Editor’s Note: This is the sixth installment of a multi-part series on specific and interesting aspects of W32.Downadup.
Among other methods, Downadup infects other machines via a remote procedure call (RPC) exploit against the MS08-067 vulnerability. Using the vulnerability, the worm injects shellcode that connects back to the infecting machine. This is known as a back-connect. The back-connect works via HTTP on a randomly selected port and the infecting machine responds to incoming requests by providing the entire worm file. The shellcode receives this file and executes it on the remote host, causing it to then become infected.
However, many home users today use routers or other Internet gateway devices that by default prevent external machines from connecting their home machines, in addition to using network address translation (NAT). This would normally prevent Downadup’s shellcode from successfully completing infection because the back-connect would fail.
To bypass this issue, Downadup needs to perform three actions; determine if the machine is behind a gateway device, obtain the IP address on the outside interface of the gateway device (this is the IP that is visible to external machines), and also make sure incoming connection attempts to certain ports on the gateway device are passed through to the internal machine. This is known as port forwarding. Downadup uses the Universal Plug-and-Play (UPnP) protocol to achieve these tasks.
The UPnP protocol is supported by default in many common gateway devices that are in use in home user environments. To achieve the first task, Downadup harnesses UPnP’s discovery protocol, which is based on the Simple Service Discovery Protocol (SSDP). The discovery protocol allows machines on the network to find gateway devices that are also on the network.
As part of SSDP, Downadup sends an M-SEARCH request to the multicast address 18.104.22.168 on port 1900/udp and then listens for responses. The M-SEARCH request requires a header known as the search target (represented by “ST”) that represents the types of devices or services Downadup is looking for. These are represented by universal resource identifiers (URIs). Downadup looks for the following four devices or services:
4. upnp:rootdevice (represents all UPnP devices)
Below is an example of the contents of an M-SEARCH request packet:
If a matching device exists on the network, the device will respond with a message that contains an additional URL that provides information about the device and the services the device supports. After verifying the device is suitable, Downadup sends a UPnP GetStatusInfo request to ensure the device is currently connected on the external wide area network (WAN) interface. This completes the first requirement of determining the infected machine is behind a gateway device.
Next, an UPnP GetExternalIPAddress command is sent to the device to obtain the external IP address, completing the second requirement of having the IP address on the external interface. This is the IP address that is visible to other machines on the Internet.
Finally, Downadup needs to port forward incoming requests through the gateway and to itself on the internal machine. A port forwarding request requires a few parameters; the relevant ones in this case are the port forwarding entry description, the external listening port, and the internal IP and port to forward to.
The description for the port forwarding entry is generated from the Volume Serial Number and the Computer Name of the infected system. This forms a relatively unique description. Downadup sends the GetGenericPortMappingEntry command to the gateway device to enumerate all of the existing port forwarding entries in order to see if any of the descriptions match the generated description. If they match, the worm assumes they are prior entries created by itself and are deleted using the UPnP DeletePortMapping command.
A new port forwarding entry is then added using an AddPortMapping request. Downadup attempts to use port 80 for the external port and the internal port is randomly generated. If the configuration change fails, two more attempts will be made, but with a randomly generated external port number between 1024 and 10000.
This completes the process, allowing back-connects to be passed from the external network into the internal network. It therefore allows Downadup to successfully complete its infection in common home user scenarios.
Astute readers may have noted that while this procedure allows Downadup to infect other machines when it is behind a gateway device, machines behind their own gateway devices are still protected (if they are dropping RPC and other network traffic). Unfortunately, Downadup can be introduced into a private network through other replication means and once inside a private network is vigorous in infecting the entire local network.
Advanced users may wish to consult their gateway device manual and determine if they can disable UPnP to prevent undesired modifications to their gateway security.