Downadup: Geo-location, Fingerprinting, and Piracy
Editor's Note: This is another installment of a multi-part series on specific and interesting aspects of W32.Downadup.
Downadup has been the most prolific worm that we have seen for some time. While as a part of this series we are documenting some of the more interesting technical sides of this threat, other non-technical aspects of this threat also present noteworthy issues. The map below shows the top 10 countries rated by infection prevalence:
Figure 1. Top 10 countries ranked by W32.Downadup infections
(Source: Symantec Corporation)
As shown in figure 1, China has almost three times as many infections as the second most infected country, Argentina. Even more notably, some of the nations with higher computer usage such as the United States or Korea are trailing considerably. So, what is causing this skew?
Downadup uses an RPC (remote procedure call) exploit as its main vector for propagation. This exploit is only effective against machines that have not applied the MS08-067 patch. In addition, the ability to exploit the vulnerability effectively requires knowledge of the operating system (OS) version (for example, Windows XP vs. Windows 2003) and language of the targeted machine. The below figure is a snippet of a larger list in Downadup of configuration values needed for different versions and languages:
Figure 2. Downadup configuration values: snapshot
First, to attempt to determine which version of Windows the remote host is running, Downadup fingerprints the remote host by sending an SMB Session Setup Request. The remote machine provides the OS version and service pack as part of its response. For example, the figure below shows a remote host responding with Windows 2000 as its OS version:
Figure 3. W32.Downadup remote host response
The second and more difficult step is determining the remote machine's language version. Downadup guesses at the language version by using IP geo-location. Recent versions of Downadup contain RC4 encrypted IP geo-location information. By looking up the remote machine's IP address in the geo-location information, Downadup is able to match the IP address to a country and then maps that country to a particular language. Downadup's geo-location data appears more effective for certain countries such as China and Argentina.
It should be noted that these techniques are far from 100% reliable and in some cases cannot even be utilized (for instance, private IP addresses in a NAT setup). In these cases, Downadup guesses at the version of the remote host and uses a set of defaults for the language, except for Chinese and Brazilian Portuguese. If the existing host is Chinese or Brazilian Portuguese, Downadup will assume the remote host is Chinese or Brazilian Portuguese. This likely provides increased efficacy in countries such as China and Brazil.
A second possible explanation for the skew is that on October 20, 2008, Microsoft rolled out an updated Windows Genuine Advantage (WGA) system to help combat the high rate of piracy of its Windows platform. One of the side effects of this policy is that people using illegal copies of Windows will be more likely to disable automatic updates from Microsoft. The fear is that a subsequent update may adversely affect their experience with Windows in a similar way the "black screen" that affected many users in China operating illegal copies of Windows. Without automatic updates, it is highly unlikely that many of these users are manually installing critical updates such as MS08-067.
The following graph shows the rate of software piracy in 2006:
Figure 4. Software piracy in selected countries, by percentage (2006)
What is interesting about the data shown in figure 4 is that China, India, and Russia all have a high percentage of pirated software in use and these countries also feature in the top 10 countries ranked by W32.Downadup infections, as shown in figure 1 above. The lack of patching due to piracy may be a contributory factor to high infection rates in those countries. People with illegal copies of Windows who choose to disable automatic updates can create an ideal breeding ground for malicious code authors to proliferate their wares.
So, the bottom line is that while Downadup has been highlighted in the press due to extremely high infection numbers, not all countries are affected equally. Some residents of certain countries may be wondering what all the hype is about, while others can't understand why they haven't heard more about it.
Keep an eye out for the third installment of this blog series on W32.Downadup. We'll be posting it on the Security Response Blog in the next couple of days.