
W32.Downadup

Risk Level 2: Low

Discovered:
November 21, 2008
Updated:
May 20, 2013 4:52:53 PM
Also Known As:
Win32/Conficker.A [Computer Associates], W32/Downadup.A [F-Secure], Conficker.A [Panda Software], Net-Worm.Win32.Kido.bt [Kaspersky], WORM_DOWNAD.AP [Trend], W32/Conficker [Norman]
Type:
Worm
Infection Length:
Varies
Systems Affected:
Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows Vista, Windows XP
CVE References:
CVE-2008-4250
1. Prevention and avoidance
1.1 User behavior and precautions
1.2 Patch operating system and software
1.3 Network shares
2. Infection method
2.1 Remotely exploitable vulnerability
2.2 Removable drives
2.3 Network shares
2.4 Universal Plug and Play
2.5 Peer-to-peer payload distribution
3. Functionality
3.1 Installation
3.2 System modifications
3.3 Network activity
3.4 Additional Functionality
4. Additional information



1. PREVENTION AND AVOIDANCE
The following actions can be taken to avoid or minimize the risk from this threat.


1.1 User behavior and precautions
Downadup uses AutoRun to spread. AutoRun is a Windows feature that allows an executable to run automatically when a drive is accessed. The worm copies itself, together with an accompanying configuration file called autorun.inf, to removable drives. Autorun.inf is a plain text file that specifies how the drive and its contents are displayed, along with options for executing a file on it. This means the worm is able to spread whenever an infected drive is inserted into another computer.

This feature should be disabled so that removable devices do not execute code when they are inserted into a computer. Note that AutoRun is disabled by default for non-optical removable drives in recent versions of Windows and on systems with certain updates applied.

Removable drives should also be disconnected when not required, and if write access is not needed, the drive's read-only mode should be enabled where the option is available.


1.2 Patch operating system and software
Users are advised to ensure that their operating systems and any installed software are fully patched, and that antivirus and firewall software are up to date and running. Users should turn on automatic updates where available so that their computers receive the latest patches as soon as they are released.

This threat is known to spread by exploiting a specific vulnerability. Installing the following patch will reduce the risk to your computer:

Microsoft Security Bulletin MS08-067


1.3 Network shares
This threat is also known to spread inside large networks by using shares. The following steps can help protect your computer against this threat.
  • Users are advised to ensure that all network shares are only opened when they are necessary for use.
  • Use a strong password to guard any shared folders or accounts. A strong password is at least 8 characters long and combines numeric, upper-case, lower-case and symbol characters. Common words from everyday language should not be used, as they are easily defeated by a dictionary attack.



2. INFECTION METHOD
W32.Downadup is one of the most prolific worms of recent times: when the first variant appeared it spread rapidly, possibly to more than 500,000 computers.


2.1 Remotely exploitable vulnerability
It uses a remote procedure call (RPC) exploit as its main propagation vector. The exploit is only effective against computers that have not applied the patch for the Microsoft Windows Server Service RPC Handling Remote Code Execution Vulnerability (BID 31874), and it targets TCP port 445. An already-infected computer runs an HTTP server on a random port, for example:
http://[EXTERNAL IP ADDRESS OF INFECTED MACHINE]:[RANDOM PORT]/[RANDOM STRING]

The worm embeds this URL in the exploit payload it sends to target computers. Upon successful exploitation, the target connects back to this URL and downloads the worm.

In addition, exploiting the vulnerability reliably requires knowledge of both the operating system (OS) version (e.g. Windows XP vs. Windows 2003) and the language of the targeted computer.



The threat determines the version of Windows the remote host is running by fingerprinting the remote host by sending an SMB Session Setup Request. It then determines the language by using IP geo-location. By looking up the remote machine's IP address in the geo-location information, Downadup is able to match the IP address to a country and then maps that country to a particular language. Downadup's geo-location data appears more effective for certain countries, such as China and Argentina.

People using illegal copies of Windows are more likely to have disabled automatic updates from Microsoft, and it is unlikely that many of these users manually install critical updates such as MS08-067 (the update for the Microsoft Windows Server Service RPC Handling Remote Code Execution Vulnerability). This increases the number of computers that can be infected.

However, a limiting factor to its success was that the propagation routine depended on a publicly available GeoIP data file used to determine IP location. When the GeoIP service provider removed the file from the location the worm fetched it from, the worm could no longer spread as rapidly, and its propagation was largely reduced to local networks that were already infected.



To circumvent this minor setback, the Downadup authors created a new variant, W32.Downadup.B, which built the missing GeoIP capability into the worm itself. They also added the ability to copy itself to removable drives and to network shares protected by weak passwords, and to use Universal Plug and Play to pass through routers and gateways.


2.2 Removable drives
Downadup copies itself to removable drives as a random file name and also copies an autorun.inf file to the drive so that it runs every time the drive is inserted into a computer. It also uses a social engineering technique to trick the user into running the file. The malware author makes the executable worm file look like an innocent folder. Unsuspecting users will then double click on the folder icon thinking that it indeed is a folder, rather than the executable file that it is.



Most users simply double-click the first option in the AutoPlay dialog that appears when they insert a removable drive, without reading it carefully. Even savvy users who do read the dialog carefully may still be misled into thinking they are opening a folder rather than running a file.
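The following is an added example, not code from the Symantec writeup or from the worm: a small triage routine a responder can run over an autorun.inf pulled from a suspect drive. It tolerates filler lines (the writeup does not give the worm's exact autorun.inf, and files from infected drives are often padded with junk), then flags the patterns described above: an open= or shellexecute= action that launches code, an action= label imitating the Windows "Open folder to view files" prompt, and an icon borrowed from shell32.dll so the entry looks like a folder. Both sample files are constructed, and the DLL name and entry point in them are invented placeholders.

```python
"""Triage an autorun.inf from a removable drive for Downadup-style tricks.

Added example; not code from the writeup or the worm. The shell32 folder-icon
trick and the .dll,entrypoint launch are assumptions about how the folder
disguise is achieved; the writeup only says the worm makes its file look like a
folder and that autorun.inf controls display and execution.
"""
import re

SECTION_RE = re.compile(r"^\s*\[([^\]]+)\]\s*$")
KEY_RE = re.compile(r"^\s*([A-Za-z0-9_\\]+)\s*=\s*(.*?)\s*$")
# Extensions that mean "run this" when they appear in open= or shellexecute=.
EXEC_EXT = re.compile(r"\.(exe|dll|scr|pif|bat|cmd|com|vbs)\b", re.I)

# Constructed: what a drive seeded by the worm might carry. The ";..." lines
# stand in for filler; zkqpvx.dll and abcdef are placeholders, not indicators.
SAMPLE_AUTORUN = """\
[autorun]
;pqZkTw
icon=%SystemRoot%\\system32\\shell32.dll,4
;xQzPmm
shellexecute=rundll32.exe zkqpvx.dll,abcdef
action=Open folder to view files
"""

# Constructed: a benign autorun.inf such as a camera or installer CD might use.
BENIGN_AUTORUN = """\
[autorun]
label=Holiday photos
icon=camera.ico
"""


def parse_autorun(text):
    """Return {key: value} from the [autorun] section, case-folding keys and
    skipping any line that is not a key=value pair (filler, comments)."""
    entries, in_autorun = {}, False
    for line in text.splitlines():
        sec = SECTION_RE.match(line)
        if sec:
            in_autorun = sec.group(1).strip().lower() == "autorun"
            continue
        if not in_autorun:
            continue
        kv = KEY_RE.match(line)
        if kv:
            entries[kv.group(1).lower()] = kv.group(2)
    return entries


def triage_autorun(text):
    """Return a list of human-readable findings; an empty list means nothing
    in the file matched the patterns described in the writeup."""
    e = parse_autorun(text)
    findings = []
    for key in ("open", "shellexecute", "shell\\open\\command"):
        value = e.get(key, "")
        if value and (EXEC_EXT.search(value) or "rundll32" in value.lower()):
            findings.append(f"{key}= launches code: {value}")
    action = e.get("action", "")
    if "open folder" in action.lower() or "view files" in action.lower():
        findings.append(f"action= imitates the Windows folder prompt: {action}")
    icon = e.get("icon", "")
    if "shell32.dll" in icon.lower():
        findings.append(f"icon= borrows a system icon to look like a folder: {icon}")
    return findings


if __name__ == "__main__":
    for name, sample in (("sample", SAMPLE_AUTORUN), ("benign", BENIGN_AUTORUN)):
        print(name, triage_autorun(sample) or "clean")
```

The parser deliberately does not use configparser in strict mode: junk lines without an equals sign would make it raise, and discarding the file on a parse error is exactly what an attacker padding the file hopes for.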


2.3 Network shares
Downadup attempts to copy itself to other machines using the administrative network share (ADMIN$) that exists by default on Microsoft Windows machines. It enumerates all of the servers in the network by making a NetServerEnum request, which returns all of the visible Windows machines on the network. Downadup then attempts to infect each of these machines.

To authenticate, the credentials of the locally logged-on user are tried first. If that fails, Downadup begins trying different user name and password pairs.

The remote server is queried for all of the user names available. Fortunately, most Windows XP and later systems will not provide this information by default; in those cases the user names on the local machine are used instead. The worm then tries to connect to the remote server with each user name and a variety of passwords that include the user name, the user name concatenated with itself (e.g. joesmithjoesmith), the user name reversed (e.g. htimseoj), and the following common passwords:
  • 000
  • 0000
  • 00000
  • 0000000
  • 00000000
  • 0987654321
  • 111
  • 1111
  • 11111
  • 111111
  • 1111111
  • 11111111
  • 123
  • 123123
  • 12321
  • 123321
  • 1234
  • 12345
  • 123456
  • 1234567
  • 12345678
  • 123456789
  • 1234567890
  • 1234abcd
  • 1234qwer
  • 123abc
  • 123asd
  • 123qwe
  • 1q2w3e
  • 222
  • 2222
  • 22222
  • 222222
  • 2222222
  • 22222222
  • 321
  • 333
  • 3333
  • 33333
  • 333333
  • 3333333
  • 33333333
  • 4321
  • 444
  • 4444
  • 44444
  • 444444
  • 4444444
  • 44444444
  • 54321
  • 555
  • 5555
  • 55555
  • 555555
  • 5555555
  • 55555555
  • 654321
  • 666
  • 6666
  • 66666
  • 666666
  • 6666666
  • 66666666
  • 7654321
  • 777
  • 7777
  • 77777
  • 777777
  • 7777777
  • 77777777
  • 87654321
  • 888
  • 8888
  • 88888
  • 888888
  • 8888888
  • 88888888
  • 987654321
  • 999
  • 9999
  • 99999
  • 999999
  • 9999999
  • 99999999
  • a1b2c3
  • aaa
  • aaaa
  • aaaaa
  • abc123
  • academia
  • access
  • account
  • Admin
  • admin
  • admin1
  • admin12
  • admin123
  • adminadmin
  • administrator
  • anything
  • asddsa
  • asdfgh
  • asdsa
  • asdzxc
  • backup
  • boss123
  • business
  • campus
  • changeme
  • cluster
  • codename
  • codeword
  • coffee
  • computer
  • controller
  • cookie
  • customer
  • database
  • default
  • desktop
  • domain
  • example
  • exchange
  • explorer
  • file
  • files
  • foo
  • foobar
  • foofoo
  • forever
  • freedom
  • fuck
  • games
  • home
  • home123
  • ihavenopass
  • Internet
  • internet
  • intranet
  • job
  • killer
  • letitbe
  • letmein
  • login
  • Login
  • lotus
  • love123
  • manager
  • market
  • money
  • monitor
  • mypass
  • mypassword
  • mypc123
  • nimda
  • nobody
  • nopass
  • nopassword
  • nothing
  • office
  • oracle
  • owner
  • pass
  • pass1
  • pass12
  • pass123
  • passwd
  • password
  • Password
  • password1
  • password12
  • password123
  • private
  • public
  • pw123
  • q1w2e3
  • qazwsx
  • qazwsxedc
  • qqq
  • qqqq
  • qqqqq
  • qwe123
  • qweasd
  • qweasdzxc
  • qweewq
  • qwerty
  • qwewq
  • root
  • root123
  • rootroot
  • sample
  • secret
  • secure
  • security
  • server
  • shadow
  • share
  • sql
  • student
  • super
  • superuser
  • supervisor
  • system
  • temp
  • temp123
  • temporary
  • temptemp
  • test
  • test123
  • testtest
  • unknown
  • web
  • windows
  • work
  • work123
  • xxx
  • xxxx
  • xxxxx
  • zxccxz
  • zxcvb
  • zxcvbn
  • zxcxz
  • zzz
  • zzzz
  • zzzzz

Depending on the account lockout settings, multiple failed authentication attempts by the worm may result in those accounts becoming locked out. This symptom was commonly reported in networks with computers infected by Downadup.

If successful, the worm copies itself to the share as the following file:
[SHARE NAME]\ADMIN$\System32\[RANDOM FILE NAME].dll
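The following is an added example, not code from the writeup or the worm. It rebuilds the per-account guess list from the rules just described (user name, user name twice, user name reversed, then the fixed list; only an excerpt of that list is embedded) to show why the lockout symptom appears, and then runs a detection for that symptom over failed-logon records of the kind a Security log export yields. The records are constructed, and the (timestamp, source, account) shape is an assumption about the export format, not something the writeup describes.

```python
"""Why Downadup's share spreading locks accounts out, and how to spot it.

Added example; not code from the writeup or the worm. COMMON_PASSWORDS is an
excerpt of the list in the writeup; FAILED_LOGONS is constructed sample data.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Excerpt of the fixed password list from the writeup (the full list is above).
COMMON_PASSWORDS = [
    "000", "0000", "111", "1111", "123", "1234", "12345", "123456", "123456789",
    "1234567890", "abc123", "admin", "Admin", "admin123", "administrator",
    "changeme", "letmein", "nopass", "pass", "password", "Password", "password1",
    "password123", "qwerty", "root", "secret", "temp", "test", "test123", "windows",
]


def guesses_for(username):
    """Ordered, de-duplicated passwords the worm would try for one account."""
    derived = [username, username * 2, username[::-1]]
    seen, out = set(), []
    for pw in derived + COMMON_PASSWORDS:
        if pw not in seen:
            seen.add(pw)
            out.append(pw)
    return out


def would_be_guessed(username, password):
    """True if this credential falls to the mutations or the list excerpt."""
    return password in guesses_for(username)


def locks_out(username, lockout_threshold):
    """True if the worm's guess count alone reaches the lockout threshold
    (0 means lockout is disabled in Windows account policy)."""
    return lockout_threshold > 0 and len(guesses_for(username)) >= lockout_threshold


def _burst(src, account, start, count, step_s):
    """Constructed failed logons: count records from src against account."""
    t0 = datetime.fromisoformat(start)
    return [(t0 + timedelta(seconds=i * step_s), src, account) for i in range(count)]


# Constructed: one host hammering two accounts, one user mistyping slowly.
FAILED_LOGONS = (
    _burst("10.0.0.23", "joesmith", "2009-01-14T09:00:00", 12, 2)
    + _burst("10.0.0.23", "admin", "2009-01-14T09:01:00", 11, 2)
    + _burst("10.0.0.50", "alice", "2009-01-14T09:00:00", 3, 300)
)


def guessing_sources(records, window_s=60, min_failures=10):
    """Map source -> accounts that took >= min_failures failed logons from that
    source inside any window_s-second window (sliding window per pair)."""
    times_by_pair = defaultdict(list)
    for ts, src, account in records:
        times_by_pair[(src, account)].append(ts)
    hits = defaultdict(set)
    span = timedelta(seconds=window_s)
    for (src, account), times in times_by_pair.items():
        times.sort()
        left = 0
        for right, t in enumerate(times):
            while t - times[left] > span:
                left += 1
            if right - left + 1 >= min_failures:
                hits[src].add(account)
                break
    return {src: sorted(accounts) for src, accounts in hits.items()}


if __name__ == "__main__":
    print(guesses_for("joesmith")[:3], len(guesses_for("joesmith")), "guesses")
    print(guessing_sources(FAILED_LOGONS))
```

With the full list the worm makes well over two hundred attempts per account, so any lockout threshold in normal use is exceeded on the first pass; the detection therefore keys on the burst rate per (source, account) pair rather than on the lockout events themselves, which arrive only after the damage is done.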




2.4 Universal Plug and Play
As detailed above, Downadup infects other machines through a remote procedure call (RPC) exploit against the Microsoft Windows Server Service RPC Handling Remote Code Execution Vulnerability, which requires a direct connection to the vulnerable computer. However, many home users today sit behind routers, firewalls or other Internet gateway devices that by default prevent external machines from connecting to their home machines, and so prevent infection by Downadup.

To bypass this issue, Downadup uses the Universal Plug-and-Play (UPnP) protocol. The UPnP protocol is supported by default in many common gateway devices that are in use in home user environments. Downadup utilizes UPnP's discovery protocol, which is based on the Simple Service Discovery Protocol (SSDP). The discovery protocol allows machines on the network to find gateway devices that are also on the network.

As part of SSDP, Downadup sends an M-SEARCH request to the multicast address 239.255.255.250 on UDP port 1900 and then listens for responses.

Here is an example of the contents of an M-SEARCH request packet:

M-SEARCH * HTTP/1.1
HOST: 239.255.255.250:1900
ST: urn:schemas-upnp-org:device:InternetGatewayDevice:1
MAN: "ssdp:discover"
MX: 3

If a matching device exists on the network, the device will respond with a message that contains an additional URL that provides information about the device and the services the device supports. After verifying the device is suitable, Downadup sends a request to ensure the device is currently connected on the external wide area network (WAN) interface.

Next, it sends a command to the device to obtain the external IP address. Finally, Downadup creates a new port forwarding entry: it attempts to use port 80 as the external port, while the internal port is randomly generated. If the configuration change fails, two more attempts are made with a randomly generated external port between 1024 and 10000. Once a mapping has been established, it facilitates delivery of the worm payload to the machine behind the gateway.
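The following is an added example, not code from the writeup or the worm, that builds and parses the exchange described in this section offline. build_msearch() emits the discovery datagram quoted above; parse_ssdp_response() pulls the LOCATION URL from a gateway's reply (the reply is constructed); external_port_attempts() reproduces the port choice described (80 first, then two random external ports in 1024-10000); build_add_port_mapping() forms the request that creates the forwarding entry; and suspicious_mapping() is a defender's check over such a request, or over mappings read back from a gateway. WANIPConnection:1 and AddPortMapping are the standard Internet Gateway Device service and action; the writeup does not say which the worm called, so treating them as the worm's exact calls is an assumption. Nothing here touches the network.

```python
"""The UPnP gateway exchange described above, built and parsed offline.

Added example; not code from the writeup or the worm. SAMPLE_REPLY is a
constructed gateway response; the address and path in it are invented.
"""
import random
import re

SSDP_HOST, SSDP_PORT = "239.255.255.250", 1900
IGD_ST = "urn:schemas-upnp-org:device:InternetGatewayDevice:1"
WANIP = "urn:schemas-upnp-org:service:WANIPConnection:1"  # standard IGD service (assumed)

SAMPLE_REPLY = (
    b"HTTP/1.1 200 OK\r\n"
    b"CACHE-CONTROL: max-age=1800\r\n"
    b"LOCATION: http://192.168.1.1:49152/rootDesc.xml\r\n"
    b"ST: urn:schemas-upnp-org:device:InternetGatewayDevice:1\r\n"
    b"USN: uuid:00000000-0000-0000-0000-000000000000::urn:schemas-upnp-org:device:InternetGatewayDevice:1\r\n"
    b"\r\n"
)


def build_msearch(mx=3):
    """Discovery datagram from the writeup, with the CRLF endings SSDP requires."""
    return (
        "M-SEARCH * HTTP/1.1\r\n"
        f"HOST: {SSDP_HOST}:{SSDP_PORT}\r\n"
        f"ST: {IGD_ST}\r\n"
        'MAN: "ssdp:discover"\r\n'
        f"MX: {mx}\r\n"
        "\r\n"
    ).encode()


def parse_ssdp_response(data):
    """Headers of a 200 SSDP reply as a lower-cased dict; None for anything else."""
    lines = data.decode(errors="replace").split("\r\n")
    if not lines[0].startswith("HTTP/1.1 200"):
        return None
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return headers


def external_port_attempts(seed=None):
    """External ports tried in order: 80, then two random fallbacks in 1024-10000."""
    rng = random.Random(seed)
    return [80, rng.randint(1024, 10000), rng.randint(1024, 10000)]


def build_add_port_mapping(internal_host, external_port, internal_port):
    """SOAP body for the IGD AddPortMapping action (TCP, permanent lease)."""
    return (
        '<?xml version="1.0"?>'
        '<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" '
        's:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body>'
        f'<u:AddPortMapping xmlns:u="{WANIP}">'
        "<NewRemoteHost></NewRemoteHost>"
        f"<NewExternalPort>{external_port}</NewExternalPort>"
        "<NewProtocol>TCP</NewProtocol>"
        f"<NewInternalPort>{internal_port}</NewInternalPort>"
        f"<NewInternalClient>{internal_host}</NewInternalClient>"
        "<NewEnabled>1</NewEnabled>"
        "<NewPortMappingDescription></NewPortMappingDescription>"
        "<NewLeaseDuration>0</NewLeaseDuration>"
        "</u:AddPortMapping></s:Body></s:Envelope>"
    )


FIELD_RE = re.compile(r"<New(ExternalPort|InternalPort|InternalClient)>(.*?)</New\1>")


def suspicious_mapping(soap_body, known_servers=()):
    """Heuristic from the behaviour above: a mapping to a host that is not a
    known server, whose internal port is a high port different from the
    external one, looks like a worm-created bridge rather than a service."""
    fields = dict(FIELD_RE.findall(soap_body))
    external = int(fields.get("ExternalPort", 0))
    internal = int(fields.get("InternalPort", 0))
    host = fields.get("InternalClient", "")
    return host not in known_servers and internal >= 1024 and internal != external


if __name__ == "__main__":
    print(build_msearch().decode())
    print(parse_ssdp_response(SAMPLE_REPLY)["location"])
    print(external_port_attempts(seed=1))
```

The check is intentionally narrow: it says nothing about a mapping whose internal and external ports match, so on a home gateway the safer control is to disable UPnP altogether rather than to audit its mapping table.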




2.5 Peer-to-peer payload distribution
The worm uses a (potentially inefficient) peer-to-peer (P2P) mechanism to share files between infections. As part of this process, Downadup patches the RPC vulnerability in memory and uses that patch to recognise incoming exploit attempts from other Downadup-infected machines. The worm analyses the incoming shellcode and checks whether it matches its own exploit shellcode. If it matches, information is extracted from the shellcode that allows the worm to connect back to the other infected machine over HTTP on a randomly selected port. The other infected machine then responds with a packet of data consisting of the payload files.

Downadup can transfer multiple payload files using this mechanism. Each is possibly encrypted (or at least digitally signed) and contains a header containing a file identifier and a date timestamp. The file identifier allows the worm to check if it already knows about this file and determine if it needs to be updated. The date timestamp is used as an expiration date and if the file is past its expiration date, it is discarded. The payload files are continually reviewed and those that are past their expiration are culled. These payload files are then saved in the registry and provided when other peers request them as well as allowing the payload files to be maintained when the compromised computer restarts. These payload files can then either be saved to disk and executed or loaded directly to memory. Thus, additional payload files can end up being executed with no files hitting the disk.





3. FUNCTIONALITY

Note: Side effects created by associated threats are not included in this report.


3.1 Installation
When Downadup is executed, it creates one or more of the following files, depending on the variant:
  • %Temp%\[RANDOM FILE NAME].exe
  • %ProgramFiles%\Internet Explorer\[RANDOM FILE NAME].dll
  • %ProgramFiles%\Movie Maker\[RANDOM FILE NAME].dll
  • %System%\[RANDOM FILE NAME].dll
  • %Temp%\[RANDOM FILE NAME].dll
  • C:\Documents and Settings\All Users\Application Data\[RANDOM FILE NAME].dll
  • %System%\000[RANDOM FILE NAME].tmp
  • %Temp%\[CLSID 3]\[NUMBER].tmp

Note:
  • [CLSID 3] is generated from the serial number of the compromised computer and hence will vary.
  • [NUMBER] is a decimal number between 0 and 63 inclusive.

The worm also creates the following registry entry so that it runs every time Windows starts:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"[RANDOM CHARACTERS]" = "rundll32.exe [RANDOM DLL FILE NAME], [RANDOM PARAMETER STRING]"

It then drops the following file and runs it as a randomly named service driver:
%System%\0[RANDOM FILE NAME].tmp

The driver modifies the following file in order to increase the number of concurrent network connections available on the compromised computer:
%System%\drivers\tcpip.sys

The worm also modifies the following registry entry so that the worm spreads more rapidly across a network:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\"TcpNumConnections" = "00FFFFFE"


3.2 System modifications
The following side effects may be observed on computers compromised by members of this threat family.


Files/folders created
One or more of the following files:
  • %Temp%\[RANDOM FILE NAME].exe
  • %ProgramFiles%\Internet Explorer\[RANDOM FILE NAME].dll
  • %ProgramFiles%\Movie Maker\[RANDOM FILE NAME].dll
  • %System%\[RANDOM FILE NAME].dll
  • %Temp%\[RANDOM FILE NAME].dll
  • C:\Documents and Settings\All Users\Application Data\[RANDOM FILE NAME].dll
  • %System%\000[RANDOM FILE NAME].tmp
  • %Temp%\[CLSID 3]\[NUMBER].tmp

Note:
  • [CLSID 3] is generated from the serial number of the compromised computer and hence will vary.
  • [NUMBER] is a decimal number between 0 and 63 inclusive.


Files/folders deleted

None


Files/folders modified
%System%\drivers\tcpip.sys


Registry subkeys/entries created
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"[RANDOM CHARACTERS]" = "rundll32.exe "[RANDOM DLL FILE NAME]", [RANDOM PARAMETER STRING]"
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\[RANDOM CHARACTERS]\"ImagePath" = "%System%\svchost.exe -k netsvcs"
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\[RANDOM CHARACTERS]\Parameters\"ServiceDll" = "[PATH TO THE THREAT]"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CurrentVersion\Applets\"ds" = [ENCRYPTED DLL]
  • HKEY_CURRENT_USER\Software\Microsoft\CurrentVersion\Applets\"ds" = [ENCRYPTED DLL]
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\netsvcs\Parameters\"ServiceDll" = "[PATH TO WORM]"
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Applets\"dl" = "0"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Applets\"dl" = "0"
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Applets\"ds" = "0"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Applets\"ds" = "0"
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\[WORM GENERATED SERVICE NAME]\Parameters\"ServiceDll" = "[PATH TO WORM]"
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\[WORM GENERATED SERVICE NAME]\"ImagePath" = "%SystemRoot%\system32\svchost.exe -k netsvcs"
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\[CLSID 1]
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\[CLSID 1]
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\[CLSID 2]\"[WORD 1][WORD 2]" = "[BINARY DATA]"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\[CLSID 2]\"[WORD 1][WORD 2]" = "[BINARY DATA]"
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\[WORM GENERATED SERVICE NAME]\"Type" = "4"
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\[WORM GENERATED SERVICE NAME]\"Start" = "4"
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\[WORM GENERATED SERVICE NAME]\"ErrorControl" = "4"

Note:
  • [CLSID 1] is generated from the serial number of the compromised computer and hence will vary.
  • [CLSID 2] is generated from the serial number of the compromised computer and hence will vary.
  • See W32.Downadup.C for the list that [WORD 1] and [WORD 2] are randomly selected from. Several such values, each with a different word pair, may be created under [CLSID 2].
  • [WORM GENERATED SERVICE NAME] represents a two word combination taken from a list of the following words:
    • Boot
    • Center
    • Config
    • Driver
    • Helper
    • Image
    • Installer
    • Manager
    • Microsoft
    • Monitor
    • Network
    • Security
    • Server
    • Shell
    • Support
    • System
    • Task
    • Time
    • Universal
    • Update
    • Windows


Registry subkeys/entries deleted

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\explorer\ShellServiceObjects\{FD6905CE-952F-41F1-9A6F-135D9C6622CC}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"Windows Defender"


Registry subkeys/entries modified (final values given)
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\explorer\Advanced\Folder\Hidden\SHOWALL\"CheckedValue" = "0"
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\"TcpNumConnections" = "00FFFFFE"
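The following is an added example, not code from the writeup, that turns the persistence artefacts listed in 3.1 and 3.2 into a hunt over exported registry data. It works on (key, value name, data) triples, the shape a flattened reg.exe export takes, so it runs offline, and looks for three things: a service hosted by "svchost.exe -k netsvcs" whose name is two words from the list above and whose ServiceDll sits in one of the drop directories; a Services\netsvcs\Parameters\ServiceDll value; and an HKCU Run entry that starts a DLL from a drop directory via rundll32. The sample triples are constructed, and the expansion of %System%, %ProgramFiles% and %Temp% to concrete paths assumes a default Windows XP layout.

```python
"""Hunt the persistence described in sections 3.1 and 3.2 in exported registry data.

Added example; not code from the writeup. SAMPLE_ENTRIES is constructed; every
file and service name in it is a placeholder, not a real indicator.
"""
import re

SERVICE_WORDS = {
    "Boot", "Center", "Config", "Driver", "Helper", "Image", "Installer", "Manager",
    "Microsoft", "Monitor", "Network", "Security", "Server", "Shell", "Support",
    "System", "Task", "Time", "Universal", "Update", "Windows",
}

# Drop directories from the writeup after expansion (lower-case, no trailing slash).
DROP_DIRS = {
    r"c:\windows\system32",
    r"c:\program files\internet explorer",
    r"c:\program files\movie maker",
    r"c:\documents and settings\all users\application data",
}
# Assumed XP defaults for the environment variables the writeup uses.
ENV = (
    ("%systemroot%", r"c:\windows"),
    ("%system%", r"c:\windows\system32"),
    ("%programfiles%", r"c:\program files"),
    ("%temp%", r"c:\documents and settings\user\local settings\temp"),
)
SERVICE_KEY_RE = re.compile(
    r"^(?:hklm|hkey_local_machine)\\system\\currentcontrolset\\services\\([^\\]+)(?:\\parameters)?$", re.I)
RUN_KEY_RE = re.compile(
    r"^(?:hkcu|hkey_current_user)\\software\\microsoft\\windows\\currentversion\\run$", re.I)
RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?\s+"?([^",]+?\.dll)"?', re.I)


def expand(path):
    """Lower-case a path and replace the environment variables we know about."""
    p = path.strip().strip('"').lower()
    for var, value in ENV:
        p = p.replace(var, value)
    return p


def in_drop_dir(path):
    """True if the file's directory is one the writeup lists as a drop location."""
    directory = expand(path).rsplit("\\", 1)[0]
    return directory in DROP_DIRS or directory.endswith(r"\local settings\temp")


def two_worm_words(name):
    """True if name is exactly two words from the list, e.g. NetworkHelper."""
    return any(name.startswith(w) and name[len(w):] in SERVICE_WORDS for w in SERVICE_WORDS)


def hunt(entries):
    """Return findings (strings) for an iterable of (key, value_name, data)."""
    services, findings = {}, []
    for key, value_name, data in entries:
        svc = SERVICE_KEY_RE.match(key)
        if svc:
            services.setdefault(svc.group(1), {})[value_name] = data
        elif RUN_KEY_RE.match(key):
            dll = RUNDLL_RE.search(data)
            if dll and in_drop_dir(dll.group(1)):
                findings.append(f"Run value '{value_name}' loads {dll.group(1)} via rundll32")
    for name, values in services.items():
        image = expand(values.get("ImagePath", ""))
        dll = values.get("ServiceDll", "")
        if name.lower() == "netsvcs" and dll:
            findings.append(f"Services\\netsvcs\\Parameters\\ServiceDll set to {dll}")
        elif "svchost.exe -k netsvcs" in image and dll and in_drop_dir(dll) and two_worm_words(name):
            findings.append(f"service '{name}' runs {dll} inside netsvcs")
    return findings


# Constructed export: one worm-style service, one real-looking service,
# one worm-style Run value, one ordinary Run value.
SAMPLE_ENTRIES = [
    (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetworkHelper", "ImagePath",
     r"%SystemRoot%\system32\svchost.exe -k netsvcs"),
    (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetworkHelper\Parameters", "ServiceDll",
     r"C:\WINDOWS\system32\qxkzpd.dll"),
    (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv", "ImagePath",
     r"%SystemRoot%\system32\svchost.exe -k netsvcs"),
    (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\Parameters", "ServiceDll",
     r"%SystemRoot%\system32\wuauserv.dll"),
    (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run", "hzpqw",
     r'rundll32.exe "C:\Program Files\Movie Maker\ksdjwq.dll", abcde'),
    (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run", "ctfmon.exe",
     r"C:\WINDOWS\system32\ctfmon.exe"),
]

if __name__ == "__main__":
    for finding in hunt(SAMPLE_ENTRIES):
        print(finding)
```

%System% on its own is not a signal, since every legitimate netsvcs DLL lives there; the two-word name rule carries the weight for the service check, which means a variant that picks names outside the list above will slip through, so the Run-key and netsvcs\Parameters checks are kept independent of it.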

3.3 Network Activity
The threat may perform the following network activities.


Downloading
The worm generates a list of domain names in the following format:
[GENERATED DOMAIN NAME].[TOP LEVEL DOMAIN]

Note:
  • [GENERATED DOMAIN NAME] represents the domain names created by the worm, which changes on a daily basis. See W32.Downadup.B for an example.
  • [TOP LEVEL DOMAIN] represents the following top level domains:
    • .biz
    • .info
    • .org
    • .net
    • .com
    • .ws
    • .cn
    • .cc

The worm then contacts the following remote location based on the domain names generated:
http://[GENERATED DOMAIN NAME].[TOP LEVEL DOMAIN]/search?q=%d

It will then download an updated copy of itself from the above remote location.

Initial variants of Downadup generated up to 250 domains each day to contact for commands and updates. When it became clear that this number was small enough for the IT security industry to block and monitor them all, the creators of Downadup changed their approach.

Later variants of the threat (W32.Downadup.C and later) use a domain generation algorithm that produces 50,000 domains a day across 116 possible domain suffixes. The pseudo-random number generator (PRNG) relies on a seed value that is the same on all infected systems on a given day. The seed is derived through a set of 64-bit arithmetic operations from static values and the numeric values of the current year, month and day; the static values are three constants used respectively as multiplier (M), divisor (D) and additive (A) constant. The PRNG routine itself is a 200-byte piece of code that performs floating-point operations and uses a second hard-coded internal multiplier (M2).

Although the set of domains the worm might contact on a given day could still be computed in advance, defending against it became harder simply because of the volume: it is impractical to actively monitor or block 50,000 domains every day.
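The following is an added example, not code from the writeup. The writeup gives the worm's TLD set and daily volumes but not the generator's constants, so the example does not regenerate the domains; instead it measures, per client per day, how many distinct registered domains under those TLDs were queried and what fraction of those queries came back NXDOMAIN (most generated names are never registered), and flags clients above both thresholds. The log lines are constructed, and the "<ISO timestamp> <client> <qname> <rcode>" layout is an assumption about the resolver's log format, not something the writeup describes.

```python
"""Hunting Downadup-style domain generation in DNS logs.

Added example; not code from the writeup. constructed_log() builds sample
data; the thresholds are starting points, not values the writeup gives.
"""
import random
import re
import string
from collections import defaultdict

WORM_TLDS = {"biz", "info", "org", "net", "com", "ws", "cn", "cc"}
LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2})T\S+\s+(\S+)\s+(\S+)\s+(\w+)$")


def registered_domain(qname):
    """Last two labels of a name. Adequate here because every TLD the worm
    uses is a single label (this would be wrong for suffixes like co.uk)."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else None


def dga_suspects(lines, min_domains=40, min_nx_ratio=0.8):
    """Return {(client, day): (distinct_domains, nxdomain_ratio)} for clients
    whose lookups under the worm's TLDs look machine-generated."""
    stats = defaultdict(lambda: {"domains": set(), "nx": 0, "total": 0})
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not a query line in the assumed layout
        day, client, qname, rcode = m.groups()
        dom = registered_domain(qname)
        if dom is None or dom.rsplit(".", 1)[1] not in WORM_TLDS:
            continue
        rec = stats[(client, day)]
        rec["domains"].add(dom)
        rec["total"] += 1
        if rcode.upper() == "NXDOMAIN":
            rec["nx"] += 1
    suspects = {}
    for key, rec in stats.items():
        distinct = len(rec["domains"])
        ratio = rec["nx"] / rec["total"]
        if distinct >= min_domains and ratio >= min_nx_ratio:
            suspects[key] = (distinct, round(ratio, 2))
    return suspects


def constructed_log(seed=7):
    """Constructed sample: one client resolving 60 pseudo-random names across
    the worm's TLDs (two happen to resolve), one client browsing normally."""
    rng = random.Random(seed)
    tlds = sorted(WORM_TLDS)
    lines = []
    for i in range(60):
        name = "".join(rng.choice(string.ascii_lowercase) for _ in range(rng.randint(5, 10)))
        rcode = "NOERROR" if i % 30 == 0 else "NXDOMAIN"
        lines.append(f"2009-01-14T09:00:{i:02d} 10.0.0.23 {name}.{tlds[i % len(tlds)]} {rcode}")
    for i, site in enumerate(["www.google.com", "cnn.com", "msn.com", "ebay.com", "w3.org"]):
        lines.append(f"2009-01-14T10:00:{i:02d} 10.0.0.50 {site} NOERROR")
    lines.append("# a comment line the parser must skip")
    return lines


if __name__ == "__main__":
    print(dga_suspects(constructed_log()))
```

The NXDOMAIN ratio is what separates a generating host from a busy one: a proxy or mail server can touch hundreds of .com domains a day, but almost all of them resolve. The check is blind to a variant whose TLD set differs from the list above, which is why the set is a module constant rather than hard-coded into the loop.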


Uploading
None


Other network activity
The worm periodically contacts the following sites to check the speed of the current Internet connection:
  • myspace.com
  • msn.com
  • ebay.com
  • cnn.com
  • aol.com

The worm also connects to one of the following sites to learn the external IP address of the compromised computer:
  • checkip.dyndns.com
  • checkip.dyndns.org
  • www.findmyip.com
  • www.findmyipaddress.com
  • www.ipaddressworld.com
  • www.ipdragon.com
  • www.myipaddress.com
  • www.whatsmyipaddress.com
  • www.getmyip.org
  • getmyip.co.uk

It also connects to the following Web sites to obtain the current date and time:
  • ask.com
  • baidu.com
  • facebook.com
  • google.com
  • imageshack.us
  • rapidshare.com
  • w3.org
  • yahoo.com
  • msn.com
  • aol.com
  • cnn.com
  • ebay.com
  • myspace.com


3.4 Additional Functionality

DNS Blocking
The worm prevents the compromised computer from accessing a variety of domains, mostly those of well-known security vendors and resources. It does this by monitoring DNS requests and blocking any request for a domain name that contains one of the following strings, so that the request appears to have timed out:
  • activescan
  • adware
  • agnitum
  • ahnlab
  • anti-
  • antivir
  • arcabit
  • avast
  • avg.
  • avgate
  • avira
  • avp.
  • av-sc
  • bdtools
  • bit9.
  • bothunter
  • ca.
  • castlecops
  • ccollomb
  • centralcommand
  • cert.
  • clamav
  • comodo
  • computerassociates
  • confick
  • coresecur
  • cpsecure
  • cyber-ta
  • defender
  • downad
  • doxpara
  • drweb
  • dslreports
  • emsisoft
  • enigma
  • esafe
  • eset
  • etrust
  • ewido
  • fortinet
  • f-prot
  • freeav
  • free-av
  • fsecure
  • f-secure
  • gdata
  • gmer.
  • grisoft
  • hackerwatch
  • hacksoft
  • hauri
  • honey
  • ikarus
  • insecure.
  • iv.cs.uni
  • jotti
  • k7computing
  • kaspersky
  • kav.
  • kido
  • llnw.
  • llnwd.
  • malware
  • mcafee
  • microsoft
  • mirage
  • mitre.
  • msdn.
  • msft.
  • msftncsi
  • ms-mvp
  • msmvps
  • mtc.sri
  • nai.
  • ncircle
  • networkassociates
  • nmap.
  • nod32
  • norman
  • norton
  • onecare
  • panda
  • pctools
  • precisesecurity
  • prevx
  • ptsecurity
  • qualys
  • quickheal
  • removal
  • rising
  • rootkit
  • safety.live
  • sans.
  • secunia
  • securecomputing
  • secureworks
  • snort
  • sophos
  • spamhaus
  • spyware
  • staysafe
  • sunbelt
  • symantec
  • technet
  • tenablese
  • threat
  • threatexpert
  • trendmicro
  • trojan
  • vet.
  • virscan
  • virus
  • wilderssecurity
  • windowsupdate


Disabling of security settings
The threat disables the following services:
  • BITS (a service that downloads and delivers Windows updates in the background)
  • ERSvc (the service that creates the error report sent to Microsoft)
  • WerSvc (the Windows Error Reporting Service)
  • WinDefend (a service for Windows Defender)
  • wscsvc (Windows Security Center Service that runs the Windows Security Center)
  • wuauserv (the on-demand Windows Update service)

It then lowers security settings by deleting the following registry entry, which prevents Windows Defender from starting automatically:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"Windows Defender"

Next, it disables Windows Security Alert notifications by deleting the following registry subkey:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\explorer\ShellServiceObjects\{FD6905CE-952F-41F1-9A6F-135D9C6622CC}


Distribution of fake antivirus software

The first Downadup variant had a payload delivery date of December 1, 2008, shortly after its initial release. It attempted to download its payload from trafficconverter.biz/4vir/antispyware/loadadv.exe. Although W32.Downadup was not able to download the payload because the site had been shut down, the owner of trafficconverter.biz was heavily involved in pushing misleading applications (also known as rogue antivirus products) onto compromised computers.

As the purpose of trafficconverter.biz (which is the same as traffic-converter.biz and, later, trafficconverter2.biz) was to recruit affiliates to help install misleading applications, it is clear that one of Downadup's purposes is to divert compromised computers to sites hosting misleading applications, from which Downadup's authors receive monetary rewards.


Distribution of other malware
Utilizing its peer-to-peer botnet, Downadup also distributes W32.Waledac onto compromised computers. As Waledac performs various malicious actions, there may be numerous motivations for distributing it but evidence suggests that Downadup may well be a botnet for hire.


Self-deletion
W32.Downadup.E removes itself from the system on or after May 3, 2009. It appears this variant’s only purpose is to distribute W32.Downadup.C and hence it deletes itself once it has accomplished this mission.



4. ADDITIONAL INFORMATION
For more information relating to this threat family, please see the following resources:

Recommendations

Symantec Security Response encourages all users and administrators to adhere to the following basic security "best practices":

  • Use a firewall to block all incoming connections from the Internet to services that should not be publicly available. By default, you should deny all incoming connections and only allow services you explicitly want to offer to the outside world.
  • Enforce a password policy. Complex passwords make it difficult to crack password files on compromised computers. This helps to prevent or limit damage when a computer is compromised.
  • Ensure that programs and users of the computer use the lowest level of privileges necessary to complete a task. When prompted for a root or UAC password, ensure that the program asking for administration-level access is a legitimate application.
  • Disable AutoPlay to prevent the automatic launching of executable files on network and removable drives, and disconnect the drives when not required. If write access is not required, enable read-only mode if the option is available.
  • Turn off file sharing if not needed. If file sharing is required, use ACLs and password protection to limit access. Disable anonymous access to shared folders. Grant access only to user accounts with strong passwords to folders that must be shared.
  • Turn off and remove unnecessary services. By default, many operating systems install auxiliary services that are not critical. These services are avenues of attack; if they are removed, threats have fewer avenues of attack.
  • If a threat exploits one or more network services, disable, or block access to, those services until a patch is applied.
  • Always keep your patch levels up-to-date, especially on computers that host public services and are accessible through the firewall, such as HTTP, FTP, mail, and DNS services.
  • Configure your email server to block or remove email that contains file attachments that are commonly used to spread threats, such as .vbs, .bat, .exe, .pif and .scr files.
  • Isolate compromised computers quickly to prevent threats from spreading further. Perform a forensic analysis and restore the computers using trusted media.
  • Train employees not to open attachments unless they are expecting them. Also, do not execute software that is downloaded from the Internet unless it has been scanned for viruses. Simply visiting a compromised Web site can cause infection if certain browser vulnerabilities are not patched.
  • If Bluetooth is not required for mobile devices, it should be turned off. If you require its use, ensure that the device's visibility is set to "Hidden" so that it cannot be scanned by other Bluetooth devices. If device pairing must be used, ensure that all devices are set to "Unauthorized", requiring authorization for each connection request. Do not accept applications that are unsigned or sent from unknown sources.
  • For further information on the terms used in this document, please refer to the Security Response glossary.
Writeup By: Jarrad Shearer