Downadup Worm Caught with Flow Analytics

Posted in General, Scrutinizer, WebNM on January 18th, 2009 by mike@plixer.com

Overview
With several million machines now infected, identifying the Downadup worm on your network is a little easier than you might think with NetFlow.  We suggest leveraging it for more than just viewing top talkers.

While this worm is designed to change itself to elude identification by AV software, it does not change its behavior on the network.

How does it work?
The Downadup worm takes advantage of a security hole in the RPC service on Windows machines. This hole has been patched, and the patch can be obtained here. Because the patch was not rolled out via the normal Windows Update process, tens of millions of PCs remain at risk.

It Phones Home
Once infected, the machine goes out to one of 4 sites to learn its true external IP address. Once it has that, it is able to communicate with C&C (command and control) servers.

It Spreads the Disease
The first priority of the worm is to infect other hosts. It will scan your entire subnet looking for them, and the scan occurs on TCP port 445 (RPC).

How is this identified?
If you are exporting NetFlow or sFlow, Scrutinizer with Flow Analytics can catch this using its SYN scan algorithm. Once you have been alerted, you can drill into the flow view to see the addresses that have been scanned and isolate the infected hosts from the network.
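To make the detection idea concrete, here is an added example (not Scrutinizer's own algorithm, and not code from the original post) that runs a simple SYN-scan heuristic over constructed NetFlow-style records: a source that sends one-packet, SYN-only flows to TCP/445 on many distinct hosts in its subnet is flagged, while a normal file-share session is not. The record layout and the `min_targets` threshold are assumptions for the example.

```python
"""Toy SYN-scan detector over NetFlow-style records (added example)."""
from collections import defaultdict
import ipaddress

TCP = 6
SYN = 0x02  # tcp_flags bit for SYN, as in the NetFlow v5 cumulative flags field
ACK = 0x10

# Constructed sample flows: (src, dst, proto, dst_port, tcp_flags, packets, bytes)
SAMPLE_FLOWS = [
    # 10.0.1.50 sweeps its own /24 on TCP/445 with one-packet SYN-only flows
    *[("10.0.1.50", f"10.0.1.{i}", TCP, 445, SYN, 1, 48) for i in range(2, 30)],
    # normal SMB session: full handshake and data, flags SYN|FIN|PSH|ACK
    ("10.0.1.20", "10.0.1.5", TCP, 445, 0x1B, 120, 98_000),
    # ordinary web browsing, not port 445
    ("10.0.1.20", "93.184.216.34", TCP, 80, 0x1B, 40, 30_000),
    # a single unanswered SYN to 445 is not enough evidence on its own
    ("10.0.1.21", "10.0.1.9", TCP, 445, SYN, 1, 48),
]


def syn_scan_sources(flows, port=445, min_targets=10):
    """Return {src: sorted target list} for every source that sent SYN-only,
    single-packet flows to `port` on at least `min_targets` distinct hosts."""
    targets = defaultdict(set)
    for src, dst, proto, dport, flags, pkts, _ in flows:
        if proto != TCP or dport != port:
            continue
        # SYN set, ACK never set, one packet: a probe that was never answered
        if flags & SYN and not flags & ACK and pkts == 1:
            targets[src].add(dst)
    return {
        src: sorted(t, key=ipaddress.ip_address)
        for src, t in targets.items()
        if len(t) >= min_targets
    }


def in_source_subnet(src, dsts, prefix=24):
    """Fraction of scanned hosts that share the scanner's /prefix network,
    which is what a subnet sweep like Downadup's looks like."""
    net = ipaddress.ip_network(f"{src}/{prefix}", strict=False)
    return sum(ipaddress.ip_address(d) in net for d in dsts) / len(dsts)


if __name__ == "__main__":
    for src, hosts in syn_scan_sources(SAMPLE_FLOWS).items():
        print(src, len(hosts), "hosts scanned on 445,",
              f"{in_source_subnet(src, hosts):.0%} inside its /24")
```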

Monitor for the Call
The Flow Analytics Internet Threats algorithm will notify you if a machine on your network is communicating with a known C&C server.  You can also run reports in Scrutinizer to see who has accessed one of the four known addresses that provide an IP address.  Call us and we’ll get Flow