Editor’s Note: This is the fourth installment of a multi-part series on specific and interesting aspects of W32.Downadup.
Back in November 2008, Symantec raised the ThreatCon level in response to a significant increase in exploitation activity targeting MS08-067, at a time when other vendors were still downplaying or ignoring this surge of network attacks. This was just the beginning of the W32.Downadup saga.
Downadup wasn’t the first worm exploiting MS08-067, but it clearly had something “special” when compared to earlier competing threats (see W32.Kernelbot.A and W32.Wecorl). From the programming style, the tricks, and the ideas used in the Downadup code, we could easily say that Downadup wasn’t the average threat that we would normally see in the wild. The first variant of the worm was able to infect an estimated 500,000 machines due to an aggressive infection routine and a sophisticated exploitation algorithm, which makes use of geo-location and OS fingerprinting.
However, the first variant of Downadup wasn’t able to cause the same damage as its successor, mostly for two reasons: it spread through only one mechanism, and it had a single point of failure, namely the data file used to perform geo-location of IP addresses. This file (GeoIP.dat.gz) was freely available on the Web back in November 2008 and was downloaded by the worm directly from the website using a URL hardcoded in its code. At some stage, MaxMind removed this GeoIP file from their website, probably because of the denial-of-service (DoS) effect they would have been experiencing on their servers, which were being contacted by every machine infected by Downadup. This change degraded the exploitation abilities of the first variant to some degree.
When this happened, the Downadup authors had several good reasons to release an updated version of the threat, and so they decided to fix the GeoIP file problem and increase the propagation of the worm for the next release. When Downadup.B came out on December 30, 2008, the new variant was able to copy itself to USB and network drives and could also infect machines by brute-forcing user passwords, all of which dramatically increased its ability to spread. In addition, the authors fixed the GeoIP problem from the first variant by inserting the GeoIP file directly into the appended data of the threat file. In fact, Downadup.B samples have almost 75K of extra data tagged onto the end, encrypted with RC4 using a 29-byte key. After decryption, this buffer reveals a RAR archive that contains all of the GeoIP information necessary for the targeted exploitation routine. This data is decrypted and decompressed in memory on the fly by the malware, and then re-encrypted to hinder memory forensics.
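As an added triage example (not Symantec's code and not taken from the sample), the following Python locates a PE file's appended data (the overlay past the last section), RC4-decrypts it with a candidate 29-byte key, and checks for the RAR signature. The key, the minimal PE shell and the archive body are all constructed stand-ins; the real sample's key is not reproduced here.

```python
import struct
RAR_MAGIC = b"Rar!\x1a\x07\x00"          # RAR 4.x archive signature

def rc4(key: bytes, data: bytes) -> bytes:
    # Textbook RC4 (KSA then PRGA); the same call decrypts what it encrypted.
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out, i, j = bytearray(), 0, 0
    for c in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(c ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)

def overlay_offset(pe: bytes) -> int:
    # Appended data starts where the last section's raw data ends.
    nt = struct.unpack_from("<I", pe, 0x3C)[0]
    assert pe[nt:nt + 4] == b"PE\0\0", "not a PE image"
    nsec = struct.unpack_from("<H", pe, nt + 6)[0]
    opt_size = struct.unpack_from("<H", pe, nt + 20)[0]
    sec_tbl = nt + 24 + opt_size
    end = 0
    for k in range(nsec):
        raw_size, raw_ptr = struct.unpack_from("<II", pe, sec_tbl + 40 * k + 16)
        end = max(end, raw_ptr + raw_size)
    return end

def extract_appended_rar(pe: bytes, key: bytes):
    # Return the decrypted overlay if it looks like a RAR archive, else None.
    blob = rc4(key, pe[overlay_offset(pe):])
    return blob if blob.startswith(RAR_MAGIC) else None

def build_test_image(payload: bytes, key: bytes) -> bytes:
    # Constructed stand-in for a sample: minimal PE shell with one section
    # whose raw data ends at 0x200, followed by the RC4-encrypted overlay.
    hdr = bytearray(0x200)
    hdr[0:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)                 # e_lfanew
    hdr[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<H", hdr, 0x46, 1)                    # NumberOfSections
    struct.pack_into("<H", hdr, 0x54, 0xE0)                 # SizeOfOptionalHeader
    sec = 0x40 + 24 + 0xE0                                  # first section header
    struct.pack_into("<II", hdr, sec + 16, 0x100, 0x100)    # SizeOfRawData, PointerToRawData
    return bytes(hdr) + rc4(key, payload)

DEMO_KEY = bytes(range(0x41, 0x41 + 29))   # constructed 29-byte key, not the real one
DEMO_RAR = RAR_MAGIC + b"\x00" * 64        # constructed fake archive body
```

On a real sample you would feed the file bytes and the recovered key to `extract_appended_rar` and hand the result to a RAR tool; a wrong key yields None because the magic check fails.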
Another interesting change introduced by the authors in the W32.Downadup.B code is the variation of the pseudo-random domain name generation algorithm. Researchers at Symantec and other security companies were able to reverse-engineer the Downadup code and successfully crack the domain-generation algorithm. It is well known that the worm generates a set of 250 different domains every day; therefore, being able to predict these domains may help in tracking infected computers and also in preventing further infections. The authors introduced small changes in the .B variant to produce a slightly different list of pseudo-random domains, most likely in an attempt to stymie these reverse-engineering efforts.
The PRNG (*) algorithm relies on a seed value that will be the same across infected systems on any given day. The seed is generated through a series of 64-bit arithmetic operations on both static values and the numeric values of the current year, month, and day. The static values are three magic numbers used respectively as multiplier (M), divisor (D), and additive (A) constant. The PRNG routine is a 200-byte piece of code that performs various floating-point operations and uses a second internal multiplier value (M2), which is also hardcoded. What changed between the two worm variants are these magic values M, D, A, and M2, while the logic of the PRNG algorithm is exactly the same. What Downadup does with these domains is simple: it downloads and executes additional malicious content. It’s still a mystery what this additional content is, but we speculate that it is somehow related to Eastern European cyber criminals and misleading applications.
A final question that came to mind: given that the list of future domains was publicly disclosed on the Web, why hadn’t any other cyber criminals taken advantage of the predictions? We know that security vendors registered some of these domains for monitoring purposes, so why didn’t some other miscreant try to register one of these domains to push another Trojan to all machines infected with Downadup? Cyber criminals are no strangers to this, and it wouldn’t be the first case of a stolen botnet. Well, we found a valid explanation for this when we looked into how Downadup downloads additional code. As we have said previously, the authors of Downadup are not beginners, and they may have anticipated that someone, sooner or later, would break their domain prediction algorithm. So, to avoid losing their botnet, they put a secondary (strong) protection into the threat, which makes it impossible for anyone other than the original authors to upload new malicious components onto compromised machines.
Stay tuned. More details about W32.Downadup will follow in the next article of this series. Keep up-to-date with the analysis by subscribing to the Symantec Security Response Blog RSS feed (http://www.symantec.com/xml/rss/srblogs.jsp).
(*) Thanks to the Symantec DeepSight team and to Symantec's Aaron Adams for the superb analysis while reversing the PRNG algorithm.