12:14 pm (UTC-7) | by Robert McArdle (Senior Threat Researcher)
Quite a few security websites and media outlets have reported on the current wave of WORM_DOWNAD.AD detections over the last few weeks. And last weekend seemed to be a busy time for the worm infecting a considerable number of machines.
What’s noteworthy about this particular beastie is not only the scale of the infections (some estimates put it at over 8 million infected machines), but also the propagation techniques – a 3 pronged attack designed to exploit weak company security policies.
Firstly WORM_DOWNAD.AD sends exploit packets for the recent Microsoft Server Service Vulnerability to every machine on the network, and to several randomly selected targets over the Internet. This vulnerability allows remote code execution for an attacker, and effects just about every version of Windows since Windows 2000.
For its next trick WORM_DOWNAD.AD drops a copy of itself in the Recycler folder (Recycle Bin) of all available removable and network drives. Next it creates an obfuscated autorun.inf file on these drives, so that the worm is executed simply by browsing to the network folder or removable drive (the user does not need to actually click on the file). A sign for the infection can be sometimes seen in Windows Explorer when the removable drives are shown with the folder icon instead of the usual drive icon.
And then comes the icing on the cake – It first enumerates the available servers on the network and then, using this information, it gathers a list of user accounts on these machines. Finally it runs a dictionary attack against these accounts using a predefined password list (more details here). If successful (and a scary amount of the time peoples passwords are that bad), it drops a copy of itself on their system and uses a scheduled task, also known as an AT job, to execute the worm.
So why is this worm so successful? Simple – poor security policies.
The first propagation technique is really exploiting poor patch management. A patch for this vulnerability has been available since late last year, but still some administrators (or the safety representatives) have not properly rolled this out to all machines on their network.
Remember even one unpatched machine is enough to have this worm spread through the entire network. Patch management is a critical component of any IT department’s job today, and it is vitally important that it is applied in a timely fashion across ALL of the company’s machines, including laptops and other mobile devices. Companies also need to have very clear policies on patch levels of external parties who access their network (e.g. partner companies, contractors, etc). Like so many aspects of security, it only takes one hole to bring down an entire network.
Autorun malware has been a big problem over the last 6 months, and to be honest, it really should be a non-issue. Quick grab a piece of paper and a pencil. Got them? Great, ok – now in 30 seconds try to write down a single reason why your company needs to have the ability for all removable drives and network shares to automatically execute code just by viewing them. It is ok I’ll wait until you are done…didn’t come up with one, did you? Let me save you the pain of figuring out the next step – How to disable Autorun (more details here)
Lastly we have the old classic – using weak passwords. You could write a book on how to ensure users use strong passwords (in fact people already have), but to help save your hard earned money during this economic downturn, we’ve kindly made one available as part of our Safe Computing Guide. Go have a read. After all it would be nice to not have to explain to your boss that every machine in the company is infected because you had picked “123456” as the default password on all of your machines and shared drives.
To quote my favourite sportsperson Roy Keane – “Failure to Prepare, Prepare to Fail”.
Below are some of the previous reports by Trend Micro regarding this incident:
Share this article