Editor’s Note: This is the seventh installment of a multi-part series on specific and interesting aspects of W32.Downadup.
While Downadup’s RPC exploit method of spreading has been highlighted in several recently posted blog articles, the worm spreads via other methods as well. One of the potentially more noticeable methods is through network shares, especially in enterprise environments.
Downadup attempts to copy itself to other machines using the administrative network share (ADMIN$) that exists by default on Microsoft Windows machines. However, copying itself to the share requires authentication. This requirement leads to some noticeable side effects.
Downadup first enumerates the servers on the network with a NetServerEnum request, which returns every Windows machine visible in the network browse list. It then attempts to infect each of those machines in turn.
To authenticate, Downadup first tries the credentials of the locally logged-on user. If those are rejected, it starts guessing username and password pairs.
The remote server is first queried for a list of its user accounts. Fortunately, most Windows XP and later systems do not hand out this information by default; when the query fails, Downadup falls back to the usernames present on the infected machine itself.
Rich with usernames, Downadup now tries to connect to the remote server with each username and a variety of passwords, including:
• The username
• The username concatenated together twice (e.g. joesmithjoesmith)
• The username reversed (e.g. htimseoj)
• Almost 250 common passwords such as “password”, “123”, and “admin”
Clever as this is, an immediate side effect of the password guessing is a rush of calls to enterprise IT helpdesks from users locked out of their accounts by a security policy that locks an account after several invalid logon attempts. The side effect is worse where Downadup can enumerate the existing usernames: lockouts can then hit every user in an organization at once, even if only a single user or machine is infected.
A snippet of some of the passwords used
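The guessing scheme above, and the race between a correct guess and the lockout threshold that the previous paragraph describes, as an added example. This is illustrative Python written for this page, not code from the worm or from Symantec's analysis. It assumes the guesses are tried in the order listed above (the page does not state the order) and uses only the three common passwords the page names in place of the worm's list of almost 250; the functions accept your own list so a password audit can be run against a fuller one.

```python
from typing import Iterable, List, Tuple

# The three common passwords named in the write-up. The worm's real list
# has almost 250 entries; pass your own list to audit against it.
COMMON_PASSWORDS: List[str] = ["password", "123", "admin"]


def downadup_candidates(username: str,
                        common: Iterable[str] = COMMON_PASSWORDS) -> List[str]:
    """Passwords the worm tries for `username`, in the order the write-up
    lists them (that order is an assumption). Duplicates, e.g. a palindromic
    username or a username that is itself on the common list, are dropped
    so that each guess is counted once."""
    derived = [username, username + username, username[::-1]]
    seen, out = set(), []
    for pw in derived + list(common):
        if pw not in seen:
            seen.add(pw)
            out.append(pw)
    return out


def is_guessable(username: str, password: str,
                 common: Iterable[str] = COMMON_PASSWORDS) -> bool:
    """True if `password` is one of the guesses the worm would make."""
    return password in downadup_candidates(username, common)


def guess_outcome(username: str, actual_password: str, lockout_threshold: int,
                  common: Iterable[str] = COMMON_PASSWORDS) -> Tuple[str, int]:
    """Simulate the worm guessing against one account.

    `lockout_threshold` is the policy's number of failed attempts before the
    account locks; 0 means no lockout policy. Returns one of
      ("guessed", n)    -- the n-th guess was correct, before any lockout
      ("locked_out", n) -- n failed guesses locked the account first
      ("exhausted", n)  -- all n guesses failed and no lockout occurred
    Note that the policy protects the account only by locking it, which is
    exactly the helpdesk side effect described above.
    """
    failures = 0
    for pw in downadup_candidates(username, common):
        if pw == actual_password:
            return ("guessed", failures + 1)
        failures += 1
        if lockout_threshold and failures >= lockout_threshold:
            return ("locked_out", failures)
    return ("exhausted", failures)


if __name__ == "__main__":
    # Constructed sample accounts, with a lockout policy of 5 bad attempts.
    for user, pw in [("joesmith", "htimseoj"), ("joesmith", "admin"),
                     ("joesmith", "correct horse battery staple")]:
        print(user, pw, guess_outcome(user, pw, lockout_threshold=5))
```

With a five-attempt lockout, the reversed username is found on the third guess, while "admin" (sixth in this shortened list) is never reached because the account locks first; that lockout, multiplied across every enumerated account, is the helpdesk flood.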
If Downadup guesses a password correctly before the account is locked out, it copies itself through the administrative share (ADMIN$) into the System32 directory on the remote machine under a random filename with a random extension. (Later, when the file is executed, it removes itself and re-copies itself under another random filename with the extension “DLL”.) The copy's file time is then set to match that of kernel32.dll, so that it does not stand out in a directory listing.
Once the file is on the remote machine, it still has to be executed. Downadup creates a scheduled job on the remote machine that runs the file at the next full hour, calculated from the local time of the infecting machine rather than the remote one. So, if the infecting machine's clock reads 2:36 PM, the remote machine gets a scheduled job at 3:00 PM to execute the file. Because the copied file is a DLL, execution happens through rundll32.exe.
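A hunt for the timestamp trick described above, as an added example (illustrative Python written for this page, not code from the original post): list the files in a directory whose modification time exactly matches kernel32.dll's. The demo directory, its file names and its timestamps are constructed. On a real System32, files installed in the same batch can legitimately share a timestamp, so treat matches as candidates to check against Authenticode signatures or known-good hashes rather than as verdicts, and compare creation time as well where the platform exposes it.

```python
import os
import shutil
import tempfile
from typing import List


def find_timestomped(directory: str, reference: str = "kernel32.dll") -> List[str]:
    """Return the names of regular files in `directory` (other than the
    reference file itself) whose modification time equals the reference
    file's to the nanosecond. Raises FileNotFoundError if the reference
    file is missing, which on a real System32 would itself be remarkable."""
    ref_mtime = os.stat(os.path.join(directory, reference)).st_mtime_ns
    matches = []
    with os.scandir(directory) as entries:
        for entry in entries:
            if not entry.is_file(follow_symlinks=False):
                continue
            if entry.name.lower() == reference.lower():
                continue
            if entry.stat(follow_symlinks=False).st_mtime_ns == ref_mtime:
                matches.append(entry.name)
    return sorted(matches)


def build_demo_dir(root: str) -> None:
    """Constructed stand-in for a System32 directory: a fake kernel32.dll,
    two other system files with different times, and one dropped file
    (random-looking name and extension, as the write-up describes) whose
    time has been copied from kernel32.dll. Names and times are made up."""
    kernel_time = 1_207_920_000_000_000_000  # arbitrary fixed ns timestamp
    files = {
        "kernel32.dll": kernel_time,
        "ntdll.dll": kernel_time - 3_600_000_000_000,     # one hour earlier
        "user32.dll": kernel_time + 86_400_000_000_000,   # one day later
        "xkqwe.zdf": kernel_time,                         # the timestomped drop
    }
    for name, mtime_ns in files.items():
        path = os.path.join(root, name)
        with open(path, "wb") as fh:
            fh.write(b"MZ")  # placeholder contents, not a real PE file
        os.utime(path, ns=(mtime_ns, mtime_ns))


def demo() -> List[str]:
    """Build the constructed directory in a temp location, run the hunt,
    clean up, and return the flagged file names."""
    root = tempfile.mkdtemp(prefix="sys32_demo_")
    try:
        build_demo_dir(root)
        return find_timestomped(root)
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    print(demo())
```

Pointed at a real machine, call find_timestomped on the System32 path and review the result set; a short list of unsigned files with random names is the signal, a long list of signed OS files is the expected noise.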
After all servers, usernames and passwords have been tried, Downadup waits 40 minutes and then starts over. Each pass can lock the same accounts out again, generating yet more IT helpdesk calls.
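A way to spot the pattern this behaviour leaves in the Security log, as an added example that is not part of the original post: a single source host failing logons against many distinct accounts within a short window. The log lines below are constructed for the example in a simplified one-line form, not a real Security log export; the failed-logon event IDs 529 (Windows 2000/XP/2003) and 4625 (Windows Vista/Server 2008 and later) are the standard Windows audit IDs, while the five-minute window and five-account threshold are assumptions to tune for your environment.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Windows "logon failure" audit event IDs: 529 on Windows 2000/XP/2003,
# 4625 on Windows Vista/Server 2008 and later.
FAILED_LOGON_IDS = {"529", "4625"}

# Constructed sample log (simplified one-line form): timestamp, event ID,
# target account, and the workstation the attempt came from.
SAMPLE_LOG = """\
2009-01-12 14:37:01 EventID=529 Account=jsmith Source=WKSTN-07
2009-01-12 14:37:01 EventID=529 Account=jsmith Source=WKSTN-07
2009-01-12 14:37:02 EventID=529 Account=mjones Source=WKSTN-07
2009-01-12 14:37:02 EventID=529 Account=mjones Source=WKSTN-07
2009-01-12 14:37:03 EventID=529 Account=akumar Source=WKSTN-07
2009-01-12 14:37:03 EventID=529 Account=bwong Source=WKSTN-07
2009-01-12 14:37:04 EventID=529 Account=lgarcia Source=WKSTN-07
2009-01-12 14:37:04 EventID=529 Account=svc_backup Source=WKSTN-07
2009-01-12 14:37:05 EventID=529 Account=administrator Source=WKSTN-07
2009-01-12 14:40:10 EventID=529 Account=tlee Source=WKSTN-12
2009-01-12 15:02:44 EventID=529 Account=tlee Source=WKSTN-12
2009-01-12 15:17:03 EventID=4625 Account=jsmith Source=WKSTN-07
"""

LINE_RE = re.compile(r"^(\S+ \S+) EventID=(\d+) Account=(\S+) Source=(\S+)$")

Event = Tuple[datetime, str, str]  # (timestamp, account, source host)


def parse_failed_logons(text: str) -> List[Event]:
    """Parse the simplified log format, keeping only failed-logon events.
    Accounts are lower-cased and hosts upper-cased so case differences
    between log sources do not split one attacker into several."""
    events: List[Event] = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, event_id, account, source = m.groups()
        if event_id in FAILED_LOGON_IDS:
            events.append((datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
                           account.lower(), source.upper()))
    return events


def find_spraying_sources(events: List[Event],
                          window: timedelta = timedelta(minutes=5),
                          min_accounts: int = 5) -> Dict[str, int]:
    """Return {source_host: distinct_accounts} for every source that failed
    logons against at least `min_accounts` distinct accounts within any
    `window`-long span. A normal user mistyping a password fails against
    one account; a Downadup host fails against many in seconds."""
    by_source: Dict[str, List[Tuple[datetime, str]]] = defaultdict(list)
    for ts, account, source in sorted(events):
        by_source[source].append((ts, account))

    hits: Dict[str, int] = {}
    for source, evs in by_source.items():
        best, start = 0, 0
        for end in range(len(evs)):
            # Slide the window start forward until it fits inside `window`.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            distinct = len({acct for _, acct in evs[start:end + 1]})
            best = max(best, distinct)
        if best >= min_accounts:
            hits[source] = best
    return hits


if __name__ == "__main__":
    print(find_spraying_sources(parse_failed_logons(SAMPLE_LOG)))
```

On the sample, WKSTN-07 fails against seven distinct accounts in four seconds and is flagged, while WKSTN-12's two failures against a single account are ignored. Alerting on lockout events alone (644 on older Windows, 4740 on Vista and later) tells you accounts are locking; grouping the failures by source host, as here, tells you which machine to pull off the network.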
This blog series on W32.Downadup will be concluded early next week. Keep up-to-date with the continued analysis and the conclusions by subscribing to the Symantec Security Response Blog RSS feed (http://www.symantec.com/xml/rss/srblogs.jsp).