
Security Policy for Dummies - how to avoid WORM_DOWNAD infection | TrendLabs | Malware Bl...

Jan 16
Security Policy for Dummies - how to avoid WORM_DOWNAD infection
by Robert McArdle (Threats Analyst)

Quite a few security websites and media outlets have reported on the current wave of WORM_DOWNAD.AD detections over the last few weeks, and last weekend seemed to be a busy time for the worm, which infected a considerable number of machines.

What’s noteworthy about this particular beastie is not only the scale of the infections (some estimates put it at over 8 million infected machines), but also the propagation techniques - a three-pronged attack designed to exploit weak company security policies.

Firstly, WORM_DOWNAD.AD sends exploit packets for the recent Microsoft Server Service Vulnerability to every machine on the network, and to several randomly selected targets over the Internet. This vulnerability allows remote code execution for an attacker, and affects just about every version of Windows since Windows 2000.

For its next trick, WORM_DOWNAD.AD drops a copy of itself in the Recycler folder (Recycle Bin) of all available removable and network drives. Next it creates an obfuscated autorun.inf file on these drives, so that the worm is executed simply by browsing to the network folder or removable drive (the user does not need to actually click on the file). A sign of infection can sometimes be seen in Windows Explorer, where the removable drives are shown with the folder icon instead of the usual drive icon.

And then comes the icing on the cake - it first enumerates the available servers on the network and then, using this information, it gathers a list of user accounts on these machines. Finally it runs a dictionary attack against these accounts using a predefined password list (more details here). If successful (and a scary amount of the time people’s passwords are that bad), it drops a copy of itself on their system and uses a scheduled task, also known as an AT job, to execute the worm.

So why is this worm so successful? Simple - poor security policies.

The first propagation technique is really exploiting poor patch management. A patch for this vulnerability has been available since late last year, but still some administrators (or those responsible for security) have not properly rolled it out to all machines on their network.

Remember, even one unpatched machine is enough to have this worm spread through the entire network. Patch management is a critical component of any IT department’s job today, and it is vitally important that it is applied in a timely fashion across ALL of the company’s machines, including laptops and other mobile devices. Companies also need to have very clear policies on patch levels of external parties who access their network (e.g. partner companies, contractors, etc.). Like so many aspects of security, it only takes one hole to bring down an entire network.

Autorun malware has been a big problem over the last 6 months, and to be honest, it really should be a non-issue. Quick, grab a piece of paper and a pencil. Got them? Great, ok - now in 30 seconds try to write down a single reason why your company needs to have the ability for all removable drives and network shares to automatically execute code just by viewing them. It’s OK, I’ll wait until you are done… didn’t come up with one, did you? Let me save you the pain of figuring out the next step - How to disable Autorun (more details here).

Lastly we have the old classic - using weak passwords. You could write a book on how to ensure users use strong passwords (in fact people already have), but to help save your hard-earned money during this economic downturn, we’ve kindly made one available as part of our Safe Computing Guide. Go have a read. After all, it would be nice to not have to explain to your boss that every machine in the company is infected because you picked “123456” as the default password on all of your machines and shared drives.
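As an added example (not part of the original post or of any Trend Micro tool), the following PowerShell script checks a single Windows host against the three policy points above: the MS08-067 patch, AutoRun, and a minimum password length. It assumes local administrator rights, that KB958644 is the Microsoft update for MS08-067, and that the 12-character minimum is your own policy value; the drive and AT-job checks look for the infection indicators the post describes rather than cleaning anything.

```powershell
# Added example: per-host audit/hardening for the three policy points in the post.
# Assumptions: Windows with PowerShell 2.0 or later, run as local administrator.
$report = @{}

# 1. Patch management: KB958644 is the update that fixes MS08-067 (Server Service).
$fix = Get-HotFix -Id KB958644 -ErrorAction SilentlyContinue
$report['MS08-067 patched'] = [bool]$fix

# 2. AutoRun: NoDriveTypeAutoRun = 0xFF disables AutoRun for every drive type,
#    including removable media and mapped network drives.
$key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
Set-ItemProperty -Path $key -Name NoDriveTypeAutoRun -Value 0xFF -Type DWord
$report['AutoRun disabled'] = ((Get-ItemProperty $key).NoDriveTypeAutoRun -eq 0xFF)

# Infection indicators from the post: an autorun.inf in the root of a removable
# (DriveType 2) or network (DriveType 4) drive, or a RECYCLER folder on such media.
$suspect = foreach ($d in Get-WmiObject Win32_LogicalDisk |
                   Where-Object { @(2, 4) -contains $_.DriveType }) {
    $root = $d.DeviceID + '\'
    foreach ($name in 'autorun.inf', 'RECYCLER') {
        $path = Join-Path $root $name
        if (Test-Path $path) { $path }   # Test-Path also sees hidden files
    }
}
$report['Suspicious drive items'] = @($suspect)

# AT jobs (the scheduling mechanism the post names) are exposed as Win32_ScheduledJob.
# On a workstation that uses none, any entry deserves a closer look.
$report['AT jobs'] = @(Get-WmiObject Win32_ScheduledJob |
                       Select-Object -ExpandProperty Command)

# 3. Weak passwords: enforce a minimum length for local accounts (assumed policy value).
net accounts /minpwlen:12 | Out-Null
$report['Min password length set'] = $true

$report.GetEnumerator() | Sort-Object Name | Format-Table -AutoSize
```

Run it from an elevated PowerShell prompt; a `False` for the patch entry, any suspicious drive item, or an unexpected AT job is the cue to pull the machine off the network and investigate.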

To quote my favourite sportsperson Roy Keane - “Failure to Prepare, Prepare to Fail”.

Below are some of the previous reports by Trend Micro regarding this incident:

- MS08-067 Vulnerability: Botnets Reloaded
- DOWNAD: Gearing Up For A Botnet
- Security in Recession


This entry was posted on Friday, January 16th, 2009 at 12:14 pm and is filed under Malware, Security. You can leave a response, or trackback from your own site.

8 Responses to “Security Policy for Dummies - how to avoid WORM_DOWNAD infection”

1. Turn off Autoplay (Stäng av Autoplay) | jobbdator.se Says:
January 17th, 2009 at 6:00 am

[...] the Trend Labs Malware Blog writes about a virus, WORM_DOWNAD.AD, which is a so-called “worm” (that would be “mask” in [...]

2. Trend Blog - Good Corporate Security Policies can prevent Conficker infections - Harry Waldron - Corporate and Home Security Says:
January 19th, 2009 at 1:17 pm

[...] passwords Trend Blog - Good Corporate Security Policies can prevent Conficker infections
http://blog.trendmicro.com/security-policy-for-dummies-how-to-avoid-worm_downad-infection/ Only published comments… Jan
19 2009, 04:15 PM by Harry [...]

3. security4all (Security4all) Says:
January 19th, 2009 at 9:48 pm

Trend blog: Security Policy for Dummies - how to avoid WORM_DOWNAD infection http://bit.ly/CNkBx

4. scaryBITS » Blog Archive » Worm: Conficker alias Downadup Says:
January 20th, 2009 at 6:14 am

[...] TrendLabs points out a further propagation method. Once the worm has penetrated an environment, [...]

5. New Virus Infects 9 Million computers in a week - Spreads via Internet and USB - Privacy and Identity Theft Says:
January 20th, 2009 at 10:57 am

[...] drive, hard drive or CD-ROM. In fact, Autorun worms are some of the fastest spreading threats, with Trend Micro reporting
over 58 Million computers infected with Autorun worms in [...]

6. MS08-067 Conficker Mitigation - Resources from Microsoft - Harry Waldron - Corporate and Home Security Says:
January 20th, 2009 at 3:28 pm

[...] passwords Trend Blog - Good Corporate Security Policies can prevent Conficker infections
http://blog.trendmicro.com/security-policy…wnad-infection/ An estimated 33% of users are not up-to-date on security patches, as
noted in the Computerworld [...]

7. Conficker, the perfect storm worm (Conficker, il worm della tempesta perfetta) | Sir Arthur's Den Says:
January 23rd, 2009 at 9:08 am

[...] an element attacked by the security enterprise Trend Micro, which together with many others has devoted and continues to devote ample space to the problem. And here we are not only talking about useless passwords but also about the [...]

8. Conficker, the perfect storm worm | Sir Arthur's Den Says:
January 23rd, 2009 at 9:42 am

[...] an element heavily blamed by the security enterprise Trend Micro that together with many others has given and continues to give full coverage to the problem. And here we aren’t only talking about [...]

© Copyright 2009 Trend Micro Inc. All rights reserved.