Teaching old worms new tricks

March 2009 Information Security

Win32.Worm.Downadup uses new tricks to spread itself without being easily detected.

Win32.Worm.Downadup, a worm which spreads by exploiting a vulnerability in the Windows RPC Server Service, has been detected by BitDefender. The Downloadup worm (also called Conficker or Kido) is nothing new. It made its first appearance late November 2008, exploiting the MS08-067 vulnerability to spread unhindered in local area networks. Its purpose was to install rogue security software on infected computers.

In late December, BitDefender Labs uncovered a new version of the worm called Win32.Worm.Downadup.B. The malware comes with a list of new features, aside from the present spreading routine, which has also shown signs of improvement.

The worm now uses USB sticks to spread. By copying itself in a random folder created inside the RECYCLER directory, used by the Recycle Bin to store deleted files, and creating an autorun.inf file in the root folder of the infected drive, the worm automatically executes if the infected computer’s Autorun feature is enabled.

The worm also patched certain TCP functions to block access to security-related websites by filtering every address that contains certain strings. This makes it harder to remove since information about it is nearly impossible to gather from an infected computer. Additionally, it removes all access rights of the user, except execute and directory usage, to protect its files.

The worm is also built to avoid antivirus detection by working with rarely used APIs in order to circumvent virtualisation technologies. It disables Windows updates and certain network traffic, optimising Vista features to ease its spreading.

Win32.Worm.Downadup.B comes with a domain name generation algorithm similar to the one found in botnets like Rustock. It composes 250 domains every day and checks some of them for updates or other files to download and install.

Having a state-of-the-art update system, a good protection scheme and many people that do not patch their systems, this worm has great potential to become a rival to already established botnets like Storm or Srizbi.

For more technical details please visit the Malwarecity Blog at: http://www.malwarecity.com/blog.html and the BitDefender description: http://www.bitdefender.com/VIRUS-1000462-en--Win32.Worm.Downadup.Gen.html

Facebook users, beware of the fake hubs!

BitDefender researchers have detected an IM-based spam wave automatically sent to accounts which promises a hot date if the Facebook’s users access the typosquatted link.

Users should pay extremely close attention to details, such as Websites names and avoid following links received in e-mail or IM spam. Failing to do so might result in stolen log-in credentials. Phishers could exploit them to harvest e-mail addresses, retrieve other contact details stored in accounts or post spam messages or malware disguised behind banner advertising.





Share this article:
Share via emailShare via LinkedInPrint this page



Further reading:

Highest increase in global cyberattacks in two years
Information Security News & Events
Check Point Global Research released new data on Q2 2024 cyber-attack trends, noting a 30% global increase in Q2 2024, with Africa experiencing the highest average weekly per organisation.

Read more...
What does Agentic AI mean for cybersecurity?
Information Security AI & Data Analytics
AI agents will change how we work by scheduling meetings on our behalf and even managing supply chain items. However, without adequate protection, they become soft targets for criminals.

Read more...
Phishing attacks through SVG image files
Kaspersky News & Events Information Security
Kaspersky has detected a new trend: attackers are distributing phishing emails to individual and corporate users with attachments in SVG (Scalable Vector Graphics) files, a format commonly used for storing images.

Read more...
Crypto in SA: between progress and precaution
Information Security
“As cryptocurrency gains momentum and legitimacy, it’s becoming increasingly important for people to pay attention to financial security”, says Richard Frost, head of technology and innovation at Armata Cyber Security.

Read more...
Cyber recovery requires a different approach to disaster recovery
Information Security
Disaster recovery is about getting operations back on track after unexpected disruptions; cyber recovery, however, is about calculated actions by bad actors aiming to disrupt your business, steal sensitive data, or hold your system hostage.

Read more...
MDR users claim 97,5% less
Sophos Information Security
The average cyber insurance claim following a significant cyberattack is just $75 000 for MDR users, compared with $3 million for endpoint-only users, according to a new independent study.

Read more...
The impact of GenAI on cybersecurity
Sophos News & Events Information Security
Sophos survey finds that 89% of IT leaders worry GenAI flaws could negatively impact their organisation’s cybersecurity strategies, with 87% of respondents stating they were concerned about a resulting lack of cybersecurity accountability.

Read more...
Efficient, future-proof estate security and management
Technews Publishing ElementC Solutions Duxbury Networking Fang Fences & Guards Secutel Technologies OneSpace Technologies DeepAlert SMART Security Solutions Editor's Choice Information Security Security Services & Risk Management Residential Estate (Industry) AI & Data Analytics IoT & Automation
In February this year, SMART Security Solutions travelled to Cape Town to experience the unbelievable experience of a city where potholes are fixed, and traffic lights work; and to host the Cape Town SMART Estate Security Conference 2025.

Read more...
Kaspersky KATA 7.0 for targeted attack protection
Information Security Products & Solutions
] Kaspersky has announced a major update to its Kaspersky Anti Targeted Attack (KATA) including enhanced network detection and response (NDR) capabilities with deeper network visibility, internal threats detection and other critical security features.

Read more...
The role of advanced technologies in ransomware recovery
Information Security
As businesses increasingly adopt cloud technologies, the complexities of maintaining resilience and ensuring rapid recovery from such incidents become even more pronounced. The integration of advanced technologies is essential to navigate these challenges effectively.

Read more...