All around the world, April 1st has already passed. The DOWNAD/Conficker April 1st hype has kept most, if not all, of us in the security industry and in the Conficker Working Group busy in the past few weeks. The day may have ended quietly, but follow-up questions still linger as a new day begins:
Q: Did anything happen?
A: There have been no significant developments or updates in the DOWNAD/Conficker botnet. At least not yet. DOWNAD samples are still reaching websites as part of their time-check routines, and the expected P2P chatter/traffic between peers continues. These routines, however, were already being observed before April 1st. As of this writing, there are no new binaries, no new malicious domains, and no new payloads.
Our engineers observed some instances of DOWNAD seemingly changing its network behavior, but this appears planned rather than intended as an attack. This behavior supports the view among security researchers that the creators of this botnet are determined, slow, and measured in how they introduce changes into the botnet infrastructure.
Q: Did the Conficker Working Group succeed in its endeavors?
A: Yes. The group did a phenomenal job in getting the engagement of various security researchers, Internet service providers, domain name registries, as well as members of the academe, law enforcement agencies, and other cross-industry stakeholders.
But the battle is not yet over. The DOWNAD network is a very capable platform. We need to remain vigilant in monitoring this botnet. A code change could easily change the balance of power.
Q: What do you think the DOWNAD authors will do next after April 1st?
A: There is evidence that the botnet is evolving from an HTTP-based infrastructure into one using a complex peer-to-peer (P2P) command-and-control communications model. The latter is slower but harder to track, detect, decode, or interrupt. Researchers believe that the operators of the DOWNAD botnet will begin some form of campaign designed to generate income.
Analysis by security engineers reveals that the P2P channel is currently being used to transmit replacement code modules.
Q: There were reports that a couple of high-profile organizations were seriously affected by the April 1st DOWNAD/Conficker activation date. There were reports as well of a confession from the DOWNAD/Conficker worm author himself. Are these reports accurate?
A: Both untrue. These would be April Fool’s jokes. More information on this page:
Q: Do we stop worrying after April 1?
A: April 1st is an activation date in one milestone of the evolution of the DOWNAD/Conficker botnet. To ensure that we are not caught off-guard, monitoring and investigations will be ongoing. Web users likewise need to be aware of the threat and to make sure that they have all the necessary solutions in place to protect their PCs.
Trend Micro’s DOWNAD/Conficker landing page, with links to solutions, can be accessed using this link:
The main support portal, meanwhile, is on this page:
One prominent routine of DOWNAD worms is blocking user access to certain websites, usually security-related sites. Infected systems can regain access to the domains DOWNAD blocks by following the steps provided on this page:
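As an added example (not Trend Micro's own tooling), the following Python script turns the blocking routine described above into a quick host-side check: it resolves a handful of security-vendor domains alongside neutral control domains and reports whether the failures follow the selective pattern that DOWNAD's blocking produces. The domain lists are assumptions chosen for illustration, and the resolver is injectable so the logic can be exercised offline.

```python
import socket
from typing import Callable, Dict, Iterable, Optional

# Assumed lists (not from the original post): security-vendor domains that
# DOWNAD-style blocking is expected to interfere with, and neutral control
# domains that an infected but online host should still resolve normally.
WATCHED = ["trendmicro.com", "symantec.com", "mcafee.com", "kaspersky.com"]
CONTROL = ["example.com", "example.net"]

Resolver = Callable[[str], str]


def probe(domains: Iterable[str],
          resolver: Resolver = socket.gethostbyname) -> Dict[str, Optional[str]]:
    """Resolve each domain; map it to an IP string, or None on failure."""
    results: Dict[str, Optional[str]] = {}
    for name in domains:
        try:
            results[name] = resolver(name)
        except OSError:  # socket.gaierror is a subclass of OSError
            results[name] = None
    return results


def assess(watched: Dict[str, Optional[str]],
           control: Dict[str, Optional[str]]) -> str:
    """Classify the failure pattern.

    'offline' : control domains fail too, so nothing can be concluded.
    'clean'   : every watched domain resolves.
    'suspect' : controls resolve but every watched domain fails, the
                selective pattern that blocking of security sites produces.
    'partial' : only some watched domains fail; worth a closer look.
    """
    if not any(control.values()):
        return "offline"
    failed = [d for d, ip in watched.items() if ip is None]
    if not failed:
        return "clean"
    if len(failed) == len(watched):
        return "suspect"
    return "partial"


def check(resolver: Resolver = socket.gethostbyname) -> str:
    """Run the probe against the assumed lists and return the verdict."""
    return assess(probe(WATCHED, resolver), probe(CONTROL, resolver))


if __name__ == "__main__":
    print("DOWNAD-style blocking check:", check())
```

A 'suspect' verdict is only a symptom; confirm with an up-to-date scanner and the removal steps linked above before treating the host as infected.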