Video Screencast Help
Symantec to Separate Into Two Focused, Industry-Leading Technology Companies. Learn more.
Security Community Blog

The DownadUp (Conficker) Codex

Created: 31 Mar 2009 • Updated: 31 Mar 2009
Ben Nahorney's picture
+1 1 Vote
Login to vote

How do you summarize the functionality of a threat like Downadup? It sounds like the sort of challenge taken up only by folks that can solve a Rubik’s Cube in 30 seconds or less. If someone asked me do so in a sentence, here’s how I’d do it:

“Yeah, right.”

Then again, I was that kid who solved his Rubik’s Cube with a screwdriver. Downadup isn’t one of those types of threats that lend themselves to an in-a-nutshell summary. It happens to be one of the most complex threats we’ve seen in the history of malicious code. Still, let’s give it another try:

“Downadup is a worm.”

True, but this glosses over so, so much. Third time’s the charm?

“Downadup is a worm that spreads by exploiting a vulnerability without DoSing the network with traffic (as well as removable and network drives, by bruteforcing network shares and utilizing P2P techniques), uses GeoIP data to determine OS language, encrypts its downloads, uses UPnP to get past routers and gateways, generates a list of up to 50,000 domains to query each day, and ends security-related processes on the compromised computer.”

Yeah...better, but while it does cover much, there’s plenty left up to misinterpretation. It’s also the sort of sentence that gives a grammar teacher sleepless nights.

Since its emergence in November 2008, we have published 14 blog entries covering the various aspects of the threat—by far the most entries covering a single topic since we started this blog in 2006. With entire entries dedicated to topics from cryptographic protection to Universal Plug and Play, these entries cover the threat quite well. But 14 entries in-and-of-themselves is a lot of material to dig through in blog format.

To address this issue, we have compiled the entries into one location—what we’re calling The Downadup Codex. We’ve even included a new, as-yet unpublished article discussing the threat’s AutoPlay propagation techniques. The paper as a whole is organized in such a way as to provide a historical context to the threat’s emergence, spread, and current state.

We’re also acutely aware that the final chapter in the Downadup saga has yet to be written, which is why this is listed as Edition 1.0. As we continue to analyze and monitor this threat, there will be further blog entries and research to publish.  In the coming months, we plan to release updated versions as the threat evolves.

The Downadup Codex—think of it as your screwdriver to this Rubik’s Cube of a threat.