Video Screencast Help
Scheduled Maintenance: Symantec Connect is scheduled to be down Saturday, April 19 from 10am to 2pm Pacific Standard Time (GMT: 5pm to 9pm) for server migration and upgrade.
Please accept our apologies in advance for any inconvenience this might cause.

W32.Downadup.E—Back to Basics

Created: 09 Apr 2009 20:16:59 GMT • Updated: 23 Jan 2014 18:36:04 GMT
Patrick Fitzgerald's picture
+1 1 Vote
Login to vote

Once again we find ourselves sucked into a maelstrom of questions and uncertainty surrounding the threat W32.Downadup, which is now a household name (just in case you haven't heard of it, it’s also known as Conficker). I’m sure that the people working in the security industry can marvel at their loved ones finally taking an interest in their job, which for once has gone past feigned interest and polite smiles. So, what have the little scamps behind W32.Downadup been up to this time?

Yesterday, Brian Ewell wrote about new developments regarding W32.Downadup in his blog entry entitled Downadup + Waledac. That blog mentioned some differences in functionality and put forward a possible association with Waledac. Today’s post will provide some more details about these differences.

We observed W32.Downadup downloading a binary over its peer-to-peer mechanism. The downloaded binary incorporates the spreading mechanisms used by W32.Downadup.A. However, this binary is a new variant and is detected by Symantec products as W32.Downadup.E.

1. It patches “tcpip.sys” in order to increase the number of concurrent network connections available on the system.
2. The exploitation of the MS08-067 vulnerability, which had not featured in W32.Downadup.C, is now included in W32.Downadup.E.
3. This variant also uses the SMB protocol to identify the target system before attempting to exploit it. This is most likely an attempt to increase the chances of successful exploitation.
4. This worm has the UPnP capabilities that we saw in previous versions of Downadup. The threat exploits weaknesses in certain routers to allow access to compromised machines from external networks.
5. W32.Downadup.E will remove itself from the system on or after May 3, 2009.

The ultimate purpose of W32.Downadup.E is to install W32.Downadup.C on vulnerable systems. W32.Downadup.C will not be removed after May 3, 2009. When W32.Downadup.C first appeared, analysis of the code suggested that the authors wanted to consolidate the position of the botnet by removing the worm capabilities. Now it appears that the authors have been refactoring their code in favor of a more modular design. With this new approach, Downadup now employs a two-phase approach. The noisy behavior associated with the spreading mechanisms has been separated from the relatively quiet behavior observed with W32.Downadup.C.

So, the development cycle continues, but this latest incident may have given a glimmer of insight into the underlying purpose of this botnet. As mentioned earlier this threat downloads and installs W32.Waledac onto the compromised system. This is yet more evidence that this is a botnet for hire and the motivations are merely financial—hardly surprising given the global economic climate.

Symantec customers are protected from this latest threat, since our behavior-based heuristics picked this up when it appeared. Keep your antivirus up to date, stay patched, and stay safe. The technical write-up on this latest Downadup variant can be found here.

Note: Big thanks to Ka Chun Leung and Sean Kiernan for their analysis of these threats.
















Message Edited by Trevor Mack on 04-10-2009 10:38 AM