Modification of the Downadup worm - W32.Downadup.C.

Published on March 21, 2009


Original author: Security Intel Analysis Team
  • Translation

Remember the Downadup worm (Conficker, Kido)? Do you think it is already a thing of the past and you can forget about it?
You're wrong.

In early March, the authors of this worm released a new modification: W32.Downadup.C. In this modification the authors removed the worm's propagation code entirely. But it became much smarter at defending itself against detection, and gained new, protected mechanisms for pushing new malware to the infected botnet.

Surprisingly, the authors were not scared off and continue to prepare for monetizing the botnet. Everyone thought that the 250 thousand dollar reward Microsoft offered for the capture of the authors would frighten them into hiding. But no: they keep working.

So, for anyone interested in learning more about the new modification of the worm, here is my translation of yesterday's article from the Symantec blog, W32.Downadup.C Bolsters P2P:

Somewhere between March 4 and March 6, 2009, the authors of the Downadup worm published a new major update to the Downadup network. Symantec engineers caught this update in one of their honeypots (unprotected computers that are directly exposed to the Internet; antivirus companies use them to catch new or known malware and to test it) and quickly built protection against the new threat. Overall, the whole history of this threat is extremely interesting.

Initially, the worm's main task was to spread, and it successfully spread into a fairly robust and large botnet, supplemented by a complex code-signing mechanism protecting the update channel, as well as a robust P2P (peer-to-peer) protocol.

Below is a table in which you can see general data on the evolution of this threat:

There is no need to translate this table in full, so I will say only a few words:

you can see that in version C the worm no longer spreads. But it received an improved mechanism for delivering updates via HTTP and P2P, as well as stronger protection against detection and removal. The malware even searches for and kills some security programs.

One interesting aspect of W32.Downadup.C is the removal of the propagation routine. This coincided with public reports of a decrease in TCP port 445 activity as of March 5, 2009. A decrease in TCP port 445 activity is to be expected, since W32.Downadup.A and W32.Downadup.B both had aggressive propagation algorithms, whereas W32.Downadup.C has none. The Symantec DeepSight Threat Management System observed this decrease in activity (as you can see in Chart 1 below).

Chart 1. Decrease in TCP port 445 request activity, possibly due to the upgrade of the Downadup network to W32.Downadup.C.

Another important aspect of W32.Downadup.C is the addition of a robust update mechanism via P2P. The P2P functionality allows the authors to send cryptographically signed updates to other computers infected with Downadup. It contains a UDP P2P scanner that sends UDP traffic to a generated list of IP addresses and ports. Chart 2 illustrates all UDP activity on ports greater than 1024 that was detected by the Symantec DeepSight Threat Management System between February 18 and March 3, 2009.

Chart 2. UDP activity for ports greater than 1024 between February 18 and March 3, 2009.

A sharp increase in this traffic was detected on March 4. This coincided with the W32.Downadup.C update being sent to computers infected with W32.Downadup.B. The strong increase in UDP activity indicates that a large number of systems infected with W32.Downadup.B began performing UDP P2P scans of random IP addresses. This behavior is characteristic of the initial P2P setup of W32.Downadup.C.

Chart 3. UDP activity for ports greater than 1024 between March 4 and March 18, 2009.

Note the number of IP addresses (that is, the minimum number of infected computers): more than 2 million (translator's note).
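The two traffic signals described above (the drop on TCP port 445 and the burst of UDP to random high ports when infected hosts start their P2P scan) can be pulled out of ordinary flow logs. The following is an added example written for this page, not code from Symantec or from the original post; the flow records are constructed, and the window size and the threshold of distinct targets are assumptions to be tuned per network.

```python
"""Flow-log heuristics for the two shifts described above (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta

EPOCH = datetime(1970, 1, 1)

# Constructed sample flows ("<timestamp> <src> <dst> <proto> <dport>"), made up
# for this example: 10.0.0.5 behaves like a P2P bootstrap scanner (many UDP
# packets to random IP:port pairs), 10.0.0.9 like an ordinary host doing DNS
# lookups and two SMB connections.
SAMPLE_FLOWS = """\
2009-03-04T10:00:01 10.0.0.5 203.0.113.17 udp 40125
2009-03-04T10:00:02 10.0.0.5 198.51.100.9 udp 51377
2009-03-04T10:00:03 10.0.0.5 192.0.2.44 udp 33002
2009-03-04T10:00:04 10.0.0.5 203.0.113.88 udp 60710
2009-03-04T10:00:05 10.0.0.5 198.51.100.201 udp 45444
2009-03-04T10:00:06 10.0.0.5 192.0.2.7 udp 28901
2009-03-04T10:00:07 10.0.0.9 192.0.2.53 udp 53
2009-03-04T10:00:08 10.0.0.9 192.0.2.53 udp 53
2009-03-04T10:00:09 10.0.0.9 203.0.113.5 tcp 445
2009-03-04T10:00:10 10.0.0.9 203.0.113.6 tcp 445
2009-03-04T10:10:00 10.0.0.5 203.0.113.17 udp 40125
"""


def parse_flows(text):
    """Parse whitespace-separated flow lines into (ts, src, dst, proto, dport)."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, proto, dport = line.split()
        flows.append((datetime.fromisoformat(ts), src, dst, proto.lower(), int(dport)))
    return flows


def udp_highport_fanout(flows, window=timedelta(minutes=5), min_targets=5):
    """Sources that, within a single time window, sent UDP to at least
    min_targets distinct (dst, port > 1024) pairs; returns {src: largest count}.
    A spray of UDP to random IP:port targets is the shape of the bootstrap
    scan described above; a normal client talks to a handful of fixed peers."""
    per_window = defaultdict(set)
    for ts, src, dst, proto, dport in flows:
        if proto != "udp" or dport <= 1024:
            continue
        per_window[(src, (ts - EPOCH) // window)].add((dst, dport))
    hits = {}
    for (src, _), targets in per_window.items():
        if len(targets) >= min_targets:
            hits[src] = max(hits.get(src, 0), len(targets))
    return hits


def tcp445_counts(flows, bucket=timedelta(hours=1)):
    """TCP/445 flows per bucket, keyed by the ISO bucket start: the time series
    whose step down is the signal in Chart 1 (SMB, the port A and B scanned)."""
    counts = defaultdict(int)
    for ts, _src, _dst, proto, dport in flows:
        if proto == "tcp" and dport == 445:
            start = EPOCH + ((ts - EPOCH) // bucket) * bucket
            counts[start.isoformat()] += 1
    return dict(counts)


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    print("P2P bootstrap suspects:", udp_highport_fanout(flows))
    print("TCP/445 per hour:", tcp445_counts(flows))
```

On the constructed sample, only 10.0.0.5 is reported (six distinct targets in one five-minute window); the DNS and SMB traffic of 10.0.0.9 is ignored because it is either not UDP or not above port 1024. On real data, plot the per-hour TCP/445 series over a couple of weeks to see a step like Chart 1, and raise the fan-out threshold until known P2P applications on the network stop firing.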

The main goal of the P2P functionality is to allow the authors to send signed updates to computers infected with W32.Downadup.C. Essentially, this threat has evolved from an Internet worm (perhaps that was a test phase) into a fully functional backdoor/bot. The P2P network makes taking down the Downadup network very difficult, because there is no centralized command center that could be shut down.

In addition to P2P updates, the secondary HTTP update method has also been improved. It now generates a list of 50,000 domains every day and randomly selects 500 of them, which it checks daily to find and download cryptographically signed updates.
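What the "50,000 generated, 500 checked" design buys the authors is easiest to see with the defender's cost worked out. The following is an added example written for this page, not the worm's real algorithm and not code from Symantec or the original post: the domain generator is a hypothetical stand-in with the same shape the text describes (N candidates per day, K of them chosen at random), the TLD list and seed format are assumptions, and it assumes each bot draws its own random subset (the text says "randomly selects", the per-host detail is my assumption).

```python
"""Cost model for a DGA-based update channel (added, illustrative example)."""
import hashlib
import math
import random
from fractions import Fraction

TLDS = ("com", "net", "org", "info", "biz")  # assumed list, not the worm's
N_PER_DAY = 50000   # candidate domains generated per day (from the text)
K_CONTACTED = 500   # of which each bot checks this many (from the text)


def candidate_domain(day, index):
    """Deterministically derive candidate number `index` for ISO date `day`
    (hypothetical rule). Anyone who knows the rule, bot or defender, derives
    the same name, which is why a DGA needs a large N: the defense is to
    register or sinkhole names before the authors do."""
    digest = hashlib.sha256(f"{day}:{index}".encode()).digest()
    label = "".join("abcdefghijklmnopqrstuvwxyz"[b % 26] for b in digest[:10])
    return f"{label}.{TLDS[digest[10] % len(TLDS)]}"


def todays_contacts(day, host_id, n=N_PER_DAY, k=K_CONTACTED):
    """The K names one bot will query on `day`. The draw is seeded per host
    (assumption), so two bots check mostly different subsets of the N."""
    rng = random.Random(f"{day}|{host_id}")
    return [candidate_domain(day, i) for i in sorted(rng.sample(range(n), k))]


def p_bot_reaches_sinkhole(m, n=N_PER_DAY, k=K_CONTACTED):
    """Exact probability that a bot drawing K of N names queries at least one
    of M defender-controlled names: 1 - C(N-M, K) / C(N, K) (hypergeometric).
    Reaching a sinkhole only lets defenders *observe* the bot; because updates
    are signed, a sinkhole cannot push it code."""
    m = min(max(m, 0), n)
    return 1 - Fraction(math.comb(n - m, k), math.comb(n, k))


def min_sinkholes_for(target, n=N_PER_DAY, k=K_CONTACTED):
    """Smallest M with p_bot_reaches_sinkhole(M) >= target, found by binary
    search (the probability is monotone in M)."""
    lo, hi = 0, n
    while lo < hi:
        mid = (lo + hi) // 2
        if p_bot_reaches_sinkhole(mid, n, k) >= target:
            hi = mid
        else:
            lo = mid + 1
    return lo


if __name__ == "__main__":
    print(todays_contacts("2009-03-06", "host-a")[:3], "...")
    for m in (1, 50, 500, 5000):
        print(f"sinkhole {m:>5} of {N_PER_DAY}: "
              f"{float(p_bot_reaches_sinkhole(m)):.4f} of bots reach one")
    print("M needed to see 99% of bots:", min_sinkholes_for(Fraction(99, 100)))
```

The asymmetry is the point: a defender who controls only a few hundred of the day's 50,000 names already sees the large majority of bots, so the channel is observable, but the same defender cannot cure anything through it because the bot discards anything that does not carry the authors' signature. Conversely, blocking the channel outright means registering all 50,000 names every day across every TLD the generator uses.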

Be that as it may, there is still no information, or even a hint, about how this network will be used in the future.