Free Newsletter
Register for our Free Newsletters
Newsletter
Zones
Access Control
LeftNav
Alarms
LeftNav
Biometrics
LeftNav
Detection
LeftNav
Deutsche Zone (German Zone)
LeftNav
Education, Training and Professional Services
LeftNav
Government Programmes
LeftNav
Guarding, Equipment and Enforcement
LeftNav
Industrial Computing Security
LeftNav
IT Security
LeftNav
Physical Security
LeftNav
Surveillance
LeftNav
View All
Other Carouselweb publications
Carousel Web
Defense File
New Materials
Pro Health Zone
Pro Manufacturing Zone
Pro Security Zone
Web Lec
 
ProSecurityZone Sponsor
 
ProSecurityZone Sponsor
 
ProSecurityZone Sponsor
 
ProSecurityZone Sponsor
 
ProSecurityZone Sponsor
 
ProSecurityZone Sponsor
 
 
News

Self protecting worm makes December debut

BitDefender UK : 16 January, 2009  (Technical Article)
BitDefender warns users to regularly patch and update their operating system and protection software to prevent infection by worm which exploits features of Vista
Win32.Worm.Downadup, a worm which spreads by exploiting a vulnerability in the Windows RPC Server Service, has been detected by BitDefender. The Downloadup worm (also called Conficker or Kido) made its first appearance late November 2008, exploiting the MS08-067 vulnerability to spread unhindered in local area networks. Its purpose was to install rogue security software on infected computers.

In late December, BitDefender Labs uncovered a new version of the worm called Win32.Worm.Downadup.B. The malware features some enhancements to its characteristics, as well as the distribution routine.

The worm uses USB sticks to infect other computers. It operates by copying itself in a random folder created inside the Recycler directory. This is used by the Recycle Bin to store deleted files, and create an autorun.inf file in the root folder. The worm executes automatically if the Autorun feature is enabled.

Certain TCP functions are also patched to block access to security-related websites by filtering every address that contains certain strings. This makes it harder to remove since information about it is virtually impossible to gather from an infected computer. Additionally, it removes all access rights of the user, except execute and directory usage, to protect its files.

Antivirus detection is avoided by working with rarely used APIs (application programming interface) in order to circumvent Virtualisation technologies. The worm disables Windows updates and certain network traffic, optimising Vista features to ease distribution.

The Win32.Worm.Downadup.B malware comes with a domain name generation algorithm similar to the one found in botnets like Rustock. It composes 250 domains every day and checks some of them for updates or other files to download and install.

Commenting on this new outbreak, head of BitDefender Anti-Malware Labs, Viorel Canja said: "This malware exploits the fact that many people do not patch their systems. With its updated configuration and good protection scheme, this worm could become a rival to already established botnets like Storm or Srizbi."

Bookmark and Share
 
Home I Editor's Blog I News by Zone I News by Date I News by Category I Special Reports I Directory I Events I Advertise I Submit Your News I About Us I Guides
 
   © 2012 ProSecurityZone.com
Netgains Logo