NEWS FROM THE LAB - January 2009


Saturday, January 31, 2009

Google is Broken Posted by Mikko @ 15:15 GMT

Right now, Google does not work.

Results for any search will be labeled as "This site may harm your computer".

In which case, Google won't allow you to access any of the search results via links as they're using info from to warn people away from harmful sites.

Google Broken

We don't remember such a big worldwide outage of Google since a Mydoom variant caused an indirect DDoS on it in 2004.

Oh well.

Back to Alta Vista?

Updated to add: Google came back to life 15:26 GMT.
Updated to add: The StopBadware Blog has some additional information.
Updated to add: And here's Google's blog post.


Friday, January 30, 2009

Our Blog is 5IVE Years Old, Happy Birthday to You! Posted by Response @ 12:57 GMT

This blog's first entry was posted five years ago, January 30, 2004:

Our first post

Ours was the first antivirus blog in the industry and many others have since followed our lead.

The members of the Security Lab have always been early adopters of technology, and blogging has proved itself to be an important connection to our customers, partners, and to the security community at large. Thank you for reading and participating.

So, it's OUR "birthday", but it's YOU that can receive a present. How about some of our laptop stickers?

The first 100 people to leave us a comment here will get a set. Cheers.


Preemptive Downadup Blocklist for February Posted by Sean @ 10:33 GMT

Blog reader iautran requested us to post a new Downadup preemptive blocklist.

Thank you for the reminder sir, it's been a busy month…

Toni has generated a new list of potential domains for the month of February. The list reflects what we think to be the most common variant of Downadup in-the-wild. Click the image below to view the list.

Downadup Domain Blocklist Feb. 2009


Thursday, January 29, 2009

Remotely Exploitable Hole in Bluetooth Posted by Jarno @ 14:43 GMT

Alberto Moreno Tablado has found an interesting vulnerability in the Windows Mobile 6 OBEX FTP service in the Microsoft Bluetooth stack. The stack is used by devices such as the HTC TyTn II and similar smartphones. Devices that use Widcomm or other non-Microsoft Bluetooth stacks are not affected.

The vulnerability is a classical path traversal vulnerability: the attacker sends path information along with the file name to the Windows Mobile device, and the file is written wherever that path points in the device's file system.

In theory this could be a really serious vulnerability, as an attacker could copy a file to a location from which it would automatically start at the next boot. In practice the vulnerability is of limited use to an attacker, as it requires the victim to have paired the phone with the attacker's device before OBEX FTP can be used. So this vulnerability has quite low exploitability.
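To make the traversal concrete, here is an added Python sketch (not Tablado's research code and not Microsoft's OBEX implementation) of the naive server-side join that makes this class of bug, next to a hardened version that refuses any client-supplied name carrying path information. The inbox folder and the startup-folder target are hypothetical paths chosen for illustration; the post does not name the real locations.

```python
import ntpath

# Hypothetical OBEX FTP inbox on the device; the real default folder is
# not stated in the post.
INBOX = r"\My Documents\Bluetooth"


def unsafe_target(root, client_name):
    """Vulnerable: trusts the client-supplied name, so '..' segments walk out of root."""
    return ntpath.normpath(ntpath.join(root, client_name))


def is_safe_name(client_name):
    """A pushed object name must be a bare file name: no separators, no drive, no dot-dirs."""
    if client_name in ("", ".", ".."):
        return False
    # ntpath.basename() strips drive letters, UNC prefixes and both kinds of
    # separator, so any difference means the client smuggled in path data.
    return ntpath.basename(client_name) == client_name


def safe_target(root, client_name):
    """Hardened: reject path components, then re-check the normalized result."""
    if not is_safe_name(client_name):
        raise ValueError("refusing OBEX name with path information: %r" % client_name)
    target = ntpath.normpath(ntpath.join(root, client_name))
    # Belt and braces: the normalized path must still sit directly under root.
    if ntpath.dirname(target).lower() != ntpath.normpath(root).lower():
        raise ValueError("normalized target escaped the inbox: %r" % target)
    return target


if __name__ == "__main__":
    # Constructed traversal name; "\Windows\StartUp" stands in for "a location
    # where the application would automatically start at next boot".
    evil = r"..\..\Windows\StartUp\evil.exe"
    print(unsafe_target(INBOX, evil))        # \Windows\StartUp\evil.exe
    print(safe_target(INBOX, "report.txt"))  # \My Documents\Bluetooth\report.txt
    try:
        safe_target(INBOX, evil)
    except ValueError as err:
        print("blocked:", err)
```

The second check in safe_target looks redundant after is_safe_name, and it is; keeping it means a future change to the name filter cannot silently reopen the hole.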

The same basic caution that protects against other Bluetooth attacks also protects from this one.

Do not pair with Bluetooth devices that you do not fully trust. And if you are not using Bluetooth file sharing, disable it under the Bluetooth FTP settings in the Bluetooth connection settings.

Windows Mobile Bluetooth FTP

Note: Our thanks goes to Dawid M. for directing us to Tablado's research.


Wednesday, January 28, 2009

Do Android Phones Dream of Electric Sheep? Posted by Response @ 15:38 GMT

We've been following news during the past few days regarding a possible rogue Android application, available in the Android market.

A number of forum discussions were focusing on an application called MemoryUp, which is produced by eMobiStudio. There were reports of Android phones deleting information, sending spam to contact lists, and installing adware. All of this was supposedly done to the phone, without permission, by MemoryUp.

We did a bit of digging into the issue but couldn't verify any of the claims made about MemoryUp's maliciousness. We studied a couple of the versions that are readily available and none of them attempted to break anything on the Android platform nor did they attempt to do things other than what the application promises to do.

Google has investigated, and their spokeswoman stated: "In the versions we tested, MemoryUp cannot perform any of the malicious things it is reported to have done."

See Wired: Android App No Malware, Says Google

We agree with Google. There's nothing malicious about MemoryUp.

If you think you're one of those that has actually seen the application misbehave, please send us a comment.

Google Android

Additional links:
Android app destroying G1 users' memory?
Rogue Android App Allegedly Destroying G1 Memory, Installing Adware
MemoryUp wreaks havoc on Android phones


Tuesday, January 27, 2009

Is it Time for Internetpol? Posted by Response @ 20:49 GMT

Our recent sinkhole research on Downadup has generated some debate in our Comments.

Some readers are asking why we don't take it upon ourselves to disinfect the worms that visit our sinkholes.

Toni has provided a good answer to that question.

Putting it briefly, we are not the law, and as a publicly traded company bound by laws, we simply cannot act as vigilantes.

Why? Well, a few of the infected IP addresses that we have logged are registered to an army (or two), a navy, and a few governments. We are certain that unauthorized use would most definitely not be appreciated.

However, we do NOT sit idly by.

Each and every day we collect data from our analysis and forward it to relevant law enforcement authorities, ISPs, partners, various CERTs, et cetera.

They are the ones that have the legal authority to take action within their territories.

Still — it seems that people want a champion that can make big command decisions. Perhaps it would be a good time to bring up the idea of Internetpol again? Mikko briefly mentioned it on December 12th, it was the topic of his AVAR 2008 keynote. The idea was also mentioned in our third quarter security summary.

Do you want an organization with international legal authority to act against Internet threats?

You do? Then perhaps it's time for some kind of Internetpol…


Friday, January 23, 2009

Where is Downadup? Posted by Sean @ 17:34 GMT

Downadup infections appear to have peaked during the week.

As time passes, the number of estimated Downadup infections becomes more problematic to calculate as we are monitoring a varying number of domains. Re-infections may also be inflating the count. In any case, today seems better than the day before and we think that growth of Downadup has been curbed. Disinfection of the worm remains a challenge.

So let's look at Thursday's IP count, where are the infected computers?

Our sinkhole logged just over one million unique IP addresses yesterday. This is compared to 350,000 last Friday. Remember, there may be any number of computers sitting behind a single IP address.

China, Russia, and Brazil have the highest IP count. Combined, they account for nearly 41 percent of the total.

Only a bit over 1 percent came from the United States…

Here's the breakdown by country:

Number of IPs   Registered country of the IP
        1,723   Hong Kong
        1,803   Czech Republic
        1,906   Sri Lanka
        3,127   Bosnia and Herzegovina
        4,423   Saudi Arabia
        5,763   Republic of Macedonia
        7,857   United Kingdom
       11,779   United States (1.17%)
       39,731   South Korea
      120,197   Brazil (11.9%)
      139,934   Russia (13.9%)
      152,016   China (15.1%)


Tuesday, January 20, 2009

ISTP and F-Downadup Removal Tool Posted by Response @ 15:14 GMT

Our F-Downadup Removal Tool was updated on the 19th.

If you are working to disinfect the Downadup worm from your network, check that you have the most recent version of F-Downadup. You can compare the modification dates from our FTP server.

Our Worm:W32/Downadup.gen description is a good index of Downadup info.

Links have been added recently, such as one to Microsoft's Knowledge Base Article 962007. The KB article includes numerous details on manual disinfection. The Microsoft MSRT application was updated to scan for Downadup (alias Conficker) this month.

One important note: Downadup disables Automatic Updates, so updated versions of MSRT will need to be downloaded manually, it will not be automatically installed on infected machines.

The team members developing F-Downadup have also updated our scanning and removal engines. Internet Security 2009 and Client Security 8 (among others) use an updateable engine architecture.

…and that brings us to:

Internet Security Technology Preview

Tomi, from our Customer Involvement Team, would like to point out that the latest version of ISTP (9.10 build 129) was released on January 14th. ISTP receives signature and engine updates from our beta update channel. So, the ISTP engine architecture will use our latest removal engine, which was released to beta today.

If you would like to try ISTP, you'll find more information from here. ISTP feedback enrolls users into prize giveaways.

We recently received another batch of our very popular laptop stickers, so as a bonus, we'll pass along a stack to Tomi.

Updated to add January 21st:

Yesterday we mentioned that the latest version of our removal engine was released to our beta update channel.

There is also a beta channel update of our scanning engine planned for tomorrow (the 22nd). Those testing previous builds of ISTP will also receive this updated scanning engine.

There are a number of improved features that have been implemented and we look forward to the feedback.

F-Downadup Note: Computers infected by Downadup are blocked by the worm from reaching security vendor websites, ours included.

Our FTP server can also be reached from: and


Obama's Inaugural DDoS Event Scheduled for 11:30 EST Posted by Sean @ 12:45 GMT

What is a Distributed Denial of Service (DDoS) event?

It is different from a DDoS "attack". Some, such as Arbor Networks, have dubbed it "The Tiger Effect".

June 2008's U.S. Open Golf Championship 19-hole playoff resulted in massive traffic spikes from those seeking real-time scores and streaming video feeds.

DDoS events are moments of massive, focused interest that sometimes occur on the Internet. Demand greatly exceeds the normal load, and the result is a denial of service effect: web servers simply can't keep up when such focus points occur, and their timing is not easily predicted.

And even though DDoS events lack malicious intent, the results can often be just as painful as an attack…

Here's a recent example from two weeks ago:
Shepard Fairey's Obama Poster
   North Carolina's unemployment rate is at its highest level in 25 years, and a deluge
   of out-of-work people has strained the state's jobless systems to the breaking point.
   State [websites] have crashed twice in the past month as people apply or renew
   their employment benefits.

Listen to the full story at NPR.

That brings us to today and Barack Obama's Inauguration as the President of the USA.

We expect that The Obama Effect may well dwarf that of Tiger Woods. Worldwide interest in Obama's inauguration is very high and live streaming Web video is more readily available than ever before.

There will be very interesting data produced today. And this time researchers should be ready to observe the effect.

US Mobile operators are also preparing for today's demand on their Washington D.C. networks.

Updated to add on January 22nd:

There was a peak in video traffic and a big dip in searches during the inauguration.

Arbor Networks — The Great Obama Traffic Flood
Google — Search Findings from the U.S. Presidential Inauguration


Monday, January 19, 2009

Social Engineering Autoplay and Windows 7 Posted by Sean @ 16:44 GMT

The Downadup worm utilizes autorun.inf files to spread via removable devices such as USB drives.

Our January 7th post, When is AUTORUN.INF really an AUTORUN.INF?, provided analysis. The autorun.inf uses some tricks, such as variable size, to help avoid detection.

Bojan Zdrnja at SANS Internet Storm Center recently posted some additional analysis: Downadup attempts a social engineering trick in Windows Vista.

Downadup's autorun.inf file uses an action keyword and icon extracted from shell32.dll to produce the following:

Windows Vista, Open folder to view files

The category is "Install or run program" but the text and icon are for "Open folder to view files".

The first option will run Downadup, not good. The second "general" option is the choice that will safely open the USB drive.

Being curious, we tried this autorun.inf with Windows 7:

Windows 7, Downadup Autorun.inf

And the results for Windows 7 were the same as Vista's:

Windows 7, Open Folder to View Files

Downadup attempts to disguise the installation option as an open folder action.

We would utilize Windows 7's "Send Feedback" link, but the lab's Windows 7 system is not connected to the Internet. It's being used to test our Client Security 8 application. Client Security 8 (Internet Security 2009, and some other recent releases) can generically detect Downadup's autorun file as Worm:W32/Downaduprun.A.



Saturday, January 17, 2009

Watch Out for Fake Obama Sites Posted by Mikko @ 10:08 GMT

In the middle of all the Downadup-related activity (see below), we're seeing spam runs trying to cash in with the inauguration of Barack Obama next week.

Mails like this have been spammed around the world:

Super Obama Message

If you follow the link (not recommended), you get to a site like this:

Super Obama

All the links point to a file called speech.exe, which is a Waledec malware variant.

The site is hosted via fast fluxing all over the world.

Super Obama

There's plenty of different domains, too. We've seen at least:

   store.greatobamaguide .com
   store.superobamadirect .com
   www.greatobamaguide .com
   www.greatobamaonline .com
   www.superobamaonline .com


Friday, January 16, 2009

Calculating the Size of the Downadup Outbreak Posted by Toni @ 13:59 GMT

The number of Downadup infections is skyrocketing based on our calculations. From an estimated 2.4 million infected machines to over 8.9 million during the last four days. That's just amazing.

We've received a number of queries on just how exactly we're producing our estimates.

There's been interest from Internet operators, CERTs, and fellow antivirus researchers.

There have also been several posts to our blog comments doubting our numbers. Here are some sample quotes:
   Kitschen: Yeah right! As if you could "estimate" infection
   to a precision of 10 machines. This is just PR.
   Your "special techniques" are at best able to estimate 100000.

   wastedimage: This number looks like total guesswork.
   How did you go from ~100k ip's to 2.4 million boxes?
   I realize *some* might be nat but how many ?
   Did you just assume each ip really was some arbitrary number
   of vulnerable machines or something?
   Spreading FUD like this is incredibly unprofessional.

   wastedimage: So you're trusting the counter built into the bot itself
   which may be rigged to indicate larger numbers to entice spammers
   to pay more for its use. Sure that sounds like a solid plan.

So let us explain how we are generating the numbers.

There are several different variants of Downadup out there. The algorithm used to create the domain names varies a bit between the variants. We've been tracking the variant we believe to be most common. It creates 250 possible domains each day. We've registered some selected domains out of this pool and are monitoring the connections being made to them.

This is what the connections look like:

Downaup logs

As you can see, this is a standard httpd log showing the IP address of the machine connecting to our domain, the time stamp (the queries in the above image all come in the same second: 18:16:05 yesterday), the actual query ("GET /search?q=29 HTTP/1.0"), and the User-Agent of the machine.

These are the raw connections coming to our sinkhole systems. Millions of them every day. When we sort these connections by source, we see hundreds of thousands of unique IP addresses every day (over 350,000 today).

It's hard to tell the real number of infections since NAT boxes and proxies tend to spoil the fun and Downadup doesn't include a unique identifier within the User-Agent string for us to see.

We first tried to count unique User-Agent headers per IP address, but the results weren't very good as in a standardized corporate network, most machines have identical User-Agents.

So, with a little digging we discovered that in the /search?q=NUMBER query, the number is not random. It's basically a global variable in the code, incremented (thread-safely, through InterlockedIncrement) every time the malware has successfully exploited a machine via MS08-067. The increment is done in the httpd thread of the malware, after it has exploited a machine successfully.

So this number tells us how many other computers this machine has exploited since it was last restarted. In the above log you can see one of the machines has exploited 116 computers.

Do bear in mind that this number only shows how many machines got infected via the MS08-067 exploit. Downadup spreads at least as much via network shares and USB sticks.

We wrote a program that parses the logs, extracting the highest "q" value for each IP/User-Agent pair. These maxima are then added together to get our figures. As you can see now, they are very conservative.
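As an added illustration of that counting method (this is not the lab's own parser, which is not published here), the Python below runs the same logic over a constructed httpd log excerpt shaped like the screenshot above: keep the highest q per (IP, User-Agent) pair and sum the maxima. The log lines, addresses and user agents are made up for the example; the combined log format and the /search?q=N request shape are taken from the post.

```python
import re
from collections import defaultdict

# Constructed sinkhole log excerpt in Apache combined format, shaped like the
# screenshot in the post (same second, GET /search?q=N, MSIE user agents).
# The addresses are RFC 5737 documentation ranges, not real infected hosts.
SAMPLE_LOG = """\
192.0.2.10 - - [15/Jan/2009:18:16:05 +0000] "GET /search?q=116 HTTP/1.0" 200 - "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
192.0.2.10 - - [15/Jan/2009:18:16:05 +0000] "GET /search?q=3 HTTP/1.0" 200 - "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)"
192.0.2.10 - - [15/Jan/2009:18:16:05 +0000] "GET /search?q=120 HTTP/1.0" 200 - "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
198.51.100.7 - - [15/Jan/2009:18:16:05 +0000] "GET /search?q=0 HTTP/1.0" 200 - "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
203.0.113.42 - - [15/Jan/2009:18:16:05 +0000] "GET /search?q=7 HTTP/1.0" 200 - "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
203.0.113.42 - - [15/Jan/2009:18:16:06 +0000] "GET /favicon.ico HTTP/1.1" 404 - "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1)"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d+) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)
BEACON_RE = re.compile(r'^/search\?q=(\d+)$')


def parse_beacons(log_text):
    """Yield (ip, user_agent, q) for every Downadup-style beacon in the log.

    Lines that do not parse, or that request something other than
    /search?q=N (stray favicon fetches, scanners), are skipped.
    """
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        q = BEACON_RE.match(m.group("path"))
        if not q:
            continue
        yield m.group("ip"), m.group("ua"), int(q.group(1))


def estimate_infections(log_text):
    """Reproduce the counting method from the post.

    For each (IP, User-Agent) pair keep the highest q seen, i.e. the number
    of hosts that machine exploited via MS08-067 since its last reboot, and
    add the maxima together. The beaconing host itself is not added, and
    hosts infected over shares or USB never raise q, so the total is a
    floor, not an estimate of the true population.
    """
    peak = defaultdict(int)
    for ip, ua, q in parse_beacons(log_text):
        key = (ip, ua)
        if q > peak[key]:
            peak[key] = q
    return {
        "unique_ips": len({ip for ip, _ in peak}),
        "ip_ua_pairs": len(peak),
        "estimated_infections": sum(peak.values()),
    }


if __name__ == "__main__":
    print(estimate_infections(SAMPLE_LOG))
```

On the sample, one NAT address (192.0.2.10) carries two user agents and so counts as two machines, while a host whose q is still 0 adds nothing to the total even though it is plainly infected. Both behaviours are what make the published figure a lower bound.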

And they are showing more than 8 million infected machines right now.

The situation with Downadup is not getting better. It's getting worse.


Preemptive Blocklist and More Downadup Numbers Posted by Sean @ 12:08 GMT

We have an update on the number of infected computers.

Today's calculation is a total of 8,976,038 infections worldwide and 353,495 unique IP addresses.

That's quite a big difference compared to our last number. There will be a follow-up post coming soon to explain the methodology.

Our post last Monday provided a preemptive Downadup domain blocklist.

A new list of potential domains for January 17th to the 31st is now available. Click the image below to view the list.

Downadup Domain Blocklist 17th to 31st


Thursday, January 15, 2009

Hilton (not the hotel) Compromised Posted by Sean @ 14:50 GMT

We've been reading reports regarding the compromise of Paris Hilton, err…

A malicious IFrame was inserted on the site sometime last week. The IFrame content directed visitors to install "updated" software. Remember, if you must update an application to take advantage of a new feature, it's always advisable to go directly to the vendor's website in order to install it. (Most of our regular readers already know this of course.)

The offending IFrame appears to have been removed at this time. You can read more about the compromise here and/or here.

The infection of "Paris Hilton" highlights a popular trend among online attackers. Hacking a (trusted) name worthy site can yield many new victims. It's worth the investment of time. So there really is no such thing as a trusted site 100% of the time.

Would you like to spend the night at the Paris Hilton?

Paris Hilton, Paris


Wednesday, January 14, 2009

More Than One Million New Infections Posted by Sean @ 14:33 GMT

Our previous post calculated the worldwide Downadup infection count at approximately 2.4 million computers.

Toni Koivunen from our Response Team has once again used his special techniques to update his previous results.

Today's total infection count is an estimated 3,521,230 infections worldwide.

That's over one million new infections since yesterday (and we still consider this to be a conservative estimate).


Tuesday, January 13, 2009

How Big is Downadup? Very Big. Posted by Mikko @ 11:21 GMT

Downadup worms attempt to call home.

They do this by trying to connect to various Web addresses. And if the worm finds an active Web server at one of these domains, it will download and run a particular executable — thus giving the malware gang a free hand to do whatever they want with all of the infected machines.

They could build a large botnet for example. The framework is in place.

Normally malware uses only one or maybe a handful of websites. Such sites are generally easy to locate and shut down.

Then there is Downadup. It uses a complicated algorithm which changes daily and is based on timestamps fetched from public websites. With this algorithm, the worm generates many possible domain names every day.

Hundreds of names such as: qimkwaify .ws, mphtfrxs .net, gxjofpj .ws, imctaef .cc, and hcweu .org.

This makes it impossible and/or impractical for us good guys to shut them all down — most of them are never registered in the first place.

However, the bad guys only need to predetermine one possible domain for tomorrow, register it, and set up a website — and they then gain access to all of the infected machines. Pretty clever.

But we can play this game as well.

So we've determined the possible domains and have registered some of them for ourselves.

Which means the infected machines will also connect to us.

We could attempt to manipulate the infected machines. But of course we won't. In fact, we won't be doing anything at all to them – not even disinfect them – as that could be seen as "unauthorized use". That is illegal, at least in many jurisdictions. (Doing something without being asked is also a very large ethical question…) Look but don't touch is the golden rule.

But this looking and listening does gain us a unique visibility inside and we can see just how large the number of infected machines is.

Right now, we're seeing hundreds of thousands of unique IP addresses connecting to the domains we've registered.

A very large part of that traffic is coming from corporate networks, through firewalls, proxies, and NAT routers. Meaning that one unique IP address that we see could very well be 2,000 infected workstations in real life.

Toni Koivunen from our Response Team has used some additional tricks to come up with an estimate on just how many infected machines there really are.

Toni's final count is: 2,395,963 infections worldwide. This figure is conservative; the real number is certainly higher.

It would make for one big badass botnet.

And where in the world are these infections? We're glad you asked. We resolved the IPs to countries and here are the results.

Number of IPs   Registered country of the IP
        3,958   United States
        2,518   Europe (resolved to EU)
        1,789   United Kingdom
        1,544   Saudi Arabia

These are the raw unique IPs; you could think of this as China having 38,277 infected companies, not persons.

Monday, January 12, 2009

Preemptive Downadup Domain Blocklist, Jan. 13-16 Posted by Sean @ 15:06 GMT

Downadup variants use algorithmically determined URLs to report back to the bad guys.

Reverse engineering the worm's code provides us with the method to predict which domains may be used in the future.

Today's preemptive blocklist includes an additional 1,000 URLs that WILL BE used by the Downadup from the 13th to the 16th.

Network administrators can use this list as a preventive measure.
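The January 13th post above explains why a daily domain generation algorithm defeats takedowns, and the January 16th post gives the figure of 250 domains per day; this preemptive list is the defender's side of the same coin. Here is an added Python illustration of that idea. It is not F-Secure's code and deliberately not Downadup's real algorithm (which the posts do not reproduce): the seed is simply a hash of the calendar date, the PRNG is a small LCG, and the TLD set merely echoes the examples quoted in the posts. What it does show is the property that matters, namely that anyone holding the algorithm and the date, attacker or defender, computes the identical list, and that four days of output is the 1,000 entries this post describes.

```python
import datetime as dt
import hashlib

# Illustrative parameters. The TLD set echoes the examples quoted in the
# posts (.ws, .net, .cc, .org) but is NOT Downadup's real list, and the
# generator below is a stand-in, not the worm's algorithm.
TLDS = (".com", ".net", ".org", ".info", ".biz", ".ws", ".cc", ".cn")
DOMAINS_PER_DAY = 250   # the figure the January 16th post gives for the tracked variant


class _Lcg:
    """Tiny 32-bit linear congruential generator: deterministic on every platform."""
    def __init__(self, seed):
        self.state = seed & 0xFFFFFFFF

    def below(self, n):
        self.state = (1664525 * self.state + 1013904223) & 0xFFFFFFFF
        return (self.state >> 16) % n


def day_seed(day_iso):
    """Seed derived only from the calendar date.

    The real worm takes the date from timestamps served by public websites
    (per the January 13th post); here the ISO date is simply hashed. Anyone
    who knows the algorithm and the date gets the same seed, which is
    exactly what makes a preemptive list possible.
    """
    day = dt.date.fromisoformat(day_iso)
    digest = hashlib.sha256(day.isoformat().encode("ascii")).digest()
    return int.from_bytes(digest[:4], "big")


def domains_for_day(day_iso, count=DOMAINS_PER_DAY):
    """The day's candidate rendezvous domains, unique, in generation order."""
    rng = _Lcg(day_seed(day_iso))
    names, seen = [], set()
    while len(names) < count:
        length = 5 + rng.below(7)                       # 5..11 letters
        label = "".join(chr(ord("a") + rng.below(26)) for _ in range(length))
        name = label + TLDS[rng.below(len(TLDS))]
        if name not in seen:                            # keep the day's list unique
            seen.add(name)
            names.append(name)
    return names


def blocklist(start_iso, end_iso):
    """Domains for every day from start to end inclusive, keyed by ISO date."""
    day = dt.date.fromisoformat(start_iso)
    end = dt.date.fromisoformat(end_iso)
    out = {}
    while day <= end:
        out[day.isoformat()] = domains_for_day(day.isoformat())
        day += dt.timedelta(days=1)
    return out


def defang(name):
    """Write a domain the way the posts do ('qimkwaify .ws') so it is not clickable."""
    label, tld = name.rsplit(".", 1)
    return "%s .%s" % (label, tld)


if __name__ == "__main__":
    for day_iso, names in blocklist("2009-01-13", "2009-01-16").items():
        print(day_iso, len(names), "domains, e.g.", ", ".join(map(defang, names[:3])))
```

The registration trick in the January 13th post follows directly: pick any name from tomorrow's list, register it today, and the worm walks in. A defender who feeds the same list to a DNS or proxy blocklist denies that rendezvous for every infected host behind it.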

Click the image below to view the list:

Downadup Domain Blocklist for January 13-16


Friday, January 9, 2009

Downadup Blocklist Posted by Sean @ 14:41 GMT

Our post on Tuesday included a list of domains used by the Downadup worm.

Today's list includes 1,500 additional sites used by the worm. Click the image below to view the list:

Downadup Domain Blocklist


Thursday, January 8, 2009

MS08-067 Worm, Downadup/Conficker Posted by Sean @ 19:49 GMT

Tuesday's post refers to Downadup/Conficker as an MS08-067 worm variant. What do we mean by that?

Downadup and other such similar worms exploit a vulnerability in the Windows Server service.

Server Service Vulnerability — CVE-2008-4250.

The vulnerability is detailed by October 23rd's Microsoft Security Bulletin MS08-067.

There are a few important notes to be made about this particular Security Bulletin…

First — It was an out-of-band update.

MS08-067 Oct23 Out-of-Band

Second — It was given an "Exploitability Index Assessment" of "1 – Consistent exploit code likely".

That kind of speaks for itself, doesn't it?

Third — It allows for Remote Code Execution, in numerous versions of Windows (particularly critical for 2000, XP, and Server 2003).

MS08-067 Remote Code Execution

All of these combined factors equals something quite serious that should be patched as soon as possible. If you are having difficulties with Automatic Updates, the bulletin links to manual downloads.

Security Update for Windows XP
Security Update for Windows Server 2003

It's always a good idea to be ready for out-of-band updates. You can subscribe to Microsoft Security Notifications here.

Downadup has "old school" worm functionality (no user interaction required), the likes of which we haven't really seen for a while now. It also knows some current tricks; it's a worm that spreads via the Internet, local area networks, and removable media. While it doesn't seem to be gaining very much traction on the Internet, it's rapidly spreading once it's inside of local area networks that aren't patched.

If you're a network administrator, a proactive scan for vulnerable machines may be well worth your time.

Make sure that your antivirus software is up-to-date and disable Autoplay *and* Autorun functionality if possible. Downadup spreads itself via Network Shares and Removable Storage Devices such as USB memory. Downadup also attempts to brute-force account passwords so make sure that your administrator accounts are secure and use strict passwords.

Alright, that covers prevention; what about those of you that have infected computers within your networks?

Remember, Downadup is a network worm.

You must clean all of the computers within your network or else you risk reinfections. Servers first, then workstations. Disinfect, then use the manual Microsoft update to patch, then manually update your antivirus, and then do a full system scan for all files.

Downadup uses random extensions for some of its components so you'll need to scan all file types on the system once you have disinfected.

If you use one of our Anti-Virus products, you can download our manual updates from here.

We have a disinfection tool that may assist in your efforts. It can be downloaded from here. It's a command line utility and you should carefully review the included readme.txt file.

Updated Note: Downadup disables connectivity to a large number of security sites, update channels, as well as Microsoft Updates. You should confirm that these connections are reestablished once the computer is clean.

Our Downadup.AL description provides additional details.


Wednesday, January 7, 2009

When is AUTORUN.INF really an AUTORUN.INF? Posted by Mikko @ 12:52 GMT

In addition to everything else, Downadup is also a USB worm.

USB worms work by creating a file called AUTORUN.INF on the root of USB drives. These INF files then use Autorun or Autoplay (not the same thing!) to execute themselves either when the stick is inserted, or more commonly, when the user double-clicks on the USB drive icon from My Computer (Windows Explorer).

Removable USB Drive

Such malicious AUTORUN.INF files are easy to spot. Here's what they typically look like:

Typical Autorun.INF

But Downadup does not create files such as this. What it drops on USB drives are AUTORUN.INF files that look like this:

Downadup Autorun.INF

So, that's binary garbage. Won't work. Right?

Look closer.

Downadup Autorun.INF

The noteworthy text is found somewhere around the middle of this 90kB file. At the bottom of the screenshot. See it?

Open=RUNDLL32.EXE .\RECYCLER\jwgvsq.vmx

…which would execute a DLL called jwgvsq.vmx from a hidden folder on the USB drive.

The rest of the binary junk is treated as comments and ignored by Windows. And of course, the file size and the amount of binary junk are different every time.
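Signature matching on a file like this is hopeless, which is the point of the trick, but the keys that decide what Windows actually runs or shows are still plain key=value lines. The Python below is an added example (not F-Secure's Downaduprun detection, whose logic is not published here) of a junk-tolerant AUTORUN.INF scanner. It pulls the Open=, Action= and Icon= lines out of a constructed stand-in built the way the screenshots describe, flags the RUNDLL32/RECYCLER launch line from this post together with the "Open folder to view files" Action/shell32.dll Icon combination from the January 19th post, and measures how much of the file is non-text padding. The padding bytes and the Action/Icon values are constructed for the example; only the Open= line is quoted from the post.

```python
import re

# Constructed stand-in for a Downadup-style AUTORUN.INF: the three lines
# that matter are buried in non-text padding, as in the screenshots. The
# Open= line is the one quoted in the post; the Action= and Icon= lines
# mirror the Autoplay social-engineering trick described for Vista and 7.
_JUNK = bytes(range(0x80, 0x100)) * 40           # ~5 kB of "binary garbage"
SAMPLE_DOWNADUP = (
    _JUNK + b"\r\n[autorun]\r\n" + _JUNK + b"\r\n\x81\x82=\x83\x84\r\n"
    + b"Action=Open folder to view files\r\n" + _JUNK
    + b"\r\nIcon=%systemroot%\\system32\\shell32.dll,4\r\n" + _JUNK
    + b"\r\nOpen=RUNDLL32.EXE .\\RECYCLER\\jwgvsq.vmx\r\n" + _JUNK
)
# A plain installer-CD style file for comparison (constructed).
SAMPLE_BENIGN = b"[autorun]\r\nopen=setup.exe\r\nicon=setup.exe,0\r\n"

# Keys that decide what Windows runs or shows; matched at the start of a
# line, case-insensitively, whatever bytes surround that line.
KEY_RE = re.compile(rb"(?im)^[ \t]*(open|shellexecute|action|icon|label)[ \t]*=[ \t]*([^\r\n]*)")


def parse_autorun(blob):
    """Return {key: value} for the first occurrence of each interesting key."""
    found = {}
    for key, value in KEY_RE.findall(blob):
        key = key.decode("ascii").lower()
        if key not in found:
            found[key] = value.decode("latin-1").strip()
    return found


def junk_ratio(blob):
    """Fraction of bytes that are neither printable ASCII nor whitespace."""
    if not blob:
        return 0.0
    text = sum(1 for b in blob if 0x20 <= b < 0x7F or b in (0x09, 0x0A, 0x0D))
    return 1.0 - text / len(blob)


def assess_autorun(blob):
    """Human-readable reasons this AUTORUN.INF looks like a worm dropper (empty if none)."""
    keys = parse_autorun(blob)
    findings = []
    launcher = keys.get("open") or keys.get("shellexecute") or ""
    if re.search(r"rundll32", launcher, re.I):
        findings.append("launch line runs a DLL through RUNDLL32.EXE: " + launcher)
    if re.search(r"(^|\\)recycler\\", launcher, re.I):
        findings.append("payload lives in a RECYCLER folder on the drive")
    if "open folder" in keys.get("action", "").lower():
        findings.append("Action= text imitates the built-in 'Open folder to view files' choice")
    if "shell32.dll" in keys.get("icon", "").lower():
        findings.append("Icon= borrows a stock Windows icon from shell32.dll")
    ratio = junk_ratio(blob)
    if ratio > 0.5:
        findings.append("%.0f%% of the file is non-text padding (variable-size junk trick)" % (ratio * 100))
    return findings


if __name__ == "__main__":
    for name, blob in (("downadup-style", SAMPLE_DOWNADUP), ("benign", SAMPLE_BENIGN)):
        print(name, parse_autorun(blob))
        for finding in assess_autorun(blob) or ["nothing suspicious"]:
            print("  -", finding)
```

Two of the five findings (the Action text and the shell32.dll icon) are exactly what the Vista and Windows 7 dialogs show the user, so a scanner that stops at Open= misses half of the deception; a benign installer disc produces no findings at all.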

Nice trick.


Tuesday, January 6, 2009

MS08-067 Worms Posted by Mikko @ 18:15 GMT

Over the last days, we've received reports of corporate networks getting infected with various variants of MS08-067 worms. These are mostly Downadup/Conficker variants.

The malware uses server-side polymorphism and ACL modification to make network disinfection particularly difficult. One sign of infection is that user accounts become locked out of an Active Directory domain: the worm attempts to crack account passwords using a built-in dictionary, and the repeated failed logons trip the lockout policy.

We have detailed information about the malware functionality in our Downadup.AL description.

We also have a separate tool available to assist in disinfecting. The tool is available from here.

We also recommend system administrators to block access to web sites used by the worm. The sites keep changing, but the current domains to block are:

We'll update this list as needed.

Update: Additional details can be found here.


Monday, January 5, 2009

Flashy Botnet is Flashy Posted by Mikko @ 16:56 GMT

We did some co-operation recently with a company called Clarified Networks. Some of you might remember them as the guys who did the *wow* visualization of the Kaminsky DNS hole for his Black Hat presentation.

So we collected some botnet data and asked them to visualize it.

Clarified Networks

The end result is a quite nice animation.

You can get more info and the actual end result from their blog at