Downadup / Conficker: the Storm on the Horizon
For those of you who haven’t heard (that would be both of you), as has been shouted across CNN, The Guardian, Yahoo, and a million other places to varying degrees of accuracy, there is a worm on the loose.
Not surprised? You shouldn’t be. Last year’s endless supply of articles on Storm Worm, Srizbi, and their contemporaries could jade even the most fanatical malware researcher (guilty as charged). Storm Worm, aka Warezov, was especially closely followed, in particular after researchers cracked its communications scheme and began researching its inner workings. With such new or newly utilized techniques as P2P command and control, server-side polymorphism, fast flux, the use of rootkits and self-aware network defense, Storm Worm reached a peak of anywhere between 500,000 and a million infected hosts (according to Marshal) midway through September of last year, and was responsible for as much as 20% of all spam sent. That was impressive.
With the Storm Worm now in decline (perhaps pushed aside for its creators’ new project, Waledac, responsible for a host of fake Obama sites as of late), a new botnet has taken the headlines, and in a Bush Doctrine “Shock and Awe” sort of way. Enter Downadup/Conficker (hereon simply called Downadup for popularity’s sake, though Conficker is a whole lot catchier). Security software vendor F-Secure has seemingly taken the lead on Downadup research, rather creatively determining a method for counting the bot’s own reported number of infections, the details of which can be seen here.
How many infected hosts, you ask? As of Friday (and these things spread fast), just south of 9 million computers. By today (Monday), that number could well have climbed over 10 million, given the worm’s rapid spread over just the last week.
How does a worm of Downadup’s infancy manage to infect at least nine times as many systems as Storm Worm did in a considerably longer period? One particular reason comes to mind: propagation. Storm Worm was (in)famous for its method of spreading: sending e-mails to lure users into visiting a site purporting to be either a news page, a holiday-related site, or e-card scam, among numerous other spam campaigns. Once visited, the site would typically entice the user to click a link and run the downloaded program, adding their own machine to Storm’s burgeoning network. The bot would run in the background, silently connecting with other infected systems and receiving commands to send spam, commit DoS attacks, or whatever purpose the Storm Worm gang had rented out their botnet to fulfill.
Social engineering regarding e-mail links, however, has historically had a low rate of return (though frustratingly high for how long such techniques have been in existence). In addition, the worm’s creators initially relied upon user interaction, rather than server-side exploits, to ensure an infection. This further stymied their growth. Once the worm’s communication scheme was broken, the end was in sight, with the final nail in the coffin being Microsoft’s addition of the Storm Worm to their Malicious Software Removal Tool (MSRT). The botnet’s numbers easily halved overnight.
That being said, Downadup’s makers have taken things a step further. Downadup’s initial point of entry will likely remain unknown, but it spreads through several vectors (a blended threat):
- Remotely exploiting MS08-067, a vulnerability in the Windows Server service, especially critical on Windows 2000/XP/Server 2003. It was patched back in October.
- Attacking network shares by brute-forcing weak admin passwords, and
- Spreading via removable USB media, masquerading as the legitimate “Open folder to view files” button Windows displays when removable devices are inserted.
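The USB vector above works through the device’s autorun.inf: an `action=` line copies the shell’s own “Open folder to view files” wording while an execute key quietly launches a file from the device. Below is an added example (not from this post or any vendor’s tooling) of an admin-side check that parses such a file and lists what makes it look like a lure; both sample files, the RECYCLER path and payload.dll are constructed.

```python
# Constructed sample in the style of a removable-media lure: a junk comment
# line, mixed-case keys, an action text that mimics the Windows AutoPlay entry,
# and a ShellExecute that runs a library from the device via rundll32.
SUSPICIOUS_AUTORUN = """[AutoRun]
;;;zq9 padding junk xx
Action=Open folder to view files
Icon=%SystemRoot%\\system32\\shell32.dll,4
ShellExecute=RUNDLL32.EXE .\\RECYCLER\\S-1-5-21-1\\payload.dll,Start
UseAutoPlay=1
"""

# Constructed benign sample: only a volume label and a custom icon.
BENIGN_AUTORUN = """[autorun]
label=Backup Drive
icon=drive.ico
"""

EXEC_KEYS = {"open", "shellexecute"}          # keys that launch something
SHELL_LURE = "open folder to view files"      # the legitimate AutoPlay wording

def parse_autorun(text):
    """Return {key: value} from the [autorun] section, skipping junk lines."""
    entries, in_section = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower() == "[autorun]"
            continue
        if not in_section or line.startswith(";") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        entries[key.strip().lower()] = value.strip()   # keys are case-insensitive
    return entries

def autorun_findings(text):
    """List the reasons an autorun.inf looks like a removable-media lure."""
    e = parse_autorun(text)
    findings = []
    exec_keys = sorted(EXEC_KEYS & e.keys())
    if exec_keys:
        findings.append("executes from device: " + ", ".join(exec_keys))
    if SHELL_LURE in e.get("action", "").lower():
        findings.append("action text mimics the 'Open folder to view files' entry")
    if "shell32.dll" in e.get("icon", "").lower():
        findings.append("icon borrowed from shell32.dll to look like a folder")
    return findings
```

Disabling AutoRun for removable drives (the NoDriveTypeAutoRun policy) closes the vector regardless of what the file says; the check above is for triage of devices that have already been plugged in.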

Clearly something that spreads by such varied methods will have much better success than a one-trick pony like Storm Worm. In addition, domains are created based on the current date to allow for hard-to-track-down update sites (fast-fluxed, of course). Likewise, Downadup blocks access to legitimate security sites and even changes NTFS security permissions to resist removal.
Sounds bad, doesn’t it?
There is some reason for reassurance. Microsoft has stepped up and added Downadup to its MSRT, though the same clients who choose not to install updates like MS08-067 may also choose not to run the tool when it’s pushed via Windows Update. With the level of visibility the worm is getting, however, it’s up to both the AV companies and sys/network admins to stay on top of this one. If Storm Worm’s polymorphic code and rootkit capabilities taught us anything, it’s that signature-based scanning is increasingly losing its potency, and heuristics had better learn to catch up.
That, and when Microsoft releases patches out-of-cycle, for the love of God, PATCH!
- Dox
cool