Security Policy for Dummies - how to avoid WORM_DOWNAD infection | TrendLabs | Malware Bl...

Page 1 of 4
Botnet Exploits Hacked Sites Malicious Sites Malware Microsoft News Pharming Phishing Security Spam Vulnerabilities

Jan16 Security Policy for Dummies - how to avoid WORM_DOWNAD infection
by Robert McArdle (Threats Analyst)

Quite a few security websites and media outlets have reported on the current wave of WORM_DOWNAD.AD detections over the last few weeks. And last weekend seemed to be a busy time for the worm infecting a considerable number of machines. What’s noteworthy about this particular beastie is not only the scale of the infections (some estimates put it at over 8 million infected machines), but also the propagation techniques - a 3 pronged attack designed to exploit weak company security policies. Firstly WORM_DOWNAD.AD sends exploit packets for the recent Microsoft Server Service Vulnerability to every machine on the network, and to several randomly selected targets over the Internet. This vulnerability allows remote code execution for an attacker, and effects just about every version of Windows since Windows 2000. For its next trick WORM_DOWNAD.AD drops a copy of itself in the Recycler folder (Recycle Bin) of all available removable and network drives. Next it creates an obfuscated autorun.inf file on these drives, so that the worm is executed simply by browsing to the network folder or removable drive (the user does not need to actually click on the file). A sign for the infection can be sometimes seen in Windows Explorer when the removable drives are shown with the folder icon instead of the usual drive icon. And then comes the icing on the cake - It first enumerates the available servers on the network and then, using this information, it gathers a list of user accounts on these machines. Finally it runs a dictionary attack against these accounts using a predefined password list (more details here). If successful (and a scary amount of the time peoples passwords are that bad), it drops a copy of itself on their system and uses a scheduled task, also known as an AT job, to execute the worm. So why is this worm so successful? Simple - poor security policies. The first propagation technique is really exploiting poor patch management. A patch for this vulnerability has been available since late last year, but still some administrators (or the safety representatives) have not properly rolled this out to all machines on their network. Remember even one unpatched machine is enough to have this worm spread through the entire network. Patch management is a critical component of any IT department’s job today, and it is vitally important that it is applied in a timely fashion across ALL of the company’s machines, including laptops and other mobile devices. Companies also need to have very clear policies on patch levels of external parties who access their network (e.g. partner companies, contractors, etc). Like so many aspects of security, it only takes one hole to bring down an entire network.

http://blog.trendmicro.com/security-policy-for-dummies-how-to-avoid-worm_downad-infection/

2/3/2009

Security Policy for Dummies - how to avoid WORM_DOWNAD infection | TrendLabs | Malware Bl... Page 2 of 4
Autorun malware has been a big problem over the last 6 months, and to be honest, it really should be a non-issue. Quick grab a piece of paper and a pencil. Got them? Great, ok - now in 30 seconds try to write down a single reason why your company needs to have the ability for all removable drives and network shares to automatically execute code just by viewing them. It is ok I’ll wait until you are done…didn’t come up with one, did you? Let me save you the pain of figuring out the next step - How to disable Autorun (more details here) Lastly we have the old classic - using weak passwords. You could write a book on how to ensure users use strong passwords (in fact people already have), but to help save your hard earned money during this economic downturn, we’ve kindly made one available as part of our Safe Computing Guide. Go have a read. After all it would be nice to not have to explain to your boss that every machine in the company is infected because you had picked “123456″ as the default password on all of your machines and shared drives. To quote my favourite sportsperson Roy Keane - “Failure to Prepare, Prepare to Fail”. Below are some of the previous reports by Trend Micro regarding this incident: MS08-067 Vulnerability: Botnets Reloaded DOWNAD: Gearing Up For A Botnet Security in Recession ShareThis If you're new here, you may want to subscribe to our RSS feed. Thanks for visiting!

This entry was posted on Friday, January 16th, 2009 at 12:14 pm and is filed under Malware, Security . You can leave a response, or trackback from your own site.

