemented a blockIP routine where traffic coming from a particular IP range is blocked. 
8. KOOBFACE is able to defeat Facebook’s spam filtering: Facebook, MySpace, and Twitter have recently implemented a spam-filtering mechanism where known spam URLs are blocked. KOOBFACE tries to circumvent this by first testing if a KOOBFACE spam URL is blocked by Facebook or not.

So there, some things you may not know about KOOBFACE. If this whets your appetite for more information, you may read our research paper The Heart of KOOBFACE: C&C and Social Network Propagation, fresh off the grill from the White Papers section of TrendWatch.

Post from: TrendLabs | Malware Blog - by Trend Micro

8 Things You Probably Didn’t Know About KOOBFACE

When the user closes the window/tab with the fake Facebook page, a popup window appears. Whatever button the user clicks, this new Koobface variant is downloaded onto the affected system. Here’s a video that illustrates this behavior:

This is the script used by cybercriminals to perform this new routine; it only works for users who used Internet Explorer to visit the fake page:

Figure 1. Koobface Script

The scripts above leaves the user with very little choice – closing the browser window downloads a FakeAV variant (detected as TROJ_FAKEAV.FGR), while clicking anywhere on the web page will download a Koobface loader (detected as WORM_KOOBFACE.AZ).

Post from: TrendLabs | Malware Blog - by Trend Micro

Pick Your Poison: KOOBFACE or FAKEAV?

Figure 1. Infection data by country

The news only gets worse from that point. While three-fourths of the IP addresses in our study were identified with consumer users, the remaining quarter belongs to enterprise users. Because a single IP address for these users is typically identified with a single gateway which may, in turn, be connected to multiple machines in an internal network, the actual percentage of enterprise machines affected by malware may be higher than the IP address data suggests.

Once a machine becomes compromised, it is not unusual to find it has become part of a wider botnet. Botnets frequently cause damage in the form of malware attacks, fraud, information theft and other crimes. In 2009, virtually all malware tracked by Trend Micro experts are used by cybercriminals to steal information.

Currently, the three most dangerous botnets in relation to information, financial and identity theft are:

• Koobface
• ZeuS/Zbot
• Ilomo/Clampi

Overall, botnets control more compromised machines than had been previously believed. Only a handful of criminals (likely a few hundred) have more than 100 million computers under their control. This means that cybercriminals have more computing power at their disposal than the entire world’s supercomputers combined. It’s no wonder then that more than 90 percent of all e-mail worldwide is now spam.

While there isn’t exactly a 1:1 correlation between the top ten countries with compromised machines and the top spamming countries, some correlation does exist:

Figure 2. Compromised systems by country

Using Koobface as an example of a typical botnet, Trend Micro threat experts have established that about 51,000 compromised machines are currently part of this particular botnet. At any time, Koobface uses 5 or 6 command and control centers (C&C) to control these compromised machines. If one C&C domain is taken down by a particular provider, the Koobface gang simply re-registers the same C&C domains with other providers. Between mid-March 2009 and mid-August Trend Micro researchers recorded around 46 Koobface C&C domains.

In comparison, while studying the Ilomo botnet, 69 C&C domains were identified. However this number is difficult to confirm as new domains are added while others removed daily. In addition, the number of infected machines within the Ilomo botnet cannot be ascertained owing to the structure of the botnet itself.

Trend Micro threat experts are committed to ongoing technical research and analysis. Technical reports of the Koobface and Ilomo botnets have been published and can be found in the research and analysis section of TrendWatch.

Fortunately, new technologies are becoming available to counter these ever growing threats. The Trend Micro Smart Protection Network prevents over 1 billion threats from infecting its customers daily.

Trend Micro uses the power of Smart Protection Network to detect and protect against infections. The Smart Protection Network is made up of 3 core areas: Email Reputation, Web Reputation and File Reputation combined with more traditional endpoint anti-spam and anti-malware protection techniques.

Processing over 5 billion customer queries per day, the Trend Micro Smart Protection Network is a next generation cloud-client content security infrastructure designed to block threats before they reach a network. By combining in-the-cloud technologies with smaller, lighter-weight clients, users have immediate access to the latest protection.

Post from: TrendLabs | Malware Blog - by Trend Micro

The Internet Infestation, How Bad Is It Really?

