Details:
Arrival Details
Variants of this worm may be downloaded from remote sites by other malware. It may be dropped by other malware. It may be downloaded unknowingly by a user when visiting malicious Web sites.
They may be dropped by the following malware:
They may also arrive via removable drives, network shares, or through a vulnerability.
Installation
Variants of this worm drop the following copies of themselves:
- %System%\{random file name}.dll
(Note: %System% is the Windows system folder, which is usually C:\Windows\System on Windows 98 and ME, C:\WINNT\System32 on Windows NT and 2000, or C:\Windows\System32 on Windows XP and Server 2003.)
They may also drop other copies in the following folders:
- %Application Data%
- %Program Files%\Internet Explorer
- %Program Files%\Movie Maker
- %Program Files%\Windows Media Player
- %Program Files%\Windows NT
- %Temp%
- Default system directory
(Note: %Application Data% is the current user's Application Data folder, which is usually C:\Windows\Profiles\{user name}\Application Data on Windows 98 and ME, C:\WINNT\Profiles\{user name}\Application Data on Windows NT, and C:\Documents and Settings\{user name}\Local Settings\Application Data on Windows 2000, XP, and Server 2003. %Program Files% is the default Program Files folder, usually C:\Program Files. %Temp% is the Windows Temporary folder, which is usually C:\Windows\Temp or C:\WINNT\Temp.)
They also check the operating system of the affected machine. Depending on the OS in use, a variant may inject its malware process into either SVCHOST.EXE or SERVICES.EXE.
Autostart Technique
Variants of this worm register themselves as system services to ensure their automatic execution at every system startup. They do this by creating the following registry keys and entries:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\{random service name}
ImagePath = "%System Root%\system32\svchost.exe -k netsvcs"
(Note: %System Root% is the root folder, which is usually C:\. It is also where the operating system is located.)
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\{random service name}\Parameters
ServiceDll = "{malware path and file name}"
They also add an entry in the value data list of the following registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost
The added value data is the random service name this worm creates.
Other variants also make several registry modifications to disable services, hide files, and allow more simultaneous network connections.
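The svchost netsvcs persistence described above can be hunted for by walking the netsvcs group and checking where each member's ServiceDll actually lives. The script below is an added example, not Trend Micro's code; the registry snapshot, the service and DLL names, the clean-machine baseline and the C:\Windows system root are all constructed assumptions.

```python
import re

# Constructed snapshot of the registry state described above (not a real export):
# HKLM\SYSTEM\CurrentControlSet\Services\<name> ImagePath and Parameters\ServiceDll.
SERVICES = {
    "Dhcp": {"ImagePath": r"%SystemRoot%\system32\svchost.exe -k netsvcs",
             "ServiceDll": r"%SystemRoot%\System32\dhcpcsvc.dll"},
    "wuauserv": {"ImagePath": r"%systemroot%\system32\svchost.exe -k netsvcs",
                 "ServiceDll": r"%systemroot%\system32\wuauserv.dll"},
    # Hypothetical random service and DLL names, modelled on the entries the worm creates
    "qwzxcvbn": {"ImagePath": r"%SystemRoot%\system32\svchost.exe -k netsvcs",
                 "ServiceDll": r"%SystemRoot%\system32\hjklmnop.dll"},
    "asdfghjk": {"ImagePath": r"%SystemRoot%\system32\svchost.exe -k netsvcs",
                 "ServiceDll": r"C:\Program Files\Movie Maker\zxcvbnml.dll"},
}
# Constructed value data of HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost, netsvcs
NETSVCS = ["Dhcp", "wuauserv", "qwzxcvbn", "asdfghjk"]

# Baseline of netsvcs ServiceDll paths exported from a known-clean reference machine
# (constructed and deliberately short here).
BASELINE_DLLS = {r"c:\windows\system32\dhcpcsvc.dll", r"c:\windows\system32\wuauserv.dll"}

# Drop folders named on this page; a netsvcs ServiceDll has no business living there.
DROP_DIRS = (r"c:\program files\internet explorer", r"c:\program files\movie maker",
             r"c:\program files\windows media player", r"c:\program files\windows nt",
             r"c:\windows\temp", r"c:\documents and settings")

def expand(path: str) -> str:
    """Expand %SystemRoot% for an XP-style install (assumption: C:\\Windows), lower-cased."""
    return re.sub(r"%systemroot%", r"C:\\Windows", path, flags=re.IGNORECASE).lower()

def find_suspicious_netsvcs(services: dict, netsvcs: list, baseline: set) -> dict:
    """Map each suspicious netsvcs member to the reason it was flagged."""
    findings = {}
    for name in netsvcs:
        svc = services.get(name)
        if svc is None or "-k netsvcs" not in svc["ImagePath"].lower():
            continue
        dll = expand(svc["ServiceDll"])
        if any(dll.startswith(d) for d in DROP_DIRS):
            findings[name] = "ServiceDll in a known drop folder: " + dll
        elif dll not in baseline:
            findings[name] = "ServiceDll not in clean baseline: " + dll
    return findings

if __name__ == "__main__":
    for svc, why in find_suspicious_netsvcs(SERVICES, NETSVCS, BASELINE_DLLS).items():
        print(f"{svc}: {why}")
```

A randomly named DLL in the system folder only stands out against a baseline, which is why the drop-folder check alone is not enough.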
Other System Modifications
Variants of this worm exhibit the following routines:
- Blocks access to antivirus-related sites and URLs
- Disables services such as the Windows Automatic Update service (wuauserv)
- Generates high traffic on TCP port 445 of the affected system upon successful exploitation
- Drops {Random file name}.dll and AUTORUN.INF on all mapped drives
- Drops {Random file name}.dll and AUTORUN.INF in the Internet Explorer and Movie Maker folders under the Program Files directory
- Changes Folder Options so that hidden files are not displayed
- Attempts to connect to several URLs to download a file that indicates the location of the affected system
- Locks out user accounts, so users cannot log in with their Windows credentials
- Deletes a registry key so that the system cannot start, even in Safe Mode
Some variants are capable of generating between 250 and 50,000 domain names. Although the worm only attempts to connect to around 500 randomly selected domains at a time, this change is seen as an effort to improve the survivability of the DOWNAD botnet.
Propagation Routines
Propagation via Vulnerability
Variants of this worm propagate in two ways, both of which take advantage of a vulnerability in certain Microsoft operating systems that could allow remote code execution if an affected system received a specially crafted RPC request containing shellcode. More information on the said vulnerability can be found in the following link:
Once the crafted RPC request reaches a vulnerable system, the shellcode is decrypted and resolves the APIs it needs to download a copy of the worm from the already infected system, which has been turned into an HTTP server. The infected system opens a random TCP port, and the vulnerable machine connects to it using the following URL:
- http://{IP address of the affected machine}:{random port}/{malware file name composed of random characters}
During this exploit, high traffic on TCP port 445 is seen, since this is the port that variants of this worm use.
While the copy of the worm is being downloaded from the infected system to the vulnerable system, the worm modifies the packet header so that the transfer appears to be a harmless JPEG file when it is in fact an executable. It does this to avoid detection by the network firewall or host security applications. If an unpatched system continues to receive malicious packets, it may eventually crash.
The downloaded copy of the worm is saved as X in the Windows system folder.
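A network sensor can catch the JPEG disguise described above by trusting the payload's magic bytes rather than the declared Content-Type. This is an added example, not Trend Micro's code; the HTTP exchange and the minimal PE body are constructed samples, not captured worm traffic.

```python
import struct

def parse_http_response(raw: bytes):
    """Split a raw HTTP response into (lower-cased header dict, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    headers = {}
    for line in head.split(b"\r\n")[1:]:
        key, _, value = line.partition(b":")
        headers[key.strip().lower().decode()] = value.strip().decode()
    return headers, body

def sniff_body(body: bytes) -> str:
    """Classify the body by its magic bytes rather than by what the header claims."""
    if body[:3] == b"\xff\xd8\xff":
        return "jpeg"
    if body[:2] == b"MZ" and len(body) >= 0x40:
        e_lfanew = struct.unpack_from("<I", body, 0x3C)[0]
        if body[e_lfanew:e_lfanew + 4] == b"PE\x00\x00":
            return "pe"
        return "mz-stub"   # DOS header without a reachable PE signature
    return "unknown"

def flag_disguised_executable(raw: bytes):
    """Return a finding when Content-Type says image/* but the payload is a Windows executable."""
    headers, body = parse_http_response(raw)
    ctype = headers.get("content-type", "").split(";")[0].strip().lower()
    kind = sniff_body(body)
    if ctype.startswith("image/") and kind in ("pe", "mz-stub"):
        return f"content-type {ctype} but body is a Windows executable ({kind})"
    return None

# Constructed samples. DISGUISED mimics the transfer described above: a 64-byte DOS header
# whose e_lfanew points at a 'PE\0\0' signature, served with an image/jpeg Content-Type.
_pe_body = b"MZ" + b"\x00" * 58 + struct.pack("<I", 64) + b"PE\x00\x00"
DISGUISED = (b"HTTP/1.1 200 OK\r\nContent-Type: image/jpeg\r\n"
             + b"Content-Length: %d\r\n\r\n" % len(_pe_body) + _pe_body)
# A genuine (truncated) JPEG for comparison: SOI marker followed by the start of an APP0 segment.
REAL_JPEG = (b"HTTP/1.1 200 OK\r\nContent-Type: image/jpeg\r\n\r\n"
             + b"\xff\xd8\xff\xe0\x00\x10JFIF\x00")

if __name__ == "__main__":
    print(flag_disguised_executable(DISGUISED))   # flagged
    print(flag_disguised_executable(REAL_JPEG))   # None
```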
Variants of this worm are also capable of propagating over the Internet by sending the exploit code to random Internet addresses. They first broadcast the opened random port that serves as an HTTP server so that it is reachable over the Internet.
They then obtain the external IP address of the system to check whether it has a direct connection to the Internet, by comparing the external IP address with the IP address configured on the Ethernet or modem interface. If the affected system has a direct connection, they launch the exploit code over the Internet.
They attempt to connect to any of the following URLs to determine the IP address of the affected computer:
- http://checkip.dyndns.org
- http://getmyip.co.uk
- http://www.getmyip.org
After obtaining the IP address, variants of this worm check that it is valid and is not a local IP address. They also check whether the external IP address is the same as the IP address configured on the system.
Note that they make the random ports they use reachable from the Internet by broadcasting the port via a Simple Service Discovery Protocol (SSDP) request.
Propagation via Network Shares
Some variants use the NetUserEnum function to enumerate the user names on a target and then try a list of passwords against each in order to connect to a network share. Upon successful propagation via a network share, the worm drops a copy of itself in Admin$\system32 and creates a scheduled task (located at %systemroot%\tasks) that automatically executes the dropped copy.
Hence, a target machine with a weak password can be repeatedly attacked by a system infected with WORM_DOWNAD. Repeated detections in the Windows system folder are an indicator of this.
Propagation via Removable Drives and Network Drives
Upon successful enumeration of drives, DOWNAD variants may drop a copy of themselves along with the file AUTORUN.INF, which is intended to automatically execute the dropped copy when the drive is accessed. A machine that has an infected drive mapped may encounter repeated detections on that mapped drive. The dropped file is usually found at {Drive}\Recycler\s-xxxxxxxxxxx.
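The removable-drive pattern above (an AUTORUN.INF whose launch target points into {Drive}\Recycler\S-...) can be checked with a small drive-root scan. This is an added example and not Trend Micro's code; the AUTORUN.INF contents, the S-... folder name and the DLL name are constructed placeholders, and the scan runs against a throwaway directory standing in for a drive root.

```python
import os
import re
import tempfile

# Constructed AUTORUN.INF modelled on the behaviour described above (not the worm's own file):
# its launch keys point at a copy dropped under {Drive}\Recycler\S-... (placeholder names).
SAMPLE_AUTORUN = (
    "[autorun]\r\nIcon=%systemroot%\\system32\\shell32.dll,4\r\n"
    "shellexecute=.\\RECYCLER\\S-1-5-21-0000000000-0000000000-0000000000-1000\\hjklmnop.dll\r\n"
    "shell\\Open\\command=.\\RECYCLER\\S-1-5-21-0000000000-0000000000-0000000000-1000\\hjklmnop.dll\r\n"
)
# Keys that make the shell run something, and the Recycler\S-* path shape named on this page.
LAUNCH_KEY = re.compile(r"^(open|shellexecute|shell\\.*\\command)\s*=\s*(.+)$", re.IGNORECASE)
RECYCLER_RE = re.compile(r"(?:^|[\\/])recycler[\\/]s-[0-9-]+[\\/]", re.IGNORECASE)

def parse_autorun(text: str) -> dict:
    """Return the launch-capable keys of the [autorun] section, lower-cased key -> target."""
    launches, in_section = {}, False
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("["):
            in_section = line.lower() == "[autorun]"
            continue
        m = LAUNCH_KEY.match(line) if in_section else None
        if m:
            launches[m.group(1).lower()] = m.group(2).strip()
    return launches

def scan_drive_root(root: str) -> list:
    """Flag AUTORUN.INF launch targets pointing into Recycler\\S-*: (key, target, exists)."""
    findings = []
    for inf in (e for e in os.listdir(root) if e.lower() == "autorun.inf"):
        with open(os.path.join(root, inf), encoding="latin-1") as fh:
            launches = parse_autorun(fh.read())
        for key, target in launches.items():
            if RECYCLER_RE.search(target):
                rel = target.lstrip(".\\/").replace("\\", os.sep)
                findings.append((key, target, os.path.isfile(os.path.join(root, rel))))
    return findings

def build_fixture() -> str:
    """Create a throwaway 'drive root' holding the constructed AUTORUN.INF and dropped DLL."""
    root = tempfile.mkdtemp()
    drop_dir = os.path.join(root, "RECYCLER", "S-1-5-21-0000000000-0000000000-0000000000-1000")
    os.makedirs(drop_dir)
    open(os.path.join(drop_dir, "hjklmnop.dll"), "wb").close()
    with open(os.path.join(root, "AUTORUN.INF"), "w") as fh:
        fh.write(SAMPLE_AUTORUN)
    return root
```

Run `scan_drive_root(build_fixture())` to see both launch keys flagged with the dropped file present; on a real mapped drive, pass the drive root instead of the fixture.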
What's the goal of this worm?
It appears that the goal of this worm is to create a large botnet of infected PCs so that its creators may at some point send spam, steal personal information (user IDs, passwords, credit card info, etc.) and direct users to malicious websites used for phishing or downloading additional malware.
Trend Micro has published information on this threat which can be found on the following pages:
Affected Platforms
WORM_DOWNAD variants run on Windows NT, 2000, XP, and Server 2003.