This computer worm turns
Malicious Downadup worm opts for high penetration over stealth
- By William Jackson
- Jan 20, 2009
The country is starting a new era today with the swearing in of Barack Obama as the 44th president, but in cybersecurity we might be going back to the bad old days.
Hackers are using social engineering tied to the Obama inauguration to recycle the W32.waledac worm, which showed up last year for the holiday season. But a bigger threat might be the W32.Downadup worm, which could be building a large botnet of compromised computers.
Security analysts tracking the latest high-profile worm to stalk the Internet say that W32.Downadup exploits a known vulnerability for which Microsoft issued an out-of-cycle patch in October. Despite the availability of the patch and of antivirus signatures, Symantec called the worm one of the most prolific seen in years and has clocked at least 3 million unique IP addresses infected.
“It is reminiscent of worms released several years ago,” said Ben Greenbaum, senior research manager of Symantec. “Most of the threats found today are intended to be more stealthy.”
W32.Downadup now comes in two versions, .A and .B. The original .A exploits the MS08-067 vulnerability primarily in Windows XP Service Pack 2 and Windows 2003 Service Pack 1 operating systems, for which Microsoft issued an unusual patch outside of its regular monthly patching cycle. The more recent .B variant has added password guessing and the ability to copy itself to USB drives to its bag of exploits, giving it a wider dissemination. The authors appear to be trying to gather all of the low-hanging fruit they can at the risk of being noticed, rather than quietly infecting machines to build a botnet under the radar, Greenbaum said.
“There was at some point a business decision made by the authors,” to go quickly rather than low-and-slow, he said. “The success of the Storm botnet,” which has persisted despite its high profile, “might have been a factor.”
So far the infected computers do not appear to have been put to work as a botnet.
The worm uses an algorithm to generate a pseudo-random list of domains for its command and control network, which its infected clients check daily for instructions. Because a command and control server is a weak spot whose elimination can disable a botnet, this could make Downadup more difficult to attack. But analysts have used this tool against the worm, reverse engineering the algorithm to identify the daily command domains and observing traffic to those domains to gather information about its activities.
Although this is a good tool for intelligence gathering, it probably is impractical as a defense against malicious activity if the botnet is put into service, Greenbaum said.
“A user or admin could make use of this in a limited fashion, but not trivially,” he said. “The routine can be mimicked and the resultant list of domains (250 per day) could be added to a block list. These domains could be pre-calculated in advance for as long as the admin wanted, but would very quickly add up, eating up admin time and slowing down software performance on edge devices.”
Where Downadup originated is not clear, Greenbaum said, but the areas of highest infection are in East Asia, where China accounts for nearly 29 percent of infections and Taiwan nearly 7 percent; and South America, where Argentina accounts for more than 11 percent and Brazil more than 6 percent of infections. Because home PCs are more likely to have automatic updates enabled for patching, the original .A variant of the worm has gotten better traction in enterprise networks where patching is more complicated and often less timely.
For those of you keeping track of inaugural activities online today, beware of being suckered into visiting a malicious Web site by W32.waledac. Symantec Security Response has seen a resurgence of this worm using classic social engineering techniques to get users to click on hyperlinks in e-mails that lead to another site filled with malicious links.
“Although W32.waledac is not a high-risk threat, users may be quick to click on a link to get to the fake breaking news, forgetting about potential hazards,” Symantec warned in a bulletin. “Late last year, this same piece of malicious software was used as part of Christmas-related threats.”
William Jackson is a Maryland-based freelance writer.