The DOWNAD/Conficker Jigsaw Puzzle
- Tuesday, April 14, 2009, 19:58
- Threat Research
This blog post puts together Trend Micro’s own DOWNAD research as well as collaborative input from the Conficker Working Group. It combines the collected reports regarding DOWNAD with analysis of the binaries in one coherent timeline of events, to shed some light on the continuing DOWNAD/Conficker Jigsaw Puzzle.
SETTING THE STAGE
The rise of DOWNAD to its current stature can be traced to two of its earlier and probably most infectious variants, detected by Trend Micro as WORM_DOWNAD.A and WORM_DOWNAD.AD.
In a span of just four months (November last year to February this year, when DOWNAD infection counts were at their peak), WORM_DOWNAD.A infected around 500,000 PCs. WORM_DOWNAD.AD, an improved variant first detected last December, equaled the infection count of the earlier variant in just three months.
These numbers – a little more than a million – are based on Trend Micro’s World Virus Tracking Center (WTC) figures alone, which count only infections detected by HouseCall and other Trend Micro products. Total global estimates were believed to have reached as high as nine million in February this year. The DOWNAD infection base, specifically through the AD variant, was thus set.
On March 4, several WORM_DOWNAD.AD infected nodes got an updated variant, which was eventually detected as WORM_DOWNAD.KK. This new DOWNAD is notable for the following functionalities: