The W32.Downadup.A worm was the first worm discovered in the wild that successfully leveraged MS08-067 in a widespread fashion. Symantec carried out an in-depth analysis of this threat and discovered that infected hosts generate 250 pseudo-random domain names each day, in preparation for attempting to contact them later on to download and execute an update binary.
This is an interesting and increasingly popular technique that malicious code authors have been deploying. It allows them to more easily evade domain and server takedowns, because until they choose to register a domain associated with a given day, the security industry is unable to know for sure which domain will be used and therefore has little to target. Fortunately, by reverse engineering the domain-generation algorithms, we are able to proactively identify and blacklist the domains.
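The defender's side of this, as an added example that is not part of the original post and not the worm's algorithm: a hypothetical date-seeded generator stands in for a reversed DGA, and the surrounding functions show what reversing buys you, namely every future day's candidate set computed ahead of time for blocklisting or sinkhole registration, and a DNS-log match against that set. The seed, hash construction, TLD list and label lengths are all constructed assumptions; only the count of 250 per day comes from the analysis.

```python
"""Pre-computing DGA domains once the algorithm is known.

Constructed illustration: the date-seeded SHA-256 generator below is a
hypothetical stand-in, NOT the W32.Downadup.A algorithm. It demonstrates the
property a defender exploits: a deterministic generator lets every future
day's candidate set be produced in advance.
"""
import hashlib
from datetime import date, timedelta

DOMAINS_PER_DAY = 250            # per-day count reported in the analysis
TLDS = ("com", "net", "org")     # hypothetical TLD rotation
SEED = b"hypothetical-seed"      # stands in for a reversed constant


def generate_domains(day_iso: str, count: int = DOMAINS_PER_DAY) -> list[str]:
    """Deterministically derive `count` domains for an ISO date string."""
    domains = []
    for i in range(count):
        digest = hashlib.sha256(SEED + day_iso.encode() + i.to_bytes(2, "big")).digest()
        # 8-12 lowercase letters taken from the digest; TLD chosen by the last byte
        length = 8 + digest[0] % 5
        label = "".join(chr(ord("a") + b % 26) for b in digest[1:1 + length])
        domains.append(f"{label}.{TLDS[digest[-1] % len(TLDS)]}")
    return domains


def precompute_blocklist(start_iso: str, days: int) -> dict[str, set[str]]:
    """Map each ISO date in [start, start+days) to its generated domain set."""
    start = date.fromisoformat(start_iso)
    table = {}
    for d in range(days):
        day_iso = (start + timedelta(days=d)).isoformat()
        table[day_iso] = set(generate_domains(day_iso))
    return table


def classify_queries(queries: list[tuple[str, str]], blocklist: dict[str, set[str]]) -> list[str]:
    """Return queried names that fall in the generated set for their day.

    `queries` are (iso_date, fqdn) pairs, as a resolver log would yield them;
    a hit means a host on the network asked for that day's generated name.
    """
    return [name for day, name in queries if name in blocklist.get(day, set())]


if __name__ == "__main__":
    table = precompute_blocklist("2009-01-01", 7)
    print(len(table["2009-01-01"]), "domains generated for 2009-01-01")
    print(sorted(table["2009-01-01"])[:3])
```

The same table that feeds a blocklist also supports the measurement described later in the post: register a handful of the pre-computed names and every host that queries them on that day identifies itself.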
What’s also interesting about this method of obtaining binary updates is that it does allow for the number of infections to be approximated by monitoring contact attempts against generated domains. By pre-calculating and registering future domains, the Symantec Intelligence Analysis Team was able to observe contact attempts made by numerous infections. Over the course of a week, we observed over three million unique IP addresses attempting to obtain a download file from our server. However, we believe that the number of infections is higher than this estimate due to multiple internal infections that may be using network address translation (NAT) behind a single external IP address. Also, it’s possible that an infected computer does not contact all 250 generated domains each day. If this latter possibility is the case, then we may only be seeing a subset of the actual total number of infected computers in this bot network.
For instance, we have been able to show that multiple infections are coming from a single IP address by identifying unique user-agent strings coming from the same IP. The following graph shows the statistics, over a 72-hour period, of unique IP addresses versus unique IP address and user-agent pairs:
While on the topic of user-agents, when contacting one of the generated domains to obtain a binary, an infected computer sends a specific user-agent string as part of the HTTP request. User-agent strings contain version information about the associated operating system (OS) and Web browser, and can be used to collect interesting statistics. For example, Windows XP SP1 can be identified by a user-agent containing "Windows NT 5.1". Systems running Windows XP SP2 and later can be identified by "Windows NT 5.1; SV1". By analyzing the user-agent strings associated with each unique request, we are able to approximate the distribution of infected operating system types. The following graphic shows the OS distribution observed over a 72-hour period:
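The two measurements just described (unique IPs versus unique IP and user-agent pairs, and the OS split from user-agent tokens) over sinkhole web logs, as an added example that is not Symantec's tooling. The log lines are constructed in the common "combined" web-server format; the XP buckets follow the tokens named above, and the "Windows NT 5.0" (Windows 2000) and "Windows NT 5.2" (Windows 2003) mappings are standard user-agent conventions added here.

```python
"""Sinkhole log analysis: unique IPs vs (IP, user-agent) pairs, and OS mix.

Added example, not Symantec's code. Sample lines are constructed; the first
external address carries three distinct user-agents, standing in for several
infected machines behind one NAT gateway.
"""
import re
from collections import Counter

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample log (addresses from documentation ranges); last line is malformed
SAMPLE_LOG = """\
192.0.2.10 - - [02/Jan/2009:10:00:01 +0000] "GET / HTTP/1.1" 404 0 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
192.0.2.10 - - [02/Jan/2009:10:00:02 +0000] "GET / HTTP/1.1" 404 0 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
192.0.2.10 - - [02/Jan/2009:10:00:03 +0000] "GET / HTTP/1.1" 404 0 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
192.0.2.10 - - [02/Jan/2009:11:00:01 +0000] "GET / HTTP/1.1" 404 0 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
198.51.100.7 - - [02/Jan/2009:10:05:00 +0000] "GET / HTTP/1.1" 404 0 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2)"
203.0.113.9 - - [02/Jan/2009:10:06:00 +0000] "GET / HTTP/1.1" 404 0 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1)"
garbage line that does not parse
"""


def classify_os(ua: str) -> str:
    """Map a user-agent string to the OS buckets used in the analysis."""
    if "Windows NT 5.1; SV1" in ua:
        return "Windows XP SP2 and later"
    if "Windows NT 5.1" in ua:
        return "Windows XP SP1 and earlier"
    if "Windows NT 5.0" in ua:
        return "Windows 2000"
    if "Windows NT 5.2" in ua:
        return "Windows 2003"
    return "Other/unknown"


def parse_log(text: str) -> list[dict]:
    """Parse combined-format lines, skipping any that do not match."""
    records = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            records.append(m.groupdict())
    return records


def summarize(records: list[dict]) -> dict:
    """Count unique IPs, unique (IP, UA) pairs, and the OS distribution over pairs.

    Several user-agents behind one address imply several infected machines, so
    the pair count is the better lower bound on hosts when NAT is in play.
    """
    ips = {r["ip"] for r in records}
    pairs = {(r["ip"], r["ua"]) for r in records}
    os_mix = Counter(classify_os(ua) for _, ua in pairs)
    return {
        "unique_ips": len(ips),
        "unique_ip_ua_pairs": len(pairs),
        "os_distribution": dict(os_mix),
    }


if __name__ == "__main__":
    for key, value in summarize(parse_log(SAMPLE_LOG)).items():
        print(f"{key}: {value}")
```

On the sample, three addresses become five (IP, user-agent) pairs; the gap between the two numbers is exactly the NAT undercount the post warns about, and the OS counts are taken over pairs rather than raw requests so repeat contacts from one host do not inflate them.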
As can be seen, the most commonly infected systems appear to be Windows XP SP1 and earlier. Over 500,000 of the infected computers that contacted our server were running these operating system versions. Close behind were Windows XP SP2 and later systems. Windows 2000 and Windows 2003 had smaller shares.
We believe that the W32.Downadup.A propagation routine has been very aggressive. It will continue to infect computers in the near future and receive updates via the aforementioned mechanism. Symantec discovered a new variant of this worm on December 30, 2008, dubbed W32.Downadup.B. This updated version contains additional propagation routines and what appears to be an altered domain generation routine. It’s not currently known if this new version was seeded to W32.Downadup.A infections or has independently spread through its own propagation routines.
We strongly encourage all users to ensure that the patches available in MS08-067 have been applied and that antivirus products are fully up-to-date to ensure that this threat does not find its way onto computers.