W32.downadup: old-school network worm
Posted on January 12, 2009
Symantec is reporting more than 3 million Windows PCs have been infected by the self-propagating “Downadup” worm. This Symantec graphic shows infections densely saturated in the USA, Brazil, and especially India.

This is an old-school worm, folks. It’s on autopilot in the wild, searching out Windows PCs unpatched for the latest RPC-DCOM security hole. Ironically, home PC users are much better protected by Windows Auto Update than corporate PC users, who tend to be left out to dry by the methodical testing needed to make sure patches don’t break their companies’ mission-critical applications.
While home users get patched as soon as Microsoft issues a security patch, a large percentage of corporate PCs remain unpatched; the bad guys know this and have adjusted accordingly, says Alfred Huger, vice president of engineering at Symantec Security Response.
The latest version of Downadup sniffs out weak network passwords, and it also automatically infects any thumb drives connected to an infected PC. Subsequent use of that thumb drive on any other PC is like kissing someone with mono.
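The thumb-drive vector described above works, in concrete terms, through an autorun.inf file at the drive root that tells Windows to launch a program when the drive is inserted (the post does not name the mechanism; treating autorun.inf as the vector is an assumption stated here). The following is an added defender-side example, not code from the post or from Symantec: it parses a removable drive’s autorun.inf tolerantly, skipping the junk lines such files are often padded with, and reports any entry that would execute a program. Both sample files and the program name updater.exe are constructed placeholders, not indicators taken from the post.

```python
import re
from pathlib import Path

# Keys in an autorun.inf [autorun] section that make Windows run a program.
LAUNCH_KEYS = ("open", "shellexecute")
# "shell\<verb>\command" keys add a context-menu verb that runs a program.
SHELL_COMMAND_RE = re.compile(r"^shell\\[^\\]+\\command$", re.IGNORECASE)
# File types that execute code when launched from the drive root.
EXEC_EXT_RE = re.compile(r"\.(exe|dll|scr|com|bat|cmd|pif|vbs|js)\b", re.IGNORECASE)

# Constructed sample: what a legitimate autorun.inf on a USB stick usually holds.
BENIGN_AUTORUN = r"""[autorun]
icon=photos.ico
label=Holiday Photos
"""

# Constructed sample: the shape of a worm-dropped autorun.inf. The program name
# updater.exe is a placeholder, not a real indicator from the post.
SUSPICIOUS_AUTORUN = r"""[AutoRun]
; relabel the AutoPlay entry so it reads like the normal "open folder" choice
action=Open folder to view files
icon=%SystemRoot%\system32\shell32.dll,4
shellexecute=updater.exe
shell\open\command=updater.exe
"""


def parse_autorun(text):
    """Tolerant parser for the [autorun] section of an autorun.inf.

    Worm-written files often pad the section with junk lines, so anything that
    is not a key=value pair is skipped instead of aborting the parse. Keys are
    lower-cased because Windows treats them case-insensitively.
    """
    entries = {}
    in_autorun = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if in_autorun and "=" in line:
            key, _, value = line.partition("=")
            entries[key.strip().lower()] = value.strip()
    return entries


def autorun_findings(text):
    """Return the autorun.inf entries that would execute a program.

    An extra finding is added when the file also rewrites the AutoPlay 'action'
    text, since that pairing disguises the launch as a harmless folder open.
    """
    entries = parse_autorun(text)
    findings = []
    for key, value in entries.items():
        launches = key in LAUNCH_KEYS or SHELL_COMMAND_RE.match(key) is not None
        if launches and EXEC_EXT_RE.search(value):
            findings.append(f"{key}={value}")
    if findings and "action" in entries:
        findings.append(f"action text overridden: {entries['action']!r}")
    return findings


def scan_drive_root(root):
    """Read autorun.inf from a mounted drive root, if present, and report on it.

    latin-1 maps every byte to a character, so binary padding in the file does
    not stop the scan.
    """
    inf = Path(root) / "autorun.inf"
    if not inf.is_file():
        return []
    return autorun_findings(inf.read_text(encoding="latin-1"))


if __name__ == "__main__":
    for name, sample in (("benign", BENIGN_AUTORUN), ("suspicious", SUSPICIOUS_AUTORUN)):
        print(name, autorun_findings(sample) or "no launch entries")
```

Against a real stick, call scan_drive_root with the mount point (for example "E:\\" on Windows or "/media/usb" on Linux); an empty list means either no autorun.inf or one that only sets an icon and label. Disabling AutoPlay for removable media on the host closes the vector regardless of what the file says, and the check above then serves as a way to spot which sticks have been touched by an infected machine.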
“It’s a return to the days of yore,” says Huger, describing how Downadup propagates with no action required by the victim on just about any Internet-connected — and unpatched — Windows PC. “We haven’t seen many network-based worms since the big breakout” of 2002 – 2004.