Coalition Formed in Response to W32.Downadup 

Feb 12, 2009 11:48 AM

Since its discovery by Symantec in November 2008, the malicious W32.Downadup worm has infected millions of systems worldwide. In an effort to reduce the continued propagation of the worm, Symantec is collaborating with a range of global technology industry leaders and academics in order to mitigate the risks associated with such a large network of infected systems.

Along with Symantec, the organizations involved in this collaborative effort include: Microsoft, ICANN, Neustar, Verisign, CNNIC, Afilias, Public Internet Registry, Global Domains International Inc., M1D Global, AOL, F-Secure, ISC, researchers from Georgia Tech, The Shadowserver Foundation, Arbor Networks, and Support Intelligence. 

The group’s first goal is to target the update mechanism of W32.Downadup, which relies on checking a daily list of 250 domains for updates. In order to deny attackers access to these domains, the pseudo-random domain generation algorithm used by W32.Downadup has been reverse-engineered and Symantec has preemptively registered some domain names. This proactive step prevents updates from being sent to the W32.Downadup.A variant and limits the W32.Downadup.B variant to only using its peer-to-peer (P2P) update mechanism. The domains that have been registered are now being directed to servers that are logging and tracking the infected systems. By sharing resources and expertise, this collaborative cross-industry effort is not only protecting infected systems from further damage, but also providing security to the Internet community on the whole.

The millions of systems infected by W32.Downadup pose a risk to Internet users as well as to the infrastructure of the Internet. Under the control of attackers, the millions of infected systems could be used to launch distributed denial-of-service (DDoS) attacks against specific users or organizations, crippling their ability to function on the Internet. Additionally, the infected systems could be used to deploy further threats, such as seeding a new worm that targets a more recent or undisclosed vulnerability. Such a large launch base could allow the attackers to skip the slowest part of a worm’s propagation cycle and the new worm would have millions of hosts scanning and attacking from the moment of its inception. Administrators could find themselves without the time to respond to, or guard against, the dissemination of the worm (by deploying patches, for example, or implementing mitigation strategies before the worm reached their network).

The attackers’ motive of infecting an increasing number of machines using multiple propagation vectors was clearly illustrated when W32.Downadup.B was introduced with the ability to spread using removable media and network shares. In the past five days, Symantec has observed averages of 453,436 IP addresses infected per day with W32.Downadup.A and 1,745,231 IP addresses infected per day with W32.Downadup.B.
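The registered domains described above are pointed at servers that log every request, and the per-day infection figures just quoted are the kind of number such a sinkhole produces. The following is an added example, not Symantec's or the coalition's code, of how a sinkhole operator turns an access log into a count of distinct beaconing hosts per day. The domain names and the log lines are constructed placeholders; they are not the worm's real generated domains, and the real generator yields 250 names a day rather than the handful used here.

```python
"""Counting infected systems from a sinkhole's request log.

Added example (not Symantec's code). The sinkhole answers for DGA domains that
were registered ahead of the worm; every client that asks for one of them is,
with high probability, an infected host. Domain names and log lines below are
constructed for the example.
"""
import re
from collections import defaultdict
from datetime import date

# Constructed placeholder names standing in for pre-registered DGA output.
# They are NOT the real worm's domains; the real generator yields 250 a day.
SINKHOLED_DOMAINS = {
    "abcqwe.com", "zzxvbn.net", "plmokn.org",   # registered for the first day
    "qwezxc.biz", "mnbvcx.info",                 # registered for the second day
}

# Constructed sinkhole access log:
# "<ISO-8601 UTC timestamp> <client IP> <Host header> <path>"
SAMPLE_LOG = """\
2009-02-10T03:12:44Z 198.51.100.7 abcqwe.com /
2009-02-10T03:12:45Z 198.51.100.7 abcqwe.com /
2009-02-10T07:40:01Z 203.0.113.9 zzxvbn.net /
2009-02-10T07:41:13Z 203.0.113.9 plmokn.org /
2009-02-10T09:00:00Z 192.0.2.55 example.com /
2009-02-11T01:05:00Z 198.51.100.7 qwezxc.biz /
2009-02-11T13:22:19Z 192.0.2.200 mnbvcx.info /
2009-02-11T13:22:19Z 192.0.2.200 mnbvcx.info /
2009-02-11T14:00:00Z 192.0.2.77 abcqwe.com /
not a log line
"""

LINE_RE = re.compile(r"^(\d{4})-(\d{2})-(\d{2})T\S+\s+(\S+)\s+(\S+)\s+\S+$")


def parse_line(line):
    """Return (day, client_ip, host) for a well-formed line, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    y, mo, d, ip, host = m.groups()
    return date(int(y), int(mo), int(d)), ip, host.lower().rstrip(".")


def infected_ips_per_day(log_text, sinkholed=SINKHOLED_DOMAINS):
    """Map each day to the set of distinct client IPs that asked for a sinkholed name.

    Distinct IPs are counted rather than requests: an infected host retries,
    and NAT hides many hosts behind one address, so this is a lower bound.
    A request for any sinkholed name counts, whichever day it was registered
    for, since hosts with skewed clocks ask for the wrong day's list.
    """
    per_day = defaultdict(set)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue                      # skip malformed lines
        day, ip, host = parsed
        if host in sinkholed:             # requests for other names are noise
            per_day[day].add(ip)
    return dict(per_day)


def daily_average(per_day):
    """Average number of distinct beaconing IPs per observed day (0.0 if no data)."""
    if not per_day:
        return 0.0
    return sum(len(ips) for ips in per_day.values()) / len(per_day)


def total_distinct(per_day):
    """Distinct IPs over the whole window (a host seen on two days counts once)."""
    return len(set().union(*per_day.values())) if per_day else 0


if __name__ == "__main__":
    counts = infected_ips_per_day(SAMPLE_LOG)
    for day in sorted(counts):
        print(day, len(counts[day]), "distinct beaconing IPs")
    print("average per day:", daily_average(counts))
    print("distinct overall:", total_distinct(counts))
```

On the constructed log this reports two distinct IPs on the first day and three on the second, an average of 2.5 per day and four distinct addresses overall; the host at 192.0.2.55 asking for an unrelated name is ignored. Unique-per-day IP counts of exactly this shape are what the figures in the paragraph above are measuring.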

W32.Downadup is the first successful worm to target a vulnerability in a remote service since W32.Sasser in 2004, and in doing so it has shown that the Internet is still a successful breeding ground for worms. It has also demonstrated that the efficiency and sophistication of attackers’ methods have improved. For example, in the spirit of reducing the duplication of effort, W32.Downadup ported an exploit from the Metasploit framework. In order to reduce the number of failed exploit attempts, a geo-location database was used to map target IP addresses to countries, allowing W32.Downadup to make a more informed estimate of the targeted operating systems’ build type.

Additionally, to capitalize on the networks that were penetrated with an infected host, W32.Downadup.B employs attacks against network shares. W32.Downadup.B also leverages the popularity of portable media and storage devices by incorporating an “autorun” attack that helps the worm to be carried from one network to another, bypassing firewalls at the network perimeter. These two additional propagation vectors have helped raise W32.Downadup.B’s rate of propagation to almost four times that of W32.Downadup.A.

To prevent other attackers from hijacking the infected systems, W32.Downadup.B uses a digital signature to verify that updates are actually coming from the original authors. In contrast to the technology industry leaders group that is working together with a common goal, attackers are becoming increasingly competitive in maintaining exclusive control over compromised systems so that they can protect what is often a common motive of financial gain.

Symantec is continuing to work with other industry leaders to mitigate the spread and damage caused by W32.Downadup. The most effective step that organizations and end users can take is to ensure that their computers have up-to-date antivirus software.

Message Edited by Trevor Mack on 04-03-2009 12:51 PM
