Editor’s Note: This is the fifth installment of a multi-part series on specific and interesting aspects of W32.Downadup.
The ability of a threat to widely replicate often depends on its algorithm of finding other computers on the Internet, which are represented by an IP address. Downadup uses a variety of techniques to scan for new machines in order to maximize its infection abilities and at the same time minimize the chance of being noticed on a host.
Brute-force network scanning can cause noticeable slowdowns and network issues on the infected machine. Downadup attempts to limit its impact in two ways. Firstly, the worm contacts two well-known websites and calculates the computer’s average bandwidth, then uses this value to configure how many simultaneous remote procedure call (RPC) exploit scans are allowed at one time. Secondly, a pause—between 100 milliseconds and two seconds—is taken after each scan, depending on the type of scan and whether the computer is currently being used. (Downadup checks active usage by determining if a keystroke was made in the previous five minutes.)
Downadup attempts four different scans that are repeated in an infinite loop. It scans for machines on the same subnet; machines it has successfully infected previously; machines nearby those already infected; and randomly selected machines.
First, Downadup sequentially scans all the IPs in the same subnet of the infected machine, starting from the first IP in the subnet. This can include multiple subnets for multi-homed machines (machines with more than one IP address).
Next, Downadup attempts to exploit previously infected machines. This serves two purposes—one, to re-infect machines that may have been cleaned up and two, to initiate the peer-to-peer (P2P) communication channel to receive payload files (as described in the blog article Downadup: Peer-to-Peer Payload Distribution). The worm only remembers the last 100 successfully infected machines.
Then, Downadup begins generating random IP addresses to attack. In addition to what is likely a bug rather than a feature in the random generation routine, certain IP addresses are ruled out, thereby potentially excluding certain networks from attack. Downadup is only able to generate approximately a quarter of the four billion possible IP addresses, which limits its ability to reach certain IP addresses via the RPC exploit.
Finally, in parallel, Downadup will also scan machines near other machines that were successfully exploited. For each exploited machine, Downadup scans the class C-sized (/24) block of the IP address and the previous ten class C-sized (/24) blocks. For example, if the successfully exploited machine is 126.96.36.199, Downadup will scan the range 188.8.131.52 to 184.108.40.206.
Further, Downadup doesn’t scan every IP address in the calculated ranges. For example, invalid IP ranges such as 127.x.x.x or 169.254.x.x are skipped. But more importantly, Downadup carries a large blacklist of IP ranges that belong to security vendors. A snippet of the list is shown below.
By not attempting to exploit security vendors, Downadup potentially avoids honeypot systems. This blacklist is also used to reject back-connect attempts, preventing security vendors from contacting infected hosts and obtaining payload files.
Downadup will then refresh the list of IP addresses configured on the local machine. If any have changed since any of the related scans started, the scans will be terminated because the exploit is designed to connect back to the previously configured IP address.
Knowing what IP address to connect back to raises another issue for Downadup. With many home users behind wireless routers, firewalls, and using network address translation (NAT), many infected machines are normally not contactable from external machines. Downadup goes to great lengths to bypass these issues. We’ll investigate these techniques in a future blog article in this W32.Downadup series.