W32.Downadup.A and W32.Downadup.B Statistics 

Jan 16, 2009 07:21 PM

As regular readers of the Symantec Security Response Blog know, we’ve been monitoring W32.Downadup statistics for some time. We’ve previously published two blog entries regarding infection statistics for both the .A and .B variants. The Symantec Intelligence Analysis Team has been monitoring infections since mid-December. We recommend that readers familiarize themselves with the information in the previous blogs, as well as the Symantec Security Response writeups for the worm, before reading the rest of this article.

W32.Downadup.A writeup

W32.Downadup.B writeup


W32.Downadup is an extremely interesting piece of malicious code and one of the most prolific worms we have seen in years. This is largely because it can trivially exploit unpatched Windows XP SP2 and Windows 2003 SP1 systems through the MS08-067 vulnerability discussed below. Other worms released over the past few years have largely targeted older system versions, whose share of the installed base keeps shrinking.

The Symantec Intelligence Analysis Team has recently begun monitoring W32.Downadup.B infections using the same method used for W32.Downadup.A. Both worms use a custom date-based algorithm to generate 250 domain names per day, and each infection then contacts those domains in an attempt to obtain an update binary. By reverse engineering the algorithms and writing tools that mimic the domain generation routine, we can predict the domains that infected systems will contact on future dates. We take advantage of this by preemptively registering domains that will be queried in the future and, on the corresponding day, logging every request that reaches them.
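To make the monitoring method concrete, here is an added example of the mechanism, written for this article rather than taken from the worm or from Symantec's tools: a toy date-seeded domain-generation algorithm with the shape described above (date in, 250 deterministic domains out) and the defender's side of it. The seed derivation, label lengths and TLD pool are illustrative assumptions, not W32.Downadup's real routine, but the workflow is the one the post describes: derive a future day's list today, register (sinkhole) it, and match incoming requests against it.

```python
"""Added example (not Symantec's tooling and not the worm's real routine): a
toy date-seeded domain-generation algorithm with the shape the post describes,
plus the defender's side of it.  Seed derivation, label lengths and the TLD
pool are illustrative assumptions."""
from __future__ import annotations

import hashlib
from datetime import date, timedelta

DOMAINS_PER_DAY = 250                          # count given in the post
TLDS = ("com", "net", "org", "info", "biz")    # assumed TLD pool, illustrative


def _keystream(seed: bytes):
    """Deterministic byte stream: SHA-256 of seed || 32-bit block counter."""
    counter = 0
    while True:
        yield from hashlib.sha256(seed + counter.to_bytes(4, "big")).digest()
        counter += 1


def generate_domains(day: str, count: int = DOMAINS_PER_DAY) -> list[str]:
    """Domains an infection would query on `day` (ISO format, e.g. 2009-01-16).

    Only the calendar date feeds the seed, so every infected host and every
    analyst who has reverse engineered the routine derives the same list.
    """
    seed = date.fromisoformat(day).isoformat().encode()   # validates the date
    stream = _keystream(seed)
    domains: list[str] = []
    seen: set[str] = set()
    while len(domains) < count:
        length = 5 + next(stream) % 7                       # 5..11 characters
        label = "".join(chr(ord("a") + next(stream) % 26) for _ in range(length))
        name = f"{label}.{TLDS[next(stream) % len(TLDS)]}"
        if name not in seen:                                # keep the list unique
            seen.add(name)
            domains.append(name)
    return domains


def sinkhole_schedule(start: str, days: int) -> dict[str, list[str]]:
    """Defender side: precompute each future day's list so the domains can be
    registered (sinkholed) before infections start asking for them."""
    first = date.fromisoformat(start)
    schedule: dict[str, list[str]] = {}
    for n in range(days):
        day = (first + timedelta(days=n)).isoformat()
        schedule[day] = generate_domains(day)
    return schedule


def is_predicted_domain(host: str, day: str) -> bool:
    """Detection helper: match a DNS query name or HTTP Host header against
    the predicted list for `day` (case-insensitive, trailing dot ignored)."""
    return host.lower().rstrip(".") in set(generate_domains(day))


if __name__ == "__main__":
    for day, names in sinkhole_schedule("2009-01-16", 2).items():
        print(day, len(names), "domains, e.g.", names[:3])
```

Because the seed is nothing but the calendar date, anyone holding the routine computes the same 250 names; that symmetry is what lets the defender register the domains before the worm asks for them, and it is also what makes the resulting logs a census of the infected population rather than of the attacker's infrastructure.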

The logs can then be used to tell us a number of interesting things. The string below is an example of what one of the log entries looks like:



x.x.x.x [16/Jan/2009:09:45:09 -0700] "GET /search?q=0 HTTP/1.0" 404 282 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"


First, we get the connecting IP. This could be an externally facing infected system or an Internet gateway shared by multiple systems behind network address translation (NAT). The IP addresses allow us to roughly (and conservatively) approximate the number of infections and to map infection density geographically. For instance, the following image illustrates the top 10 countries by W32.Downadup.A infection count:

[Image: top 10 countries by W32.Downadup.A infection count]

The IP data shows that China and Argentina are by far the most infected countries, and that East Asia and South America are the main regions of infection. In total we have observed over three million unique IP addresses infected with W32.Downadup.A.

The logs also tell us other valuable information. In our previous blog entry, we showed the operating system distribution of infected systems. This can be obtained from the User-Agent string sent to the server when querying for the update. The User-Agents also allow us to approximate the total number of infections more accurately: by counting unique IP address / User-Agent pairs, we can identify additional systems sitting behind a NAT gateway. This still does not give us the total picture; however, it does reveal a significant number of additional infections. For instance, as mentioned previously, we observed three million unique IPs, but we also observed 3.7 million unique IP / User-Agent pairs.

There is one more piece of interesting information that can be obtained from the logs: the attack count reported by the infected system in the q= parameter. The infected (attacking) system increments this counter every time a newly exploited host connects back to it over HTTP to download a copy of the W32.Downadup binary; such connections are triggered by successful exploitation of the MS08-067 vulnerability.

The q= value is most interesting to us for identifying aggressive and potentially long-term infections. The former points to possibly large and vulnerable internal networks; the latter lets us speculate (although tentatively) about possible infection starting points. Originally we believed that this field might be valuable for calculating total infection counts; however, we now believe that would be inaccurate, and our reasoning will be explained shortly.

Of the approximately three million W32.Downadup.A infections observed, we chose to map those that appeared to be very successful in their exploitation efforts: every infected system that reported more than 10,000 successful attacks. This yielded just over 1,100 systems. Most ranged between 10,000 and 50,000 reported attacks; two systems, located in Argentina, reported over 100,000. The following map shows the geographic density of the infections reporting these attacks:

[Image: geographic density of W32.Downadup.A infections reporting more than 10,000 attacks]

The map shows that Chile and Argentina have the highest density of infections reporting large numbers of attacks. This corresponds to the previously shown image of top infection areas, with Argentina in second place and Chile in sixth. Although we can't say conclusively, the higher attack counts on these systems may reflect how long they have been infected and could therefore hint at the starting point of the outbreak. There is no real way to know for sure at the moment, but it is an interesting possibility nonetheless.

As noted earlier, we feel that using the q= parameter to approximate a total infection count is inaccurate. It does indicate the number of successful exploitation attempts and subsequent malware uploads; however, a successful upload is not necessarily a successful infection. Consider, for instance, a system that runs antivirus software with up-to-date definitions but is not patched against the MS08-067 vulnerability. An infected system could successfully exploit this host and upload a copy of the worm, but the antivirus software would block it, so no infection results. Because the system was never infected, the vulnerable code was never hot-patched (a feature of the worm), and the host remains open to attack by every other infected system that finds it. A single vulnerable system with up-to-date antivirus could therefore inflate the counters of many infections. Now assume, realistically, that numerous systems on the net are vulnerable to MS08-067 but impervious to infection, and the amount of skew becomes large.

As a further consideration, take the previous example of aggressive infections. We observed approximately 1,100 systems contacting our server that each reported over 10,000 attacks (in fact many reported 200-500% more than this). If these numbers were believed, those 1,100 systems alone would be responsible for at least 11 million infections. If we summed the q= values for all 3.7 million uniquely identifiable W32.Downadup.A infections we have observed, the total would be extremely large and almost certainly very inaccurate.
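The log processing described in the preceding paragraphs (unique IPs as a lower bound, IP / User-Agent pairs as a tighter one, the OS breakdown from the User-Agent, and the q= counter with the 10,000 cut-off) can be expressed in a few dozen lines. The block below is an added example, not Symantec's tooling; it parses lines in the format shown earlier in this article. The sample log lines are constructed (RFC 5737 documentation addresses), and the table mapping Windows NT version numbers to product names is an assumption made for illustration.

```python
"""Added example (not Symantec's tooling): derive the measures the post
discusses from sinkhole access-log lines in the format shown above.  The log
lines below are constructed, and the NT-version-to-OS table is an assumption."""
import re
from collections import Counter
from typing import Dict, Iterable, List, NamedTuple, Optional, Set, Tuple

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \[(?P<ts>[^\]]+)\] "GET /search\?q=(?P<q>\d+) HTTP/1\.[01]" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
# Assumed mapping used for the OS breakdown; not from the original post.
NT_VERSIONS = {"5.0": "Windows 2000", "5.1": "Windows XP",
               "5.2": "Windows Server 2003", "6.0": "Windows Vista"}

# Constructed sample: one NAT gateway with two hosts behind it (same IP, two
# User-Agents), one host that already reports >10,000 attacks, one unrelated hit.
SAMPLE_LOG = """\
203.0.113.10 [16/Jan/2009:09:45:09 -0700] "GET /search?q=0 HTTP/1.0" 404 282 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
203.0.113.10 [16/Jan/2009:09:46:12 -0700] "GET /search?q=3 HTTP/1.0" 404 282 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; SV1)"
203.0.113.10 [16/Jan/2009:10:01:40 -0700] "GET /search?q=7 HTTP/1.0" 404 282 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
198.51.100.7 [16/Jan/2009:09:50:00 -0700] "GET /search?q=12345 HTTP/1.0" 404 282 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
198.51.100.7 [16/Jan/2009:11:50:00 -0700] "GET /search?q=12399 HTTP/1.0" 404 282 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
192.0.2.44 [16/Jan/2009:09:51:30 -0700] "GET /robots.txt HTTP/1.1" 404 282 "-" "curl/7.19.0"
"""


class Hit(NamedTuple):
    ip: str
    ua: str
    q: int


def parse_line(line: str) -> Optional[Hit]:
    """One update probe, or None for anything that is not a /search?q= request."""
    m = LOG_RE.match(line.strip())
    return Hit(m["ip"], m["ua"], int(m["q"])) if m else None


def parse_log(lines: Iterable[str]) -> List[Hit]:
    return [h for h in map(parse_line, lines) if h is not None]


def unique_ips(hits: Iterable[Hit]) -> Set[str]:
    """Lower bound on infections: one NAT gateway hides many hosts."""
    return {h.ip for h in hits}


def unique_pairs(hits: Iterable[Hit]) -> Set[Tuple[str, str]]:
    """Tighter bound: hosts behind one gateway that differ in User-Agent."""
    return {(h.ip, h.ua) for h in hits}


def os_distribution(hits: Iterable[Hit]) -> Counter:
    """OS breakdown over distinct (ip, ua) pairs, keyed off 'Windows NT x.y'."""
    dist: Counter = Counter()
    for _, ua in unique_pairs(hits):
        m = re.search(r"Windows NT (\d+\.\d+)", ua)
        dist[NT_VERSIONS.get(m.group(1), "other Windows") if m else "unknown"] += 1
    return dist


def max_q_per_host(hits: Iterable[Hit]) -> Dict[Tuple[str, str], int]:
    """q= is a running counter on the infected host, so repeat polls report
    non-decreasing values; keep the highest value seen per (ip, ua)."""
    best: Dict[Tuple[str, str], int] = {}
    for h in hits:
        key = (h.ip, h.ua)
        best[key] = max(best.get(key, 0), h.q)
    return best


def aggressive_hosts(hits: Iterable[Hit],
                     threshold: int = 10_000) -> List[Tuple[Tuple[str, str], int]]:
    """Hosts whose reported attack count exceeds `threshold` (the post's
    cut-off), highest first.  The count is NOT a number of infections."""
    return sorted(((k, q) for k, q in max_q_per_host(hits).items() if q > threshold),
                  key=lambda kv: -kv[1])


if __name__ == "__main__":
    hits = parse_log(SAMPLE_LOG.splitlines())
    print(len(unique_ips(hits)), "unique IPs;", len(unique_pairs(hits)), "IP/User-Agent pairs")
    print(dict(os_distribution(hits)))
    print(aggressive_hosts(hits))
```

Two design points follow directly from the article's argument. Counting distinct (IP, User-Agent) pairs rather than IPs is what recovers the hosts hidden behind a shared gateway, and it still undercounts when two such hosts run the same OS and browser build. Taking the maximum q= per host rather than the sum avoids double-counting the same counter across repeated polls, but even that maximum is only a count of uploads, which is why the code never adds these values up into an infection total.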

The last major point of interest in the statistics we have collected is the W32.Downadup.B numbers. We recently began monitoring these infections, starting from a list of 600,000 unique IP addresses known to be infected with this variant. Comparing these against the 3 million unique W32.Downadup.A IPs gave a surprising result: only approximately 68,000 IPs appear in both sets. First, this tells us that W32.Downadup.A infected systems were not used to seed the W32.Downadup.B binary; it would seem that the pseudo-random domain-based update mechanism has not yet been used. Second, given the large number of systems already infected with the .B variant, it is likely seeing great success with its new propagation vector, brute-forcing file shares. Because W32.Downadup.A patches the system against further exploitation of MS08-067, it makes sense that there would not be much cross-over of IP addresses.

Some of the cross-over can be attributed to systems that were infected with W32.Downadup.A and then disinfected, which leaves them exploitable via MS08-067 once more. Others may be systems still infected with W32.Downadup.A, and therefore no longer vulnerable to the MS08-067 vector, that remain vulnerable to file share brute-forcing. Additionally, some of the cross-over likely comes from systems infected through USB key transfer (another propagation vector leveraged by the .B variant) that sit behind the same shared gateway, and thus the same IP address, as systems infected with the .A variant.

We are continuing to collect and analyze infection data, documenting how this worm family evolves, and watching to see whether the domain-based update mechanism is used. This is by far one of the most prolific worms in many years, and it has an extremely large infection base that could do a lot of damage.

Message Edited by Trevor Mack on 01-30-2009 12:40 PM
