
Symantec delivers worm warning

By Staff Writer, ITWeb
Johannesburg, 25 Mar 2009

Symantec has released a report on its latest research into the Downadup worm, which is cited as one of the most widespread threats to hit the Internet.

Symantec says the Downadup worm is a complex piece of malicious code that is able to jump certain network hurdles, hide in the shadows of network traffic, and defend itself against attack with a deftness not often seen in today's threat landscape.

According to Symantec, the roots of the worm can be traced back to mid-October last year, when Symantec started to receive reports of targeted attacks taking advantage of an as-yet-unknown vulnerability in Windows' remote procedure call service.

Microsoft quickly released an out-of-band security patch (MS08-067), going as far as to classify the update as critical for some operating systems, the highest designation for a Microsoft Security Bulletin.

The Symantec report says it wasn't until late November that W32.Downadup (also called Conficker) appeared. The infection numbers for W32.Downadup steadily began to rise. It took advantage of Universal Plug and Play to pass through routers and gateways, and when the network proved too secure, it used a rather clever AutoPlay trick to get users to execute it from removable drives.

Symantec adds that the threat even protected itself from takeover and was able to update itself or receive additional files for execution. However, Symantec notes that infection rates began to decline in mid-February, as news of the threat spread and network administrators who had not applied MS08-067 scrambled to protect their networks.

According to Symantec, all was quiet on the Downadup front until early March, when W32.Downadup.C began to appear on previously infected Downadup computers. Symantec says this is an update of the worm that it's keeping an eye on. Where previous versions generated a list of 250 daily domains, this one created 50 000.