Ilomo has also being active for several years now, and like Pushdo has done so without attracting too much unwanted attention from the security industry. Like Pushdo, the Ilomo threat is quite modular in nature which makes it difficult to see the actions of the overall threat. Added to this is the fact that it uses a commercial virtual machine obfuscator, significantly adding to the effort involved in reverse engineering the malware binaries.

Ilomo has two key components to its business plan. The first is good old fashioned information stealing. Ilomo injects its code into the browser and monitors the internet connection waiting for the user to connect to one of over 4,000 banking, financial or webmail sites. Not content with simply stealing the user’s credentials, Ilomo can also “piggyback” on the user’s session, transferring funds from an infected user’s account and making a mockery of the bank’s secure login system. Ilomo will also harvest all other login credentials from the machine like those for ftp, web servers, local administrators etc. These are then used to spread itself across the network and to take control of web servers online, which it will use to host new versions of the malware.

Ilomo ‘s second source of revenue is selling “anonymity as a service.” Every infected Ilomo machine acts as a proxy so that criminals can route their illegal activities through different networks and countries. In addition to hiding the criminals’ identity this proxy network is very useful for defeating another defense built into many banking sites—namely that they can only be accessed from certain countries. If a criminal needs to access a Brazilian bank, they simply use an infected Ilomo machine in Brazil to route the connection.

We have only touched on some of the high level details of Ilomo in this article, If you want to look at Ilomo in even more detail (and find out about the technical aspects we did not have time to discuss), check out our white paper:

Analysis of Ilomo/Clampi

Post from: TrendLabs | Malware Blog - by Trend Micro

All Your Info Are Belong to Us

So far, we have seen more than 40 distinct messages spammed to Twitter. Here is a sample of the new Koobface campaign.

The following list the messages we have seen spammed in Twitter.

Congratulations! You are on hidden camera!
Congratulations! You are on news!
Congratulations! You are on TV!
Hey! Are you really in that video?
Hey! Is that really you in that video?
Hey! You are on hidden camera!
Hey! You are on news!
Hey! You are on TV!
Holly shit! Are you really in this video?
Holly shit! You are on hidden camera!
Holly shit! You are on news!
Holly shit! You are on TV!
Nice! Your ass looks awesome on this video!
Nice! Your ass looks great on this video!
Nice! Your body looks awesome on this video!
Nice! Your booty looks awesome on this video!
Nice! Your booty looks great on this video!
Saw that video the other day… Did you really do that?
Saw that video the other day… How could you do something like that?
Saw that video the other day… How could you do such a thing?
Saw that video the other day… Why did you do that?
Saw that video yesterday… Did you really do that?
Saw that video yesterday… How could you do something like that?
Saw that video yesterday… How could you do such a thing?
Saw that video yesterday… Why did you do that?
Sweet! Your ass looks awesome on this video!
Sweet! Your ass looks great on this video!
Sweet! Your body looks great on this video!
Sweet! Your booty looks awesome on this video!
Wow! Are you really in that video?
Wow! Are you really in this video?
Wow! Is that really you in that video?
You were caught on our hidden camera!
You were caught on our secret camera!
You were caught on our stealthy camera!
You were seen on our hidden camera!
You were seen on our secret camera!
You were seen on our stealthy camera!
You were sighted on our hidden camera!
You were sighted on our secret camera!
You were sighted on our stealthy camera!

All of those messages come with a URL pointing to a copycat Facebook website, which will try to install setup.exe—the Koobface malware.

Trend Micro Smart Protection Network blocks the malicious URLs in this attack so that users never get to download the malicious file. The malicious file, nevertheless, is already detected as WORM_KOOBFACE.V.

Post from: TrendLabs | Malware Blog - by Trend Micro

Koobface Ramps Up Its Twitter Campaign

Although not as large and widespread compared to Storm or Waledac during their heydays, Koobface is a revolutionary malware in the sense that it is the first Web 2.0 threat to enjoy continuous success, which is significant in a time when social network sites reign supreme.

This is why we see it as important that we understand this threat, because the computing landscape is evolving and user behavior is changing, and with a malware like Koobface threatening the computing landscape, it is a Trend Micro duty stay on top of these threats.

If you want to know more about Koobface, feel free to read our research here: The Real Face of KOOBFACE.

Post from: TrendLabs | Malware Blog - by Trend Micro

The Real Face of KOOBFACE

In the old KOOBFACE architecture (see Figure 1), the downloader directly connects to an available C&C to receive commands. However, the new command seen early this week actually changes the KOOBFACE botnet architecture to something more like the diagram in Figure 2.

This new command acts as a redundancy layer to the old architecture and probably as a response to KOOBFACE domain takedowns. The upgraded KOOBFACE architecture makes it possible for the KOOBFACE botnet to survive even if all of its C&C domains are shut down given that the list of IP addresses (KOOBFACE zombies) can also host updated KOOBFACE commands and components.

KOOBFACE made waves in social networking sites by using infected users’ profiles to infect other users and therefore propagate. We have chronicled its activities in the following blog posts:

• KOOBFACE Increases Twitter Activity
• New KOOBFACE Component: a DNS Changer
• KOOBFACE Tweets
• KOOBFACE Tries CAPTCHA Breaking
• New Variant of KOOBFACE Worm Spreading on Facebook
• Worms Wriggling Their Way Through Facebook

Post from: TrendLabs | Malware Blog - by Trend Micro

New KOOBFACE Upgrade Makes It Takedown-Proof

Just a few hours ago, Koobface has increased its Twitter activity, sending out tweets with different URL links pointing to Koobface malware.

This is in contrast to previous Koobface Twitter activity wherein only three TinyURLs pointing to Koobface were used.

As of writing, there are a couple of hundred Twitter users affected by Koobface in the past few hours, but dozens more are being infected as we speak.

We advise Twitter users to avoid clicking URLs on tweets, specially if the tweet advertises a home video.

Update 1:

It seems this Koobface problem in Twitter is getting bigger and bigger, prompting Twitter itself to temporarily suspend infected user accounts.

Update 2:

Koobface and most of its components can be cleaned by our standalone cleaner Sysclean. You may download Sysclean here.

Post from: TrendLabs | Malware Blog - by Trend Micro

Koobface Increases Twitter Activity

Exactly three months ago, the whole IT sector was waiting with bated breath for April 1. The latest DOWNAD/Conficker variant–WORM_DOWNAD.KK–was poised to strike. We know that on that day, it would attempt to access 500 of 50,000 websites and download new malicious files. This led to fears–somewhat misplaced–that new, possibly damaging payloads could cause severe problems, not just for systems already affected by DOWNAD but the Internet as a whole. Many sectors assumed the worst.

April 1 came and went, and… nothing happened. Several days later, another variant appeared, but without the Internet ending (as some of the worst reporting would have led readers believe) most people believed that DOWNAD, as a major threat, was gone.

While it may no longer be as in the news at it was at its height, DOWNAD didn’t suddenly go away. Recent estimates from the Conficker Working Group place the number of unique IP addresses affected by the top 3 DOWNAD variants at well over 5 million. Even considering the group’s disclaimer of putting the number of actually infected systems at only 25-75% of that number, a minimum of 1.25 million infected systems is nothing to laugh at.

The Trend Micro World Virus Tracking Center (WTC) numbers bear this out as well. Almost 790,000 systems were found to be infected with DOWNAD variants in the first three months of the year. In the three succeeding months, that number was almost 1.9 million. Clearly, DOWNAD did not decide to quietly go away.

In addition, out of the public eye, DOWNAD went off and did something with all those infected systems: it went off and formed its own botnet. This was documented in mid-April by Advanced Threat Researchers Paul Ferguson and Ivan Macalintal. The short version, however, is simpler: DOWNAD was used to create a botnet. These can be used for the usual range of threats: spam, Denial of Service attacks, spreading FAKEAV malware, and so on.

Like it or not, malware threats are part of what users have to deal with day in, day out. Like anything people deal with regularly, people become used to malware threats. What was once noteworthy and unusual becomes dull and ordinary. However, this in fact does not make the threat any less dangerous. If anything, it can be argued that it makes the threat more dangerous, as users are more likely to be caught unaware of a threat that may not be something they’re looking out for.

In a very real way, threats like DOWNAD become part of the background noise that is a part of life on the Internet. While it may be unrealistic to expect individual users to keep in mind all threats, but good computing practices will help immensely. The most important one may be: keep your software up to date. This is particularly true for your operating system–a properly patched system would have been proof against most DOWNAD variants. Trend Micro users would have been protected via the Smart Protection Network, of course, but closing the underlying vulnerability would still have been essential.

The price of using your computer freely in today’s Internet may well be constant and unceasing vigilance.

Post from: TrendLabs | Malware Blog - by Trend Micro

Three Months Later: Where’s DOWNAD?