
W32.Downadup.C Bolsters P2P 

Mar 20, 2009 04:58 PM

Sometime between March 4 and March 6, 2009, the authors of the Downadup worm pushed out a significant update to a portion of the Downadup network. Symantec Security Response engineers captured the update in one of their honeypots and quickly responded with definitions to protect against the threat. The history of this threat is quite interesting. Initially, the sole purpose of the worm was propagation, but it has since developed into a robust botnet, complete with sophisticated code signing to protect update mechanisms, as well as a resilient peer-to-peer (P2P) protocol. The following table is a brief summary of the evolution of this threat:


One interesting aspect of W32.Downadup.C is the omission of a propagation routine; this coincided with public reports of a decrease in TCP port 445 activity as of March 5, 2009. The decrease in TCP port 445 activity would be expected, since W32.Downadup.A and W32.Downadup.B both had aggressive propagation routines, and W32.Downadup.C does not. The Symantec DeepSight Threat Management System observed this decrease in activity (as illustrated in figure 1, below).


Figure 1. Dip in activity observed over TCP port 445, possibly related to the update of the Downadup network with W32.Downadup.C.

The other significant aspect of W32.Downadup.C is the addition of a robust P2P update mechanism. The P2P functionality allows the author to distribute cryptographically signed updates to other computers infected with Downadup. This P2P functionality contains a UDP P2P discovery routine that sends UDP traffic to lists of generated IPs and ports. Figure 2 illustrates all of the UDP activity, for ports greater than 1024, that was observed by the Symantec DeepSight Threat Management System between February 18 and March 3, 2009.


Figure 2. UDP activity for ports greater than 1024, between February 18 and March 3, 2009.

The Symantec DeepSight Threat Management System registered a sharp increase in this UDP traffic beginning March 4. This coincides with the date that the W32.Downadup.C update was pushed out to W32.Downadup.B hosts. The large increase in UDP activity indicates that a significant number of systems infected with W32.Downadup.B began performing UDP P2P peer discovery to random target IPs. This is the behavior of the initial P2P setup (bootstrap) routines for W32.Downadup.C.


Figure 3. UDP activity for ports greater than 1024, between March 4 and March 18, 2009.
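As an added illustration of the peer-discovery pattern described above (example code, not from the post or from Symantec), the following Python scans constructed sample flow records for hosts whose UDP traffic to ports above 1024 fans out to many distinct destinations; the record layout, the fan-out threshold and the sample data are assumptions.

```python
from collections import defaultdict

# Constructed sample records (not DeepSight data): "timestamp src dst proto dport".
SAMPLE_FLOWS = """\
2009-03-04T10:00:01 10.0.0.5 203.0.113.10 udp 4711
2009-03-04T10:00:02 10.0.0.5 198.51.100.7 udp 19321
2009-03-04T10:00:02 10.0.0.5 192.0.2.44 udp 33011
2009-03-04T10:00:03 10.0.0.5 203.0.113.99 udp 7777
2009-03-04T10:00:04 10.0.0.5 198.51.100.200 udp 51234
2009-03-04T10:00:05 10.0.0.5 192.0.2.8 udp 2048
2009-03-04T10:00:06 10.0.0.9 192.0.2.53 udp 53
2009-03-04T10:00:08 10.0.0.9 198.51.100.1 tcp 443
2009-03-04T10:00:09 10.0.0.9 203.0.113.10 udp 4711
"""

# Assumed threshold: distinct high-port UDP destinations per source host.
FANOUT_THRESHOLD = 5


def parse_flows(text):
    """Parse whitespace-separated records into dicts, skipping malformed lines."""
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or not parts[4].isdigit():
            continue  # malformed record: skip it rather than abort the scan
        ts, src, dst, proto, dport = parts
        flows.append({"ts": ts, "src": src, "dst": dst,
                      "proto": proto.lower(), "dport": int(dport)})
    return flows


def high_port_udp_fanout(flows):
    """Map each source IP to the distinct hosts it sent UDP to on ports > 1024."""
    fanout = defaultdict(set)
    for f in flows:
        if f["proto"] == "udp" and f["dport"] > 1024:
            fanout[f["src"]].add(f["dst"])
    return fanout


def suspicious_sources(flows, threshold=FANOUT_THRESHOLD):
    """Return source IPs whose high-port UDP fan-out reaches the threshold."""
    fanout = high_port_udp_fanout(flows)
    return sorted(src for src, dsts in fanout.items() if len(dsts) >= threshold)


if __name__ == "__main__":
    for src in suspicious_sources(parse_flows(SAMPLE_FLOWS)):
        print(f"possible P2P bootstrap fan-out from {src}")
```

On real flow data the threshold should be tuned against a baseline, since DNS resolvers, VoIP and games also generate high-port UDP to several destinations.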

The main purpose of the P2P functionality is to allow the authors to push out signed updates to the W32.Downadup.C infected systems. Essentially, this threat has evolved from an Internet worm (potentially a test phase) to a functional back door/bot. The P2P network makes it difficult to dismantle the Downadup network because there is no centralized command-and-control system in place.

In addition to the P2P update, the now ancillary HTTP update method was also refined. This method now generates 50,000 domains a day, and randomly selects a subset of 500 domains that it checks daily for updates that are cryptographically signed by the author of the malware.

As for how this network will be used, there is no indication yet.
