The Conficker threat has become one of the most widespread threats to hit the Internet in many years.
Although it contained few previously unseen features, what set it apart was the sheer number of tricks it held up its sleeve.
Yet its continued propagation is largely the result of organisations that have still not applied the security patches needed to stop it.
Despite hopes in early May that a "self-destruct" instruction contained in the latest Conficker variant would sound the death knell for this nasty threat, it is still very much alive and kicking.
W32.Downadup (also called Conficker) first appeared in November 2008, exploiting a vulnerability in the Windows Server service (the flaw addressed by Microsoft's MS08-067 patch).
This was soon followed by W32.Downadup.B, an advanced variant containing a peer-to-peer (P2P) updating mechanism that allows one infected computer to update another.
In March, W32.Downadup.C began to appear on previously infected computers.
Then, on April 1, it began generating 50,000 domain names a day, and each infected computer "checked" up to 500 of these for updates that would allow the worm to perform further malicious activity.
However, the true purpose of W32.Downadup.C only became clear on April 8, 2009, when a new variant emerged: W32.Downadup.E.
The purpose of this variant is to install W32.Downadup.C on vulnerable systems. W32.Downadup.E is programmed to remove itself after 3 May; W32.Downadup.C is not.
To detail the propagation of the Downadup variants, Symantec has charted the family from the first variant up to today, as well as the behaviours we expect from this threat in the future, in this video:
http://www.youtube.com/watch?v=r2h6w61-c74
Exploitation of the Microsoft vulnerability was by far the strongest propagation technique that Downadup used to enter a network.
However, it is telling that the worm appeared nearly a month after Microsoft had released a critical patch for this vulnerability.
In most IT environments, this should be plenty of time to test and roll out a patch.
Properly administering removable and network drives is also important.
Downadup used the Microsoft vulnerability to enter a network and, once inside, found success with its other propagation techniques, such as removable drives and weakly protected network shares.
All it takes is one vulnerable computer to be exploited for the worm to gain access to the network.
To better protect their systems from this threat, organisations should ensure they are using the latest security software; computers and servers should be updated with security patches as soon as they are released; IT assets should be monitored for signs of malicious activity; and security postures should be regularly reviewed.
With these measures in place, businesses will be in a better position to protect against this threat.
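One concrete way to "monitor IT assets for signs of malicious activity" against the behaviour described above, where an infected host checks hundreds of freshly generated domain names a day across many top-level domains, is to watch the resolver logs for clients whose failed lookups cluster in exactly that way. The script below is an added example, not code from the original post or from Symantec. It assumes a constructed log format of one query per line (timestamp, client, name, response code), generates its sample names with a seeded toy generator rather than the worm's own algorithm, and uses thresholds that are assumptions to be tuned for a given network.

```python
"""Flag DNS clients whose failed lookups look like domain-generation beaconing.

Added example, not code from the original post or from Symantec.
Assumed (constructed) resolver log format, one query per line:

    <unix_timestamp> <client_ip> <query_name> <rcode>

The sample names come from a seeded toy generator, not from the worm's own
algorithm, and the thresholds are assumptions to be tuned locally.
"""
import random
import re
from collections import defaultdict

# One log line: epoch seconds, client address, queried name, response code.
LINE_RE = re.compile(r"^(?P<ts>\d+)\s+(?P<client>\S+)\s+(?P<qname>\S+)\s+(?P<rcode>\w+)$")


def parse_line(line):
    """Parse a log line into (ts, client, qname, rcode); return None for junk."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return (int(m["ts"]), m["client"],
            m["qname"].lower().rstrip("."), m["rcode"].upper())


def find_dga_suspects(lines, window=3600, min_nx=50, min_tlds=5):
    """Return {client: stats} for clients that produced at least `min_nx`
    distinct NXDOMAIN names spanning at least `min_tlds` top-level domains
    within some `window`-second span. A host probing hundreds of
    never-registered names across many TLDs fails in exactly this way;
    ordinary typos and stale records do not cluster like that.
    The stats report the largest qualifying window seen for that client."""
    failures = defaultdict(list)  # client -> [(ts, qname)]
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ts, client, qname, rcode = rec
        if rcode == "NXDOMAIN":
            failures[client].append((ts, qname))

    suspects = {}
    for client, events in failures.items():
        events.sort()
        best = None
        start = 0
        for end in range(len(events)):
            # Slide the window so it covers only events within `window` seconds.
            while events[end][0] - events[start][0] > window:
                start += 1
            names = {q for _, q in events[start:end + 1]}
            tlds = {q.rsplit(".", 1)[-1] for q in names}
            if len(names) >= min_nx and len(tlds) >= min_tlds:
                if best is None or len(names) > best["distinct_nxdomain"]:
                    best = {"distinct_nxdomain": len(names), "tlds": len(tlds)}
        if best is not None:
            suspects[client] = best
    return suspects


def build_sample_log():
    """Constructed sample: one clean workstation and one host beaconing to
    120 pseudo-random names across eight TLDs inside 40 minutes."""
    rng = random.Random(2009)
    base = 1238544000  # 1 April 2009 00:00 UTC
    lines = [f"{base + 100} 10.0.0.5 www.example.com NOERROR"]
    # Clean host: a few typos and a stale internal name spread over hours.
    for i, q in enumerate(["wwww.example.com", "intranet.corp.local", "mail.exmaple.org"]):
        lines.append(f"{base + i * 7200} 10.0.0.5 {q} NXDOMAIN")
    # Beaconing host: 120 distinct random labels, one lookup every 20 seconds.
    tlds = ["com", "net", "org", "info", "biz", "ws", "cn", "ru"]
    labels = set()
    while len(labels) < 120:
        labels.add("".join(rng.choice("abcdefghijklmnopqrstuvwxyz")
                           for _ in range(rng.randint(5, 11))))
    for i, label in enumerate(sorted(labels)):
        lines.append(f"{base + i * 20} 10.0.0.77 {label}.{rng.choice(tlds)} NXDOMAIN")
    lines.append(f"{base + 50} 10.0.0.77 update.microsoft.com NOERROR")
    rng.shuffle(lines)  # log order does not matter; the detector sorts per client
    return lines


if __name__ == "__main__":
    for client, stats in find_dga_suspects(build_sample_log()).items():
        print(f"{client}: {stats['distinct_nxdomain']} distinct NXDOMAIN names "
              f"over {stats['tlds']} TLDs within an hour")
```

Run against the constructed log, only 10.0.0.77 is reported. The TLD-spread test is what keeps the noisy-but-benign cases out: a workstation with a broken DNS search suffix can also rack up NXDOMAIN answers, but they all land under one or two domains, whereas a host walking a generated list fails across many TLDs. Tune `min_nx` and `window` to the real query volume before alerting on production logs.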
The key element in protecting any network from exploitative threats is proactive patch testing and implementation.
Disabling AutoPlay and enforcing strong passwords on network shares provide the final one-two punch that renders a threat like Downadup inert.
As is the case with all threats in today's landscape, a well-managed network is a safer network.
For more information about Downadup and details about how to manage and eliminate this threat, Symantec has produced The Downadup Codex, Edition 2.0.