The Downadup Codex (Conficker, April fool virus, Kido)

Conficker, the worm that exploded into prominence in January when it infected millions of machines, exploiting an alreadypatched bug in Windows that Microsoft had thought dire enough to fix outside its usual update schedule. The worm hijacked a large number of PCs - estimates ranged as high as 12 million at one point - and then assembled them into a massive botnet able to spread malware, plant fake antivirus software or distribute huge amounts of spam. It all started in late-October of 2008, we began to receive reports of targeted attacks taking advantage of an as-yet unknown vulnerability in Windows remote procedure call (RPC) service. Microsoft quickly released an out-of-band security patch (MS08-067), going so far as to classify the update as critical for some operating systemsthe highest designation for a Microsoft Security Bulletin. It didnt take long for malware authors to utilize this vulnerability in their malicious code. In early November, W32.Kernelbot.A and W32.Wecorlappeared, demonstrating limited success in exploiting MS08-067. Still much of the talk at the time focused on the potential havoc that could be caused by this vulnerability, as opposed to damage caused by these threats. It wasnt until late November that W32.Downadup appeared (also called Conficker by some news agencies and antivirus vendors). This threat achieved modest propagation success, partly due to its borrowing from the work of the Metasploit Project, which had been actively developing more reliable proof-of-concept methods to take advantage of the vulnerability.

This was one thing that set the Downadup worm apart from its counterparts of the last few years its technical versatility. These secondary tricks werent new; there were just so many of them. It scanned the network for vulnerable hosts, but didnt flood it with traffic, selectively querying various computers in an attempt at masking its traffic instead. It attempted to brute force commonly used network passwords. It took advantage of Universal Plug and Play to pass through routers and gateways. And when the network proved too secure, it used a rather clever AutoPlay trick to get users to execute it from removable drives. The threat even protected itself from takeover. Transferred payload files were encrypted, as well as digitally signed, and only the Downadup authors had the key. A hot patching routine for MS08-067 prevented further exploitation by other attackers or threats. The threats authors went to great lengths to prevent buffer overflow exploitation of their own code. No one was going to hijack this worms network of potential bots. But the hidden danger behind all of this was the potential payload Downadup contained the ability to update itself or receive additional files for execution. Again, not a new technique, but in this case the threat was generating a list of 250 new domains to connect to every day. Any one of these domains could potentially contain an update that, if downloaded, would allow the threat to perform further malicious actions. What sort of actions? Anything the authors wanted really. Not only that, but the threat contained its own peer-to-peer (P2P) updating mechanism, allowing one infected computer to update another. Blocking access to the domains might protect you from one vector, but blocking a P2P update is a different matter. Infection rates began to decline in mid-February, as news of the threat spread and network administrators that had not applied MS08-067 scrambled to protect their networks. This

could be in part due to the fact that, with propagation success, the threat garnered a significant amount of attention. The domains meant to update the threat were being closely watched by security vendors, researchers, and the media. This attention isnt surprising given the threats complexity and the way it has utilized so many time-tested malicious code tricks, reinventing a few along the way. There is no doubt that Downadup has been the hot topic for 2009.