8 Responses to “Security Policy for Dummies - how to avoid WORM_DOWNAD infection”
1. Stäng av Autoplay | jobbdator.se Says:
January 17th, 2009 at 6:00 am

[...] Trend Labs Malware Blog skriver man om ett virus WORM_DOWNAD.AD som är en sk “worm” (blir väl mask på [...] 2. Trend Blog - Good Corporate Security Policies can prevent Conficker infections - Harry Waldron - Corporate and Home Security Says:
January 19th, 2009 at 1:17 pm

[...] passwords Trend Blog - Good Corporate Security Policies can prevent Conficker infections http://blog.trendmicro.com/security-policy-for-dummies-how-to-avoid-worm_downad-infection/ Only published comments… Jan 19 2009, 04:15 PM by Harry [...] 3. security4all (Security4all) Says:
January 19th, 2009 at 9:48 pm

Trend blog: Security Policy for Dummies - how to avoid WORM_DOWNAD infection http://bit.ly/CNkBx 4. scaryBITS » Blog Archive » Wurm: Conficker alias Downadup Says:
January 20th, 2009 at 6:14 am

[...] TrendLabs weist auf eine weitere Verbreitungsmethode hin. Nachdem der Wurm in eine Umgebung eingedrungen ist, [...] 5. New Virus Infects 9 Million computers in a week - Spreads via Internet and USB - Privacy and Identity Theft Says:
January 20th, 2009 at 10:57 am

[...] drive, hard drive or CD-ROM. In fact, Autorun worms are some of the fastest spreading threats, with Trend Micro reporting over 58 Million computers infected with Autorun worms in [...] 6. MS08-067 Conficker Mitigation - Resources from Microsoft - Harry Waldron - Corporate and Home Security Says:
January 20th, 2009 at 3:28 pm

[...] passwords Trend Blog - Good Corporate Security Policies can prevent Conficker infections http://blog.trendmicro.com/security-policy…wnad-infection/ An estimated 33% of users are not up-to-date on security patches, as noted in the Computerworld [...] 7. Conficker, il worm della tempesta perfetta | Sir Arthur's Den Says:
January 23rd, 2009 at 9:08 am

http://blog.trendmicro.com/security-policy-for-dummies-how-to-avoid-worm_downad-infection/

2/3/2009

Security Policy for Dummies - how to avoid WORM_DOWNAD infection | TrendLabs | Malware Bl... Page 3 of 4
[...] un elemento contro cui si è scagliata la security enterprise Trend Micro che assieme a molte altre ha dedicato e sta dedicando ampio spazio al problema. E qui non si parla solo di password inutili ma anche del [...] 8. Conficker, the perfect storm worm | Sir Arthur's Den Says:
January 23rd, 2009 at 9:42 am

[...] an element heavily blamed by the security enterprise Trend Micro that together with many others ha given and continues to give full coverage to the problem. And here we aren’t only talking about [...]

Leave a Reply
You must be logged in to post a comment. Fake Obama News Sites Abound Don’t be Fooled by Obama Inauguration Scams

Recent Posts
Google Video Searches Being Poisoned Embassy Site Attack Reveals Other Compromised Sites Just Got Unlucky: Part 3 WALEDAC Loves (to Spam) You! Mali Goverment Site Compromised, Used for Phishing

Subscribe by email
Enter your email address:
nawazma@saptco.com.sa Subscribe

Calendar
February 2009 M T W T F S S 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 « Jan

Blogroll
Digg / Security Google Online Security Blog Internet Security Zone Blog Malware Help.org Newsvine: Malware SANS Internet Storm Center Secunia - Security Watchdog STAT Blog StopBadware.org: Blog Sunbelt Blog Threat Level Washington Post Security Fix Websense Security Labs Blog

Links
http://blog.trendmicro.com/security-policy-for-dummies-how-to-avoid-worm_downad-infection/ 2/3/2009

Security Policy for Dummies - how to avoid WORM_DOWNAD infection | TrendLabs | Malware Bl... Page 4 of 4
.TrendWatch. Free Online Virus Scan Global Malware Map Hijack This™ Rootkit Buster RUBotted? Submit Suspicious files Trend Micro Web Protection Add-On

Recently Tweeted
Google Video Searches Being Poisoned (1) New Year Ushers in New Waves of Hacktivism (2) Embassy Site Attack Reveals Other Compromised Sites (2) Mac Trojan Hidden Beneath Pirated iWork '09 (6) Fake Brazilian Government Site Leads to Info-Stealers (2)

TwitterCounter

TrendWatch Free Online Virus Scan Global Malware Map

Hijack This Web Protection Add-On Rootkit Buster Submit Suspicious Files RUBotted? Trend Micro

© Copyright 2009 Trend Micro Inc. All rights reserved. Legal Notice

http://blog.trendmicro.com/security-policy-for-dummies-how-to-avoid-worm_downad-infection/

2/3/2009

Sign up to vote on this title
UsefulNot useful