Downadup Worm Continues to Spread

According to researchers at the SANS Institute, the worm may have been responsible for an
infection at the Vancouver School Board. Network accounts at the organisation were being locked out in a manner consistent with the worm's method of running dictionary attacks against Active Directory passwords.

"The malware uses server-side polymorphism and ACL modification to make network disinfection particularly difficult," said F-Secure in an update for its customers. "A sign of infection is that user accounts become locked out of an Active Directory domain as the worm attempts to crack account passwords using a built-in dictionary. When it fails, it leads to those accounts being locked."
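The lockout symptom F-Secure describes leaves a clear trail on the domain controllers: every lockout is recorded in the Security log as Event ID 4740, and the event names the computer from which the failed logons came. The following PowerShell script is an added example, not code from the article or from F-Secure; it groups recent 4740 events by caller computer so that a single host locking out many distinct accounts, the signature of one infected machine running a dictionary attack, stands out. The 24-hour window and the threshold of five distinct accounts are assumed values to tune for your environment.

```powershell
# Added example (not from the article or F-Secure). Run on the PDC emulator, which
# receives every account lockout in the domain, with rights to read the Security log.
# Event 4740 = "A user account was locked out". Its EventData carries the locked account
# in TargetUserName and the originating host ("Caller Computer Name") in TargetDomainName.

$since     = (Get-Date).AddHours(-24)   # assumed look-back window
$threshold = 5                          # assumed: distinct accounts one host may lock out before we flag it

$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4740; StartTime = $since } `
                       -ErrorAction SilentlyContinue

# Flatten each event into (time, locked account, caller computer).
$lockouts = foreach ($e in $events) {
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    [pscustomobject]@{
        Time           = $e.TimeCreated
        LockedAccount  = $data['TargetUserName']
        CallerComputer = $data['TargetDomainName']   # "Caller Computer Name" field of 4740
    }
}

# One caller computer locking out many *different* accounts is the worm's dictionary attack;
# one user locking out the same account repeatedly is usually just a stale credential.
$suspects = $lockouts |
    Group-Object CallerComputer |
    ForEach-Object {
        $accounts = $_.Group | Select-Object -ExpandProperty LockedAccount -Unique
        $ordered  = $_.Group | Sort-Object Time
        [pscustomobject]@{
            CallerComputer   = $_.Name
            DistinctAccounts = @($accounts).Count
            TotalLockouts    = $_.Count
            FirstSeen        = $ordered[0].Time
            LastSeen         = $ordered[-1].Time
            SampleAccounts   = ($accounts | Select-Object -First 5) -join ', '
        }
    } |
    Where-Object { $_.DistinctAccounts -ge $threshold } |
    Sort-Object DistinctAccounts -Descending

if ($suspects) {
    Write-Host "Hosts locking out $threshold or more distinct accounts since $since :"
    $suspects | Format-Table -AutoSize
} else {
    Write-Host "No host has locked out $threshold or more distinct accounts since $since."
}
```

Treat the caller computer as a lead, not a verdict: when authentication is relayed through another server (for example a mail or terminal server), that server's name appears in the event rather than the infected workstation, so the next step is to check that host's own logon failures (Event ID 4625) to find where the attempts really originate. Isolating the flagged machine from the network stops the lockouts immediately, which is also a cheap way to confirm the diagnosis before disinfection.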

Downadup, which also spreads via removable media, starts an HTTP server on an infected machine and then uses the RPC exploit to make other machines on the local network download its code from that server. It installs malware downloaders that can then call out to other servers for subsequent installations.

Microsoft gave the RPC vulnerability that Downadup exploits an exploitability index rating of one, meaning that consistent exploit code was likely. The exploitability index was created in August as a means of helping customers gauge the real-world risk to their networks from specific vulnerabilities.

The operating system vendor patched the RPC vulnerability that the worm exploits in October. Clearly, many customers have failed to apply the patch, allowing themselves to be infected by the worm, which needs no user interaction to propagate. F-Secure provides specific instructions on how to disinfect machines on a local network here.
