We covered the release of Downadup (also known as Conticker), last week. The worm, which takes advantage of the MS08-067 vulnerability, attacks Windows machines through port 445 and takes advantage of an RPC flaw. An infected machine sets up an HTTP server used to download the worm to other machines.
Ivan Macalintal, researcher at Trend Micro Advanced Threats, explained that the success of the infection mechanism invoked the bad old days of network worms that spread dramatically and infected machines en masse. The last worm to achieve significant success in this way was Zotob, which spread widely in late 2005. Subsequently, malware infection vectors switched to web applications and the use of 'drive-by downloads'.
"We should not be too complacent about these old mechanisms of malware infection being used again," he added, emphasising the importance of applying security patches. Microsoft released a patch for the flaw a month ago, but many have not applied it, or failed to restart machines that downloaded it.
There is also evidence that the malware (which Trend Micro identifies as WORM_DOWNAD.A) is designed to check back in for future downloads at set times in the future. "The worm generates a randomised version of itself and it has the ability to generate future domains according to the date and time," said Macalintal. This would make it easier for infected machines to contact command and control servers and download more malware, even if the botnet's controllers were taken offline temporarily as occurred with alleged botnet operator McColo recently. "This is a plan that was laid out before they put the code in the wild," Macalintal concluded.