Last week, F-Secure made quite a few blog posts [1 / 2 / 3 / 4] describing a new worm that seems to be spreading like wildfire. Called Downadup by some and Conficker by others, the worm appears to spread primarily by exploiting the semi-recent Windows Server Service vulnerability (LiveSecurity Subscription required), which Microsoft patched last October. Previous worms have taken advantage of this popular vulnerability, but haven't achieved the success that F-Secure claims Downadup has.
According to F-Secure's last count, Downadup has infected almost nine million individual victims within four days, claiming that the virulent worm infected 1.1 million new casualties in only one day.
Once Downadup infects you, the worm does a number of things. First, it adds itself to certain Windows registry keys to ensure it can restart the next time you reboot. Next, it tries to connect to one of many potential malicious web domains in order to download more malware. The worm generates malicious domain names using a complex algorithm that changes daily and relies on the timestamp found at various public web sites. So far, no one has officially described the malware that Downadup installs. However, I wouldn't be surprised to find it installs a bot client in hopes of creating the next big botnet.
Downadup also starts a malicious web server on your computer. It then scans your local network for other computers vulnerable to the Server Service vulnerability, or for computers with weak Windows credentials, exploiting these weaknesses to infect new victims via its malicious web server. Finally, the worm appears to copy itself and an autorun file to USB devices it detects, hoping to spread when users plug these devices into other computers.
Despite F-Secure's analysis of Downadup's success, I'm not yet convinced that the worm is really as virulent as it seems. By default, even the most basic firewall blocks the ports necessary for Downadup to spread (TCP ports 139 and 445). I can't imagine the worm getting very much traction scanning the Internet for these ports. That said… if the worm snuck into your network through other means, and you haven't applied Microsoft's October patches, it would spread within your network very quickly.
This brings us to Downadup's other means of infection: weak Windows credentials and USB devices. Exploiting weak Windows credentials, like exploiting the Server Service vulnerability, requires access to those same Windows networking ports, and I've already established that most firewalls block these ports by default. Finally, I simply can't imagine a worm infecting almost nine million users by piggybacking on USB devices. Do people really share USB devices often enough for a worm to spread that successfully through them? I don't think so.
I'm not the only one who thinks F-Secure may have overstated their warnings about Downadup. Both McAfee and Symantec, two of the largest antivirus (AV) companies in the industry, rate this new worm as a low to very low risk. My guess is that F-Secure either flubbed their infection calculations or Downadup uses other unreported means of propagation (such as drive-by downloads or malicious emails).
Whether or not Downadup has really spread as widely as F-Secure suggests is beside the point: it's still an infection you don't want to contract. Most AV companies already have signatures that detect and block this worm. Make sure your AV software is up-to-date, use a firewall, and make sure it doesn't allow access to the Windows networking ports (TCP ports 139 and 445). If you already have a UTM appliance from WatchGuard, you're already fairly safe from an external Downadup attack.
Corey Nachreiner, CISSP and Senior Network Security Analyst, is a computer security geek! He has ten years professional experience in the security industry, but first started exploring hacking when BBSs were still popular. When not uncovering the next big network threat, Corey tinkers with high tech gadgets, plays video games, and enjoys family life.
Scott Pinzon, CISSP and Information Security Analyst, has nearly 20 years of experience explaining high-tech products for clients both large (Weyerhaeuser IT) and small (Seattle's first cash machine network). He is the host of the network security podcast,
2 comments:
Over at the New York Times, the reliably hysterical John Markoff quotes an expert comparing Downadup to "digital Pearl Harbor." Pure blarney.
Downadup also tries to block its victim's online access to Microsoft's Malicious Software Removal Tool, F-Secure AV, and so on. If you're a victim, you can beat Downadup's blockage by using those sites' IP addresses instead of their common URL names. Isn't that ironic? Malware authors used to employ the same technique to obfuscate URLs in their emails. Now the tables have turned, and we're using it to escape from Downadup.
Yeah, using the illegitimately blocked sites' IP address is a good idea if you need to download a removal tool from an AV company after getting blocked.
However, there are a few other ways you could regain access to those blocked sites, depending on how the worm blocks them. Many worms just add entries to your Windows hosts file under c:\windows\system32\driver\etc\hosts. If that is the case, you can just open the hosts file with a text editor, and get rid of these malicious entries.
However, smarter worms use more advanced techniques (hooking the Windows API). In these cases, it might be a little harder to bypass. However, I think booting into Windows safe mode with networking might get you past this technique.
Finally, there is another way: you could use a "hacker"-like tool to beat these guys at their own game... Hackers often use external web proxies to bypass any sort of web content-filtering imposed upon them. You could probably use a web proxy to get past these blocked IPs.
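The hosts-file check described in the comment above, as an added example that is not part of the original post or its comments: it parses hosts-file text, flags any entry that pins a security vendor or update domain (whether sinkholed to loopback or pointed somewhere else), and quarantines those lines by commenting them out. The watch list of domains and the sample hosts content are constructed for the example; the worm's actual block list is not given on the page. The path constant is the standard Windows hosts location.

```python
import ipaddress

# Standard location of the hosts file on Windows (a general Windows fact,
# not something taken from the post).
WINDOWS_HOSTS_PATH = r"C:\Windows\System32\drivers\etc\hosts"

# Domains a host-file blocker might target. Constructed watch list for this
# example; extend it with the vendors you actually rely on.
WATCHED_SUFFIXES = (
    "microsoft.com",
    "windowsupdate.com",
    "f-secure.com",
    "symantec.com",
    "mcafee.com",
)


def parse_hosts(text):
    """Return (line_no, ip, hostname) for every mapping in hosts-file text.

    Comments (#...) and blank lines are skipped; one line may map several
    names, and each name becomes its own entry.
    """
    entries = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # not a hosts mapping; ignore junk
        for name in parts[1:]:
            entries.append((line_no, ip, name.lower().rstrip(".")))
    return entries


def is_watched(hostname):
    """True if hostname is, or is a subdomain of, a watched domain."""
    return any(hostname == s or hostname.endswith("." + s) for s in WATCHED_SUFFIXES)


def find_hijacked_entries(text):
    """Flag every hosts entry that overrides a watched domain.

    A watched domain should never need a static hosts entry, so any mapping is
    reported; the reason distinguishes a sinkhole (loopback / 0.0.0.0) from a
    redirect to some other address.
    """
    findings = []
    for line_no, ip, name in parse_hosts(text):
        if not is_watched(name):
            continue
        if ip.is_loopback or ip.is_unspecified:
            reason = "sinkholed to loopback/unspecified address"
        else:
            reason = "redirected to non-loopback address"
        findings.append({"line": line_no, "host": name, "ip": str(ip), "reason": reason})
    return findings


def quarantine_hijacked(text):
    """Return the hosts text with every flagged line commented out.

    Commenting rather than deleting keeps the evidence for later analysis
    while immediately restoring normal DNS resolution for those names.
    """
    bad_lines = {f["line"] for f in find_hijacked_entries(text)}
    out = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        out.append("# [quarantined] " + raw if line_no in bad_lines else raw)
    return "\n".join(out)


# Constructed sample hosts file: two legitimate localhost lines plus three
# lines of the kind a blocker would add.
SAMPLE_HOSTS = "\n".join([
    "# Copyright (c) 1993-2009 Microsoft Corp.",
    "127.0.0.1       localhost",
    "::1             localhost",
    "127.0.0.1  www.f-secure.com f-secure.com   # constructed malicious entry",
    "0.0.0.0    update.microsoft.com",
    "192.0.2.10 liveupdate.symantec.com",
])


if __name__ == "__main__":
    for f in find_hijacked_entries(SAMPLE_HOSTS):
        print(f"line {f['line']}: {f['host']} -> {f['ip']} ({f['reason']})")
    print(quarantine_hijacked(SAMPLE_HOSTS))
```

To audit a real machine, read `WINDOWS_HOSTS_PATH` into `find_hijacked_entries` from an elevated prompt; if the file is clean but vendor sites still fail to resolve, the blocking is happening elsewhere (API hooking, as the comment notes), and the hosts file is not the place to fix it.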