Symantec Blogs: Security Response

Security Intel Analysis Team | July 6th, 2009

As mentioned in a recent blog, Symantec is aware of in-the-wild exploitation of a previously unknown and unpatched vulnerability affecting the Microsoft Video Streaming ActiveX control. Attacks were initially limited; however, new developments indicate that the flaw is now being exploited on a large scale in China and other parts of Asia. Reports indicate that thousands of websites have been compromised and are now hosting the exploit for this issue.

In our testing, Microsoft Windows XP systems are affected, while Windows Vista systems do not appear to be affected by the attack. The flaw lies in the “msvidctl.dll” library and is triggered by supplying a crafted file as the value of the “data” parameter of the “BDATuner.MPEG2TuneRequest.1” ActiveX object. The object is associated with the following...
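As an added example (not part of the original post and not Symantec's tooling), the following Python triage script scans saved HTML for the pattern the post describes: script that instantiates the BDATuner.MPEG2TuneRequest.1 object and then assigns its data property. The ProgID is the one named above; the CLSIDs that the truncated text goes on to list are not assumed, so a page that creates the control by CLSID will not match. The two sample pages are constructed for the demonstration, and the file name in the second one is a placeholder.

```python
import re

# ProgID named in the post above. The control's CLSIDs are not listed on this
# page and are deliberately not assumed here, so a page that instantiates the
# control by CLSID rather than ProgID is not matched by this heuristic.
PROGID = "BDATuner.MPEG2TuneRequest.1"

# Matches script such as:  var o = new ActiveXObject("BDATuner.MPEG2TuneRequest.1")
_INSTANTIATE_RE = re.compile(
    r"(?:var\s+)?(?P<var>[A-Za-z_$][\w$]*)\s*=\s*new\s+ActiveXObject\s*\(\s*"
    r"[\"']" + re.escape(PROGID) + r"[\"']\s*\)",
    re.IGNORECASE,
)


def scan_page(html):
    """Triage one HTML document for use of the vulnerable control.

    Returns (score, findings):
      0 - no reference to the ProgID at all
      1 - the ProgID appears somewhere (comment, string literal, markup)
      2 - script instantiates the control and then assigns its .data property,
          i.e. the "crafted input via the data parameter" pattern from the post
    """
    findings = []
    score = 0
    if PROGID.lower() in html.lower():
        score = 1
        findings.append("page references ProgID " + PROGID)
    for m in _INSTANTIATE_RE.finditer(html):
        var = m.group("var")
        # Only look for '<var>.data = ...' after the object was created;
        # '[^=]' keeps a comparison like 'o.data == x' from counting.
        data_re = re.compile(r"\b" + re.escape(var) + r"\s*\.\s*data\s*=[^=]",
                             re.IGNORECASE)
        if data_re.search(html, m.end()):
            score = 2
            findings.append("script instantiates %s as '%s' and assigns its data property"
                            % (PROGID, var))
        else:
            findings.append("script instantiates %s as '%s'" % (PROGID, var))
    return score, findings


# Constructed sample pages for the demonstration; these are not captured
# exploit pages, and "crafted.gif" is a placeholder, not a real payload name.
BENIGN_PAGE = """<html><body><p>Product page</p>
<script>var req = new ActiveXObject("Microsoft.XMLHTTP");</script>
</body></html>"""

SUSPICIOUS_PAGE = """<html><body>
<script>
var o = new ActiveXObject("BDATuner.MPEG2TuneRequest.1");
o.data = "crafted.gif";
</script>
</body></html>"""


if __name__ == "__main__":
    for name, page in (("benign", BENIGN_PAGE), ("suspicious", SUSPICIOUS_PAGE)):
        result = scan_page(page)
        print(name, result)
```

Plain string matching of this kind is a first pass for sorting a crawl of compromised pages, not a detection signature: loaders that split the ProgID across concatenated strings, escape it, or build the page with document.write will score 0 here, and a score of 1 on its own only says the control is mentioned. It is a triage aid and not a substitute for the vendor's mitigation.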

Security Intel Analysis Team | April 22nd, 2009

Symantec’s Security Intelligence Analysis Team has collaborated with Nmap contributor Ron Bowes to aid in the development of an Nmap script that can detect hosts infected with W32.Downadup.C by enumerating the peer-to-peer (P2P) protocol used by the worm. The script has been made available to the public via nmap.org and is also bundled with the latest Nmap beta, nmap-4.85BETA8. If you are using an older version of Nmap that does not include the Nmap Scripting Engine, you may want to download this updated version.

If you are new to using Nmap scripts, I suggest that you check out Ron’s blog, which has plenty of detail on how to run the script with Nmap. Once you have located infected systems you can use the Symantec...

Security Intel Analysis Team | March 20th, 2009

Sometime between March 4 and March 6, 2009, the authors of the Downadup worm pushed out a significant update to a portion of the Downadup network. Symantec Security Response engineers captured the update in one of their honeypots and quickly responded with definitions to protect against the threat. The history of this threat is quite interesting. Initially, the sole purpose of the worm was propagation, but it has since developed into a robust botnet, complete with sophisticated code signing to protect update mechanisms, as well as a resilient peer-to-peer (P2P) protocol. The following table is a brief summary of the evolution of this threat:

One interesting aspect of W32.Downadup.C is the omission of a propagation routine; this coincided with public reports...

Security Intel Analysis Team | February 12th, 2009

Since its discovery by Symantec in November 2008, the malicious W32.Downadup worm has infected millions of systems worldwide. In an effort to reduce the continued propagation of the worm, Symantec is collaborating with a range of global technology industry leaders and academics in order to mitigate the risks associated with such a large network of infected systems.

Along with Symantec, the organizations involved in this collaborative effort include: Microsoft, ICANN, Neustar, Verisign, CNNIC, Afilias, Public Internet Registry, Global Domains International Inc., M1D Global, AOL, F-Secure, ISC, researchers from Georgia Tech, The Shadowserver Foundation, Arbor Networks, and Support Intelligence. 

The group’s first goal is to target the...

Security Intel Analysis Team | January 16th, 2009

As regular readers of the Symantec Security Response Blog know, we’ve been monitoring W32.Downadup statistics for some time. We’ve previously published two blog entries regarding infection statistics for both the .A and .B variants. The Symantec Intelligence Analysis Team has been monitoring infections since mid-December. We recommend that readers familiarize themselves with the information in the previous blogs, as well as the Symantec Security Response writeups for the worm, before reading the rest of this article.

W32.Downadup.A writeup
...

Security Intel Analysis Team | January 6th, 2009

The W32.Downadup.A worm was the first worm discovered in the wild to leverage MS08-067 successfully and on a wide scale. Symantec carried out an in-depth analysis of this threat and discovered that infected hosts generate 250 pseudo-random domain names each day, in preparation for attempting to contact them later to download and execute an update binary.

This is an interesting and increasingly popular technique among malicious code authors. It makes domain and server takedowns harder: until the attackers choose to register a domain for a given day, the security industry cannot know for sure which of that day's domains will be used and therefore has little to target. Fortunately, by reverse...
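An added example, not Symantec's code and not the worm's real algorithm: a hypothetical date-seeded domain generator in Python, together with the two defender-side operations the post's reasoning implies once such a generator has been reverse engineered, namely precomputing the domain list for the coming days and matching DNS logs against it to find infected hosts. The generator, its seed, the TLD list and the log line format are assumptions made for the illustration; only the 250-domains-per-day figure comes from the post.

```python
import hashlib
from datetime import date, timedelta

DOMAINS_PER_DAY = 250            # per-day count stated in the post
TLDS = ("com", "net", "org")     # assumed for the illustration, not the worm's list


def daily_domains(day_iso, seed=b"illustrative-dga", count=DOMAINS_PER_DAY):
    """Derive `count` domains for the day given as 'YYYY-MM-DD'.

    This SHA-256 based derivation is hypothetical and is not Downadup's
    algorithm. What matters is that it is a pure function of the date, so
    anyone who has the function can compute the list in advance.
    """
    domains = []
    for i in range(count):
        material = seed + day_iso.encode() + i.to_bytes(2, "big")
        digest = hashlib.sha256(material).digest()
        length = 8 + digest[0] % 5                          # labels of 8..12 letters
        label = "".join(chr(ord("a") + b % 26) for b in digest[1:1 + length])
        domains.append("%s.%s" % (label, TLDS[digest[-1] % len(TLDS)]))
    return domains


def upcoming_domains(start_iso, days):
    """Defender side: precompute every domain for `days` days from `start_iso`,
    keyed by ISO date, so they can be registered or sinkholed ahead of time."""
    start = date.fromisoformat(start_iso)
    schedule = {}
    for n in range(days):
        day_iso = (start + timedelta(days=n)).isoformat()
        schedule[day_iso] = daily_domains(day_iso)
    return schedule


def flag_dga_lookups(dns_log_lines, schedule):
    """Return {client: [qnames]} for clients whose queries hit a scheduled domain.

    Log line format (constructed for this example): "<timestamp> <client> <qname>".
    A trailing dot on the qname and mixed case are tolerated.
    """
    day_of = {dom: day for day, doms in schedule.items() for dom in doms}
    hits = {}
    for line in dns_log_lines:
        parts = line.split()
        if len(parts) != 3:
            continue                     # skip malformed lines rather than crash
        _, client, qname = parts
        qname = qname.lower().rstrip(".")
        if qname in day_of:
            hits.setdefault(client, []).append(qname)
    return hits


if __name__ == "__main__":
    schedule = upcoming_domains("2009-01-06", 3)
    # Constructed DNS log: one host querying two of the day's domains, one clean host.
    sample_log = [
        "2009-01-06T03:14:07 10.0.0.12 " + schedule["2009-01-06"][17],
        "2009-01-06T03:14:09 10.0.0.12 " + schedule["2009-01-06"][42],
        "2009-01-06T03:15:00 10.0.0.40 www.example.com",
    ]
    print(flag_dga_lookups(sample_log, schedule))
```

The precomputation is what reverses the asymmetry the post describes: as long as the generator is secret only the attackers know which domain to register, but once it is known, defenders can register or sinkhole the day's 250 domains before the attackers do, and a host that resolves several of them on the right day is a strong infection signal even when none of the lookups succeed.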

Security Intel Analysis Team | November 19th, 2008

Symantec is currently observing an increase in malicious applications that use USB flash drives as a propagation method. For readers who are not familiar with the term, a USB flash drive is a removable, portable storage device that connects to a computer through a USB (universal serial bus) port. USB ports are part of most modern computers and are designed to let many peripherals be connected easily (plug-and-play) through a standardized interface. USB flash drives are very useful and are becoming fairly ubiquitous in the workplace.

The USB flash drive storage medium is designed to be portable, making it easy to connect to many computers in its lifetime. This, unfortunately, exposes the flash drive to the risk of infection. There are many malicious applications that propagate...