Editor’s note: This is the first article in a multi-part series on specific and interesting aspects of W32.Downadup.
While many researchers, including us, are speculating on the magnitude of infections from Downadup (a.k.a. Conficker), we are also all waiting for the other shoe to drop. At this point, Downadup has replicated to potentially millions of machines but there has been no additional payload—yet. Ten years ago, replication alone was motivation enough for creating malicious code, while today the vast majority of malware has a monetary motivation. Based on previous variants and characteristics of the code, we believe the worm is associated with a well-known malware gang that has previously distributed a variety of adware and, more recently, misleading applications (a.k.a. rogue antispyware products).
The worm actually has two mechanisms to receive additional payload files. One has been reported on widely: a list of domain names is generated every day and contacted for updates. Eventually, one of these domains is likely to be registered by the malicious code authors, who will host the additional payload file there. However, security vendors such as Symantec are also watching these domains, which makes them less than ideal for the malware authors, especially if they are quickly shut down.
So, another mechanism exists to distribute the payload files, one that is more difficult to track and equally difficult to shut down. The worm uses a (potentially inefficient) peer-to-peer (P2P) mechanism that allows it to share files between infections.
During the process shown above, Downadup not only patches the RPC vulnerability in memory, but uses this patch to recognize incoming exploit attempts from other Downadup-infected machines. The worm analyzes the incoming shellcode and checks whether it matches its own exploit shellcode. If the shellcode matches, information is extracted from it that allows the worm to connect back to the other infected machine. This "back connect" uses the HTTP protocol, but on a randomly selected port. The other infected machine then responds with a packet of data consisting of the payload files.
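From a network-monitoring point of view, the exchange just described leaves a recognizable shape: an inbound connection to the RPC service on port 445 from host A, followed shortly by the targeted host B opening an HTTP session back to A on a high, non-standard port. The following detection sketch is an added example written for this article, not code from Symantec or from the worm; it correlates the two flows over a few constructed flow records. The record format, the 60-second window and the set of "common" HTTP ports are assumptions chosen for illustration.

```python
"""Detection sketch: flag an inbound 445/SMB-RPC connection that is followed,
within a short window, by an HTTP session from the targeted host back to the
source on a non-standard port (the "back connect" pattern described above).
Flow records and their format are constructed for this example."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Tuple


@dataclass
class Flow:
    ts: datetime   # flow start time
    src: str       # host that initiated the connection
    dst: str       # host that received it
    dport: int     # destination port
    app: str       # application label assigned by the sensor ("smb", "http", ...)


WINDOW = timedelta(seconds=60)      # assumption: back-connect follows the exploit quickly
COMMON_HTTP = {80, 443, 8080}       # assumption: HTTP on these ports is not suspicious here


def parse_flow(line: str) -> Flow:
    # constructed record layout: "<ISO timestamp> <src> <dst> <dport> <app>"
    ts, src, dst, dport, app = line.split()
    return Flow(datetime.fromisoformat(ts), src, dst, int(dport), app)


def find_back_connects(flows: List[Flow]) -> List[Tuple[str, str, int]]:
    """Return (source_host, targeted_host, back_connect_port) for every
    445 connection that is answered by a reversed HTTP flow on an odd port."""
    hits = []
    inbound_rpc = [f for f in flows if f.dport == 445 and f.app == "smb"]
    for rpc in inbound_rpc:
        for f in flows:
            reversed_pair = f.src == rpc.dst and f.dst == rpc.src
            odd_http = f.app == "http" and f.dport not in COMMON_HTTP
            in_window = timedelta(0) <= f.ts - rpc.ts <= WINDOW
            if reversed_pair and odd_http and in_window:
                hits.append((rpc.src, rpc.dst, f.dport))
    return hits


# Constructed sample: one true back-connect (10.0.0.5 -> 10.0.0.9, answered on
# port 53814), one ordinary web visit, and one reversed flow outside the window.
SAMPLE_LOG = """\
2009-01-20T10:00:00 10.0.0.5 10.0.0.9 445 smb
2009-01-20T10:00:03 10.0.0.9 10.0.0.5 53814 http
2009-01-20T10:05:00 10.0.0.7 10.0.0.9 445 smb
2009-01-20T10:05:01 10.0.0.9 10.0.0.20 80 http
2009-01-20T10:30:00 10.0.0.9 10.0.0.7 41231 http
"""


def scan(log_text: str) -> List[Tuple[str, str, int]]:
    flows = [parse_flow(ln) for ln in log_text.splitlines() if ln.strip()]
    return find_back_connects(flows)


if __name__ == "__main__":
    for source, target, port in scan(SAMPLE_LOG):
        print(f"suspected back-connect: {target} -> {source}:{port} after 445 contact")
```

The direction reversal is the useful signal: a host that was just probed on 445 should not, seconds later, be the client in an HTTP session to its prober on a random port. In practice the 445 leg would be further qualified with the sensor's exploit signature, and the window tuned to the environment.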
Downadup can transfer multiple payload files using this mechanism. Each is possibly encrypted (or at least digitally signed) and contains a header with a file identifier and a date timestamp. The file identifier allows the worm to check whether it already knows about this file and whether it needs to be updated. The date timestamp serves as an expiration date: if a file is past its expiration date, it is discarded. The payload files are continually reviewed and those past their expiration are culled. The payload files are saved in the registry, which keeps them across reboots, and are served to other peers that request them.
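To reason about how such a store behaves (for example, why a stale payload eventually disappears from the peer network once every copy has expired), it helps to model the bookkeeping the paragraph describes: keep one copy per file identifier, accept only a newer copy, refuse anything already expired, and periodically cull. The following model is an added example for this article, not the worm's code or Symantec's; the header layout (a 32-bit identifier followed by a 64-bit Unix expiry time), the rule that a later timestamp supersedes an earlier one, and the dictionary standing in for registry persistence are all assumptions.

```python
"""Model of per-file bookkeeping: identifier + expiry timestamp in a header,
newest copy wins, expired copies are refused on arrival and culled later.
Header format and supersede rule are assumptions made for this example."""
import struct
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional, Tuple

HEADER = struct.Struct("<IQ")   # assumed layout: u32 file id, u64 expiry (Unix seconds)


def make_payload(file_id: int, expires: datetime, body: bytes) -> bytes:
    """Build a payload blob with the assumed header in front of the body."""
    return HEADER.pack(file_id, int(expires.timestamp())) + body


class PayloadStore:
    """In-memory stand-in for the registry-backed store described above."""

    def __init__(self) -> None:
        self.files: Dict[int, Tuple[datetime, bytes]] = {}   # id -> (expiry, body)

    def accept(self, blob: bytes, now: datetime) -> bool:
        """Take a blob offered by a peer; return True only if it was stored."""
        if len(blob) < HEADER.size:
            return False                                    # malformed: no header
        file_id, exp = HEADER.unpack_from(blob)
        expires = datetime.fromtimestamp(exp, tz=timezone.utc)
        if expires <= now:
            return False                                    # already expired: discard
        current = self.files.get(file_id)
        if current is not None and current[0] >= expires:
            return False                                    # nothing newer than what we hold
        self.files[file_id] = (expires, blob[HEADER.size:])
        return True

    def cull(self, now: datetime) -> int:
        """Drop every file past its expiry; return how many were removed."""
        stale = [fid for fid, (expires, _) in self.files.items() if expires <= now]
        for fid in stale:
            del self.files[fid]
        return len(stale)

    def serve(self, file_id: int, now: datetime) -> Optional[bytes]:
        """Re-emit a held file for a requesting peer, unless it has expired."""
        entry = self.files.get(file_id)
        if entry is None or entry[0] <= now:
            return None
        return make_payload(file_id, entry[0], entry[1])


def demo() -> Tuple[int, int]:
    """Walk one store through arrival, supersede, expiry and cull; return
    (files held after the cull, number culled). Values are constructed."""
    t0 = datetime(2009, 1, 20, tzinfo=timezone.utc)
    store = PayloadStore()
    store.accept(make_payload(1, t0 + timedelta(days=1), b"first"), t0)
    store.accept(make_payload(1, t0 + timedelta(hours=12), b"older"), t0)    # refused
    store.accept(make_payload(1, t0 + timedelta(days=2), b"newer"), t0)      # supersedes
    store.accept(make_payload(2, t0 - timedelta(hours=1), b"dead"), t0)      # refused
    store.accept(make_payload(3, t0 + timedelta(hours=1), b"short"), t0)
    culled = store.cull(t0 + timedelta(hours=36))   # file 3 expires, file 1 survives
    return len(store.files), culled


if __name__ == "__main__":
    held, culled = demo()
    print(f"files held: {held}, culled: {culled}")
```

The two refusal paths in `accept` are the ones worth noting from an analysis standpoint: a peer never re-adopts a copy that is older than what it already holds, and never adopts an expired one, so once the last unexpired copy on any peer lapses the file cannot be revived by the network itself.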
These payload files can then either be saved to disk and executed or loaded directly to memory. Thus, additional payload files can end up being executed with no files hitting the disk.
So, while we know Downadup’s method of operation, we still await its motive.