Five Years Old And Still On The Run: DOWNAD
Five years ago, Conficker/DOWNAD was first seen and quickly became notorious due to how quickly it spread and how much damage it caused.
Remarkably, after all that time, it’s still alive. It can still pose a serious problem, as it can propagate to other systems on the same network as an infected machine – a factor that may explain its high rate of infection to this day.
Based on feedback from the Smart Protection Network, DOWNAD has been a leading threat for years. It has been the most prolific threat – as measured by the number of infections seen in the wild – since 2011. It has beaten out a wide variety of threats – from crack key generators to ZeroAccess – for this dubious distinction.
It also popularized the use of domain generation algorithms. This technique generates multiple (hundreds, in the case of DOWNAD) domains on a daily basis. It uses these domains to connect to its command-and-control servers. The sheer number of generated domains makes blocking this C&C much more difficult. Since then, it has been adopted by other malware families as well.
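To make concrete why a DGA complicates blocking, and how defenders respond to it, here is an added example that is not code from the original post and does not reproduce DOWNAD's actual algorithm. It is a toy date-seeded generator: a constructed seed and the calendar date are hashed to derive a few hundred domains per day, so the same date always yields the same list. A defender who has recovered the algorithm from a sample can run it ahead of time to precompute each day's domains into a blocklist or sinkhole list, and match DNS logs against it. The log lines, seed, and domain count are all constructed for this illustration.

```python
import hashlib
from datetime import date

# Constructed TLD pool for the toy generator (not DOWNAD's real TLD set).
TLDS = ("com", "net", "org", "info", "biz")
SEED = b"example-seed"  # constructed; a real DGA hard-codes its own secret


def generate_domains(day, count=250, seed=SEED):
    """Toy DGA: derive `count` domain names deterministically from the date.

    Each candidate is SHA-256(seed || ISO date || index); the digest chooses
    a label length of 8-15 characters, the letters, and the TLD. Because the
    only variable input is the date, infected hosts and defenders who know the
    algorithm compute identical lists for the same day.
    """
    domains = []
    for i in range(count):
        material = seed + day.isoformat().encode() + i.to_bytes(4, "big")
        digest = hashlib.sha256(material).digest()
        length = 8 + digest[0] % 8
        label = "".join(chr(ord("a") + b % 26) for b in digest[1:1 + length])
        tld = TLDS[digest[-1] % len(TLDS)]
        domains.append(f"{label}.{tld}")
    return domains


def build_blocklist(day, count=250, seed=SEED):
    """Precompute the day's full domain set for a DNS blocklist or sinkhole."""
    return frozenset(generate_domains(day, count, seed))


def flag_dga_lookups(log_lines, blocklist):
    """Return (client, qname) pairs from DNS log lines that hit the blocklist.

    Expected line format (constructed): '<timestamp> <client_ip> <qname>'.
    Malformed lines are skipped rather than raising, since log feeds are messy.
    """
    hits = []
    for line in log_lines:
        parts = line.split()
        if len(parts) != 3:
            continue
        _ts, client, qname = parts
        if qname.lower().rstrip(".") in blocklist:
            hits.append((client, qname))
    return hits


if __name__ == "__main__":
    day = date(2013, 11, 25)  # constructed date
    today_domains = generate_domains(day)
    blocklist = build_blocklist(day)
    # Constructed DNS log: one benign lookup, one DGA lookup, one bad line.
    log = [
        f"2013-11-25T09:00:01 10.0.0.7 www.example.com",
        f"2013-11-25T09:00:02 10.0.0.7 {today_domains[17]}",
        "garbage line",
    ]
    print(f"{len(blocklist)} domains precomputed for {day}")
    print("flagged:", flag_dga_lookups(log, blocklist))
```

The blocklist must be regenerated every day (and, in practice, for a window of days around the current date to absorb clock skew), which is exactly the operational burden the paragraph above describes: hundreds of fresh names per day instead of a single static C&C hostname.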
In order to propagate across networks, it used a zero-day vulnerability, which was later designated by Microsoft as MS08-067. Despite the availability of a patch, many users remain vulnerable due to negligent patching practices as well as piracy. Pirated versions of Microsoft Windows are often unable to download and install security patches.
In the long term, as Windows XP machines are retired because its extended support period ends next year, DOWNAD is destined to recede into the background. However, some systems may still be at risk. The solution is simple: ensure that the software you run – particularly your operating system – has the latest security updates. You should also check out our tips on how to see if your system is in fact infected.
We have prepared a full infographic which describes the capabilities, the spread, and the risks of DOWNAD/Conficker.