Downadup Gathers Steam Amid Vendor Confusion

The US-CERT advisory, issued last Tuesday, concerned Microsoft instructions for disabling the Autorun feature on Windows. "Microsoft's guidelines for disabling Autorun are not fully effective, which could be considered a vulnerability," argued the cyber security team, which is administered by the Department of Homeland Security.

The advisory addressed Microsoft instructions for changing registry values to disable Autorun. "According to Microsoft, setting the NoDriveTypeAutoRun registry value to 0xFF 'disables Autoplay on all types of drives.' Even with this value set, Windows may execute arbitrary code when the user clicks the icon for the device in Windows Explorer," US-CERT warned. It presented an alternative method for disabling the feature.
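
An audit of the registry setting discussed above, added here as an example and not taken from the advisory or from Microsoft: it decodes NoDriveTypeAutoRun values found in a .reg export and lists the drive types for which Autorun is still enabled. The Policies\Explorer key paths, the bit-to-drive-type table and the sample export are assumptions supplied for the example; the sample is constructed.

```python
import re

# Assumed bit layout of NoDriveTypeAutoRun: one bit per Windows drive type.
DRIVE_TYPE_BITS = {
    0x01: "unknown", 0x02: "no root directory", 0x04: "removable",
    0x08: "fixed", 0x10: "network", 0x20: "CD-ROM",
    0x40: "RAM disk", 0x80: "reserved",
}

# Constructed sample in .reg export syntax (not taken from a real host).
SAMPLE_REG = r'''
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDriveTypeAutoRun"=dword:000000ff

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDriveTypeAutoRun"=dword:00000091
'''

KEY_RE = re.compile(r'^\[(.+)\]$')
VAL_RE = re.compile(r'^"NoDriveTypeAutoRun"=dword:([0-9a-fA-F]{8})$')

def audit_autorun(reg_text):
    """Return one finding per NoDriveTypeAutoRun value in a .reg export."""
    findings, key = [], None
    for raw in reg_text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)          # remember which key the values belong to
            continue
        m = VAL_RE.match(line)
        if not (m and key):
            continue
        mask = int(m.group(1), 16) & 0xFF
        # A cleared bit means Autorun is still allowed for that drive type.
        still_on = [name for bit, name in DRIVE_TYPE_BITS.items()
                    if not mask & bit]
        if still_on:
            verdict = "Autorun still enabled for: " + ", ".join(still_on)
        else:
            # US-CERT: even 0xFF is not fully effective on its own.
            verdict = "0xFF set; not sufficient by itself per US-CERT"
        findings.append({"key": key, "mask": mask,
                         "still_enabled": still_on, "verdict": verdict})
    return findings

if __name__ == "__main__":
    for f in audit_autorun(SAMPLE_REG):
        print(f"{f['key']}: 0x{f['mask']:02X} -> {f['verdict']}")
```
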

Downadup spreads using multiple techniques, but one of its infection vectors is via USB drives, which can be made to automatically install the worm once inserted. Criminals could easily infect a corporate network by simply leaving some USB keys in a company's parking lot or sending a few through the mail and waiting for an individual employee to take the bait. Once on a machine, the malware spreads quickly using an RPC flaw detected and patched by Microsoft last October, if computers on the network have not been updated. The worm continually reinfects machines once installed and is difficult to get rid of.

Microsoft acknowledged the inaccurate instructions in September last year, when it published an article providing links to software updates that correct the problem. However, US-CERT argued that users of Windows 2000, XP, and Server 2003 must install the update manually. Only Windows Vista and Server 2008 are updated automatically via the Microsoft Update service, it warned.

Security experts were publishing varying estimates of the extent of the Downadup infection last week, and they were all disconcerting. Reports on BBC News on Monday suggested nine million infections, with Shavlik Technologies claiming an infection rate of one million computers each day. "The worm also denies internet access to the websites of many different security vendors," warned the security firm in a statement, adding that it believed the malware also disabled some agent-based patch management systems such as Windows Update: "Attempting to go to your AV security vendor of choice to download detection or removal tools will be blocked by this worm," it said.

