Downadup delivers on April Fool's Day

The Downadup/Conficker worm version C is due to deliver its next payload on 1st April - April Fool's Day - and its got security professionals worried

Tags: Symantec Corporation
  • E-Mail
By  Mark Sutton Published  March 26, 2009

The Downadup/Conficker worm version C is due to deliver its next payload on 1st April - April Fool's Day - and its got security professionals worried.

The latest version, which emerged earlier this month has yet to reveal its true purpose. Researchers know that it is scheduled to download a new update from its mystery controllers on 1st April, but they don't know what happens after that. Symantec's Eric Chien wrote that the company doesn't know if Downadup will be  "one big April Fool's joke, or the equivalent of a cyber Pearl Harbor".

Downadup has certainly baffled the security industry. Estimates vary, but around three million computers running Windows OS are believed to have been infected by the worm since it first emerged in October last year. The problem is, unlike usual malware that may set up a bot net or go for a quick theft of data, Downadup keeps on changing.

The initial variant was intended to spread a rogue anti-virus/ anti-spyware  program - the sort of scam that tells you you have a virus on your PC, but you can get rid of it by downloading such-and-such antivirus for just $20. The unsuspecting user hands over the $20 to the hacker or an affiliate , and gets their credit card details harvested to boot. This was the original purpose of Downadup A, which was meant to deliver a rogue anti-spyware on 1st December 2008, except the security industry says it managed to block it.

The worm was already fairly unusual in the way it used an algorithm to disguise the address that it would connect back to deliver its payload or be activated, which had piqued the interest of security researchers. From then on though, the worm got even more interesting.

The second variant, B, took greater steps to hide the control sites, and like A, seemed to designed to spread itself as much as possible.  Then at the start of this month, the third version appeared, and changed tactics. Rather than create new infections, the C variant looks to be trying to hide itself, and protect against removal, by doing things like disabling anti-virus software. The writers seem determined that whatever the payload, they aim to see it activated on 1st April.

Downadup is a fascinating illustration of the difficulties and complexities of the cat and mouse games involved in security research today. Chien thinks it most likely that the payload will be more rogue anti-spyware looking to fleece the unsuspecting - not exactly a web apocalypse, and hopefully given enough publicity, people will be wise to it come April Fool's day. (In fact, if you were looking for a day to pull off a scam, April Fool's would seem to be a non-starter, given that many people will be on the look out for tricks and hoaxes that day)

It seems to me that whoever wrote the virus is most likely looking for a pay-day rather than notoriety. We are told that more and more criminal gangs are involved in cyber crime, and the initial purpose of Downadup A was to steal money. With the huge publicity around Downadup - including an outright challenge from the security industry and a $250,000 reward from Microsoft - you might have expected these criminals to simply slip back into the shadows and look for another target instead. Not this time though - the efforts to keep the Downadup worm alive suggests its writers didn't want to see their hard work go to waste, even at the risk of exposure or a reduced pay out, and that they are ready to accept the challenge laid down by the security industry. It looks like the criminals and the security industry are set for a show down, with April Fool's Day as high noon.

More information on downadup/conficker from Symantec here.

Add a Comment

Your display name This field is mandatory

Your e-mail address This field is mandatory (Your e-mail address won't be published)

Security code