DOWNAD, also known as Conficker, remains one of the top three malware families affecting enterprises and small and medium-sized businesses. Much of this is attributed to the number of companies still running Windows XP, which is susceptible to this threat.
It can spread across an entire network via malicious URLs, spam email, and removable drives. It is known to exploit the MS08-067 Server service vulnerability in order to execute arbitrary code. In addition, DOWNAD has its own domain generation algorithm (DGA) that produces pseudo-random domain names; it then connects to these domains to download files onto the system.
During our monitoring of the spam landscape, we observed that in Q2, more than 40% of malware-related spam was delivered by machines infected with the DOWNAD worm. Spam campaigns carrying FAREIT, MYTOB, and LOVGATE payloads as email attachments are attributed to DOWNAD-infected machines. FAREIT is a family of information stealers that also downloads ZBOT. MYTOB, on the other hand, is an old family of worms known for mailing copies of itself as spam attachments.
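The DGA behaviour described above is what makes this kind of C2 both resilient and, from the defender's side, predictable: anyone who knows the algorithm and its seed can precompute the day's candidate domains. The block below is an added example, not Trend Micro's code and not Conficker's actual algorithm. It uses a toy date-seeded generator (the seed, the TLD pool, the domain count, the DNS log format and the client IPs are all constructed for illustration) and then sweeps sample DNS query logs for lookups of generated names, with a one-day lookback to tolerate clock skew on infected hosts.

```python
"""
Illustrative date-seeded DGA plus a defender-side DNS log sweep.

CONSTRUCTED EXAMPLE: the generator is a toy, not DOWNAD/Conficker's real
algorithm, and the seed, TLD pool, log format and IP addresses are made up.
What it demonstrates is the workflow: precompute the domains an infected
host would contact on a given day, then match DNS query logs against them.
"""
import datetime
import hashlib

TLDS = ("com", "net", "org")          # assumed TLD pool for the toy DGA
SEED = b"toy-dga"                     # assumed per-family constant


def generate_domains(day, count=250, seed=SEED):
    """Derive `count` pseudo-random domains from the date and a fixed seed.

    Deterministic by design: the malware and the defender who knows the
    algorithm compute the same list, which is why DGA-based C2 can be
    sinkholed or blocklisted ahead of time.
    """
    domains = []
    for i in range(count):
        material = seed + day.isoformat().encode() + i.to_bytes(2, "big")
        digest = hashlib.sha256(material).digest()
        length = 8 + digest[0] % 4                      # 8 to 11 letters
        label = "".join(chr(ord("a") + b % 26) for b in digest[1:1 + length])
        tld = TLDS[digest[-1] % len(TLDS)]
        domains.append(f"{label}.{tld}")
    return domains


def parse_dns_log_line(line):
    """Parse the constructed log format '<timestamp> <client_ip> <qname>'.
    Returns (timestamp, client_ip, normalised qname) or None if malformed."""
    parts = line.split()
    if len(parts) != 3:
        return None
    ts, client, qname = parts
    return ts, client, qname.rstrip(".").lower()


def find_dga_queries(log_lines, day, lookback_days=1):
    """Return (client_ip, qname) pairs for queries that hit a domain generated
    for `day` or any of the previous `lookback_days` days."""
    candidates = set()
    for delta in range(lookback_days + 1):
        candidates.update(generate_domains(day - datetime.timedelta(days=delta)))
    hits = []
    for line in log_lines:
        rec = parse_dns_log_line(line)
        if rec and rec[2] in candidates:
            hits.append((rec[1], rec[2]))
    return hits


# Constructed sample data: one lookup of a "today" DGA domain, one of a
# "yesterday" domain (upper-cased and without trailing dot, to exercise
# normalisation), two benign lookups and one malformed line.
SAMPLE_DAY = datetime.date(2014, 6, 30)
TODAY_DGA = generate_domains(SAMPLE_DAY)[7]
YESTERDAY_DGA = generate_domains(SAMPLE_DAY - datetime.timedelta(days=1))[42]

SAMPLE_LOG = [
    "2014-06-30T08:01:12Z 10.0.0.12 www.example.com.",
    f"2014-06-30T08:01:13Z 10.0.0.12 {TODAY_DGA}.",
    "2014-06-30T08:02:40Z 10.0.0.25 update.example.org",
    f"2014-06-30T08:03:05Z 10.0.0.31 {YESTERDAY_DGA.upper()}",
    "malformed line",
]


def sweep_sample():
    """Run the sweep over the constructed log with a one-day lookback."""
    return find_dga_queries(SAMPLE_LOG, SAMPLE_DAY, lookback_days=1)


if __name__ == "__main__":
    for client, qname in sweep_sample():
        print(f"possible DGA lookup from {client}: {qname}")
```

In practice the generator would be the reverse-engineered family algorithm and the candidate set would be pushed to the resolver or proxy as a blocklist; the sweep above is the detection half of that same precomputation.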
Table 1. Spam sending malware
Based on this data, the CUTWAIL (Pushdo) botnet and Gameover ZeuS (GoZ) are the other top sources of spam carrying malware. Interestingly, CUTWAIL was previously used to download GoZ; now it is UPATRE that downloads GoZ, or other ZBOT variants with peer-to-peer functionality.
In the last few weeks we have reported on various spam runs that abused Dropbox links to host malware such as NECURS and UPATRE. We also spotted a spammed message disguised as a voice mail notification that carried a Cryptolocker variant. The latest we have seen is a spam campaign whose links leveraged CUBBY, a file storage service, this time to deliver banking malware detected as TSPY_BANKER.WSTA. Cybercriminals and threat actors are likely abusing file storage platforms to mask their malicious activity and evade detection on the host and the network.
As spam with malware attachments continues to proliferate, so does spam with links to malicious files. The continued abuse of file hosting services to spread malware appears to have become a favored infection vector for cybercriminals, most likely because the URLs point at legitimate domains, which increases the chance of slipping past anti-spam filters.
Although the majority of the campaigns above are delivered by the popular GoZ, it is important to note that around 175 IPs were found to be related to the DOWNAD worm. These IPs use various ports and are reached through domain names produced by DOWNAD's DGA. A number of machines are still infected with this threat and are being used to send the spammed messages, further increasing the number of infected systems. With Microsoft ending support for Windows XP this year, we can expect systems running this OS to remain exposed to threats like DOWNAD.
Trend Micro protects users from this threat via its Smart Protection Network, which detects the malicious files and spam emails and blocks all related IPs. Users are also advised to upgrade their Windows OS and to be cautious when opening email messages, even when the sender appears legitimate.
With additional insights from Maydalene Salvador