New DOWNAD Generates More URLs
Trend Micro detects yet another variant of the infamous DOWNAD family, WORM_DOWNAD.KK. DOWNAD (also known as Conficker) is one of the more destructive outbreak worms of the Web threat era, with infection numbers matching those of the giant Storm and Kraken botnets.
WORM_DOWNAD.KK closely follows WORM_DOWNAD.A and WORM_DOWNAD.AD (the latter was found late last month to have updated functionality). With this new variant, the DOWNAD mess is getting a lot uglier.
As of this month, the two earlier DOWNAD worms have already infected a million PCs according to Trend Micro’s World Virus Tracking Center, which counts only infections detected by HouseCall and other Trend Micro products. Security researchers estimate the global infection at around nine million PCs.
Among WORM_DOWNAD.KK’s added features is a much larger number of generated domains: 50,000 per day, up from the 250 generated by the earlier variants. Although the worm only attempts to connect to around 500 randomly selected domains at a time, the change is seen as an effort to add survivability to the DOWNAD botnet, since anyone trying to block or pre-register its rendezvous domains now has to cover 200 times as many names each day.
Trend Micro Advanced Threats Researcher Paul Ferguson says that blocking these domains is almost impossible not only because of the daily volume, but also because there is a high possibility of legitimate domain collisions where DOWNAD generates domains already in use by legitimate entities.
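The arithmetic behind that survivability argument, as an added example that is not part of the original post and is not DOWNAD's actual algorithm: the hashing scheme, TLD list, sample date and the constructed "registered" set below are assumptions chosen only to illustrate 50,000 candidates per day with 500 contacted, against the earlier 250. It shows why a single registered domain reached every bot under the old scheme but only about 1% under the new one, why the botmaster can still recover most bots by registering a few hundred names, and why a defender who blocks even half of the daily list almost never isolates a bot, before checking the generated list for collisions with names that are already taken.

```python
"""Illustrative domain-generation algorithm (DGA) and blocking arithmetic.

Added example: this is NOT the real DOWNAD/Conficker algorithm. The hashing
scheme, TLD list and sample date are assumptions chosen to demonstrate the
numbers in the post (50,000 candidates per day, ~500 contacted, 250 before).
"""
import datetime as dt
import hashlib
import random
from math import comb

# Hypothetical TLD set; the worm's real TLDs are not given in the post.
TLDS = ("com", "net", "org", "info", "biz")


def generate_domains(day: dt.date, count: int, salt: bytes = b"example-dga") -> list:
    """Derive `count` deterministic pseudo-random domains for `day`.

    Every bot, and every analyst who knows the algorithm, reproduces the
    same list; that is what makes pre-registration and sinkholing possible.
    """
    domains = []
    for i in range(count):
        h = hashlib.sha256(salt + day.isoformat().encode() + i.to_bytes(4, "big")).digest()
        length = 8 + h[0] % 4                      # 8..11 character label
        label = "".join(chr(ord("a") + b % 26) for b in h[1:1 + length])
        domains.append(f"{label}.{TLDS[h[15] % len(TLDS)]}")
    return domains


def contact_subset(domains: list, k: int, seed: int) -> list:
    """The bot does not try every candidate; it samples k of them."""
    return random.Random(seed).sample(domains, k)


def p_bot_reaches_c2(n: int, k: int, m: int) -> float:
    """P(at least one of the bot's k picks is among the m names the operator
    actually registered that day), out of n candidates."""
    return 1.0 - comb(n - m, k) / comb(n, k)


def p_bot_fully_blocked(n: int, k: int, b: int) -> float:
    """P(all k picks fall inside the b names a defender blocked or sinkholed)."""
    return comb(b, k) / comb(n, k)


def collisions(generated: list, registered: set) -> set:
    """Generated names that already belong to someone else: blocking the
    whole list would take those legitimate sites down too."""
    return set(generated) & registered


if __name__ == "__main__":
    day = dt.date(2009, 3, 5)          # constructed date, not from the post
    new = generate_domains(day, 50_000)
    print(len(new), "candidates; bot contacts", len(contact_subset(new, 500, seed=1)))
    # Old scheme: 250 candidates, all contacted. One registered domain reaches
    # every bot, and a defender who blocks all 250 cuts every bot off.
    print(f"old: reach={p_bot_reaches_c2(250, 250, 1):.2f} "
          f"fully blocked={p_bot_fully_blocked(250, 250, 250):.2f}")
    # New scheme: one registered domain reaches ~1% of bots per day, a few
    # hundred reach most of them, and blocking half the list isolates nobody.
    for m in (1, 100, 500):
        print(f"new: registered={m:3d} reach={p_bot_reaches_c2(50_000, 500, m):.3f}")
    print(f"new: half blocked -> P(fully cut off)={p_bot_fully_blocked(50_000, 500, 25_000):.1e}")
    # Constructed 'already registered' set that happens to contain a generated name.
    registered = {"example.com", "trendmicro.com", new[7]}
    print("collisions:", collisions(new, registered))
```

The two probabilities are the whole story of the change: under the old scheme the defender's job (block 250 names) and the botmaster's job (register one) were both cheap, so whoever moved first won; under the new scheme the defender's cost scales with the full 50,000 while the botmaster's does not, and any blocklist built from the list inherits its collisions with legitimate names.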
Like the other DOWNAD worms, this new variant also blocks access to antivirus-related sites and terminates security tools.
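A quick triage check for the first of those symptoms, added here as an example and not part of the original post or of Trend Micro's tooling: it assumes the block shows up as name resolution failing for security-vendor hostnames while unrelated hostnames still resolve (a worm interfering lower in the stack would need a different probe), and the two domain lists are assumptions chosen for illustration.

```python
"""Triage check for the 'blocks access to antivirus-related sites' symptom.

Added example, not Trend Micro's tooling. Assumption: the block manifests as
failed name resolution for vendor hostnames while control hostnames resolve.
The probe lists below are illustrative choices, not taken from the post.
"""
import socket

# Assumed probe sets: vendor names a worm might block, and controls it would not.
AV_DOMAINS = ("www.trendmicro.com", "www.symantec.com", "www.mcafee.com", "www.kaspersky.com")
CONTROL_DOMAINS = ("www.example.com", "www.iana.org")


def system_resolver(name: str) -> bool:
    """True if the OS resolver returns an address for `name`."""
    try:
        socket.gethostbyname(name)
        return True
    except socket.gaierror:
        return False


def triage(resolve=system_resolver, av=AV_DOMAINS, control=CONTROL_DOMAINS) -> dict:
    """Classify a host by comparing resolution of AV names against controls.

    'suspicious'   : controls resolve but some AV names do not (the pattern
                     the post describes)
    'inconclusive' : failures on both sides, so it may just be a flaky network
    'offline'      : nothing resolves, no conclusion possible
    'clean'        : everything resolves
    `resolve` is injectable so the check can be unit-tested without a network.
    """
    failed_av = [d for d in av if not resolve(d)]
    failed_control = [d for d in control if not resolve(d)]
    if len(failed_control) == len(control):
        verdict = "offline"
    elif failed_av and not failed_control:
        verdict = "suspicious"
    elif failed_av:
        verdict = "inconclusive"
    else:
        verdict = "clean"
    return {"verdict": verdict, "failed_av": failed_av, "failed_control": failed_control}


if __name__ == "__main__":
    print(triage())
```

Run it on a host you suspect and compare with a known-good machine on the same network; a "suspicious" verdict only on the suspect host is worth following up with the cleaning instructions below, while "inconclusive" on both usually means the resolver itself is the problem.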
Trend Micro users are already protected by the Smart Protection Network, which blocks WORM_DOWNAD.KK and prevents it from running on their systems. Infected systems can be cleaned by following the instructions on this page.