For the last couple of weeks, all’s been pretty quiet on the Downadup/Conficker front. While we’re still performing our ‘daily patrols’ here in Security Response, watching for signs of something new, quiet moments like this give us a chance to reflect on what has come to pass so far.
What we’ve discovered looking back is that there has been some confusion about the different Downadup variants—what each one does and how they interrelate. It’s not surprising, given that a feature present in one version is often absent in another. Some largely stand on their own, some install other risks, and others largely seem to exist in order to update their siblings. Try describing how each works and you’re likely to find yourself reminded of an Abbott and Costello routine.
In order to connect the dots between Downadup variants, we’ve developed a new video that charts the family from the first variant up to today, as well as what behaviors we expect in the future. We focus on how each variant relates to its siblings, painting a clearer Downadup family portrait.
For those of you looking for a quick-and-dirty rundown of the video, here’s the timeline summarized:
November 22, 2008: W32.Downadup is released
December 28, 2008: W32.Downadup.B is released
March 4, 2009: W32.Downadup.B downloads W32.Downadup.C
April 1, 2009: W32.Downadup.C begins checking 500 of 50,000 domains
April 7, 2009:
- W32.Downadup.E is seeded into W32.Downadup.C P2P network
- W32.Downadup.E updates W32.Downadup.B
- W32.Downadup.C downloads other risks
Find yourself struggling to keep up with this evolving threat? Try subscribing to some of our Security Response feeds. You have your choice between this blog, our writeups, or even our YouTube channel. We’ll keep a lookout and let you know when something new appears.
Thanks to Eric Chien, Ka Chun Leung, and Sean Kiernan for their help making sense of the alphabet soup that is the Downadup family.