There have been some concerns over whether another new Conficker variant (DOWNAD for Trend Micro) has been released or not. Recall that in January, we have witnessed cybercriminals update WORM_DOWNAD.A‘s routines to include being able to propagate via more channels to become WORM_DOWNAD.AD. Reports talk of yet more updated functionalities in a more recent Conficker run.

This variant, which we also detect as WORM_DOWNAD.AD, has brought in two new paths for binary validation and execution. Both bypass the use of Internet Rendezvous points which, for the earlier variant, is used by bot masters to make contact with DOWNAD drones for tracking or new payload updates:

• One path is in an extension to netapi32.dll which checks for URLs in RPC traffic. If valid, the file from the URL is downloaded, and if the file is valid for the malware’s purposes, the file is executed.
• The other new path is when the malware creates a named pipe which it will use to receive any URL sent by the botmaster, much like a backdoor. The malware reads from the named pipe and, if it does not return an error, passes it to another function which will then download, validate and execute a file.

Fortunately for Trend Micro users, Smart Protection Network has been protecting their computers early on since Trend Micro also detects this malware as WORM_DOWNAD.AD. Infected users should read and follow the instructions at the solution page for this malware here. We also provide a fixtool which can likewise help non-Trend Micro users.

Conficker/DOWNAD entries here:

• The Mess That Is Worm Downad
• Security Policy for Dummies – how to avoid WORM_DOWNAD infection
• Security in Recession
• DOWNAD Gearing up for a Botnet