TrendLabs Malware Blog - Trend Micro
    There have been some concerns over whether yet another new Conficker variant (detected by Trend Micro as DOWNAD) has been released. Recall that in January we saw cybercriminals update the routines of WORM_DOWNAD.A so that it could propagate over more channels, producing WORM_DOWNAD.AD. Reports now describe further updated functionality in a more recent Conficker run.

    This variant, which we also detect as WORM_DOWNAD.AD, adds two new paths for validating and executing binaries. Both bypass the Internet rendezvous points that the earlier variant relied on, where bot masters made contact with DOWNAD drones for tracking or to push new payloads:

    • One path is an extension to netapi32.dll that checks incoming RPC traffic for URLs. If a valid URL is found, the file it points to is downloaded; if that file passes the malware's own validation, it is executed.
    • The other path has the malware create a named pipe on which it receives any URL the bot master sends, much like a backdoor. The malware reads from the named pipe and, if the read does not return an error, passes the URL to another function that downloads, validates and executes the file.
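
    The first path is also a useful signal for defenders: RPC request traffic aimed at the Server service has no ordinary reason to carry an HTTP URL, so a well-formed, downloadable URL embedded in such a payload is worth an alert. The following Python script is an added example written for this page, not code from the original post or from Trend Micro, and it does not reproduce DOWNAD's own parsing or validation. It runs the same kind of check from the monitoring side: the two payloads, the URL pattern and the plausibility filter are constructed for illustration.

```python
import re
from urllib.parse import urlparse

# Constructed sample payloads imitating raw RPC request bodies. They are made
# up for this example and are not captured DOWNAD traffic.
BENIGN_PAYLOAD = (
    b"\x05\x00\x00\x03\x10\x00\x00\x00"          # DCE/RPC-style header bytes (illustrative)
    b"\\\\WORKSTATION01\\IPC$\x00\x00"            # an ordinary UNC path inside a request
)
SUSPECT_PAYLOAD = (
    b"\x05\x00\x00\x03\x10\x00\x00\x00"
    + b"\x90" * 24                                 # filler before the embedded string
    + b"http://203.0.113.7:8080/update.bin\x00"    # the kind of URL a bot master would push
    + b"\x41" * 8
)

# Matches http(s)://host[:port][/path]; the path stops at the first byte outside
# printable ASCII, so a NUL terminator ends the match cleanly.
URL_RE = re.compile(rb"https?://[A-Za-z0-9.\-]+(?::\d{1,5})?(?:/[\x21-\x7e]*)?")


def extract_urls(payload: bytes) -> list[str]:
    """Return every HTTP(S) URL embedded in an opaque byte buffer."""
    return [m.decode("ascii") for m in URL_RE.findall(payload)]


def is_fetchable_url(url: str) -> bool:
    """Keep only URLs a bot could actually download from (scheme, host, sane port).

    The point is to drop regex matches that no downloader would accept, so the
    remaining hits are the ones that matter."""
    parts = urlparse(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False
    try:
        port = parts.port  # urlparse raises ValueError for ports outside 0-65535
    except ValueError:
        return False
    return port is None or 1 <= port <= 65535


def scan_rpc_payloads(payloads: list[bytes]) -> list[tuple[int, str]]:
    """Return (payload index, url) pairs that should raise an alert."""
    hits = []
    for index, payload in enumerate(payloads):
        for url in extract_urls(payload):
            if is_fetchable_url(url):
                hits.append((index, url))
    return hits


if __name__ == "__main__":
    for index, url in scan_rpc_payloads([BENIGN_PAYLOAD, SUSPECT_PAYLOAD]):
        print(f"payload {index}: embedded URL {url}")
```

    Feed the scanner the reassembled request bodies from a capture rather than individual packets, since a URL split across two segments would otherwise be missed. The check flags the delivery channel only; it says nothing about whether the referenced file would pass the validation step the malware performs before executing it.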

    Fortunately for Trend Micro users, the Smart Protection Network has protected their computers from the start, since this variant is already detected as WORM_DOWNAD.AD. Infected users should read and follow the instructions on the solution page for this malware. We also provide a fix tool, which can help non-Trend Micro users as well.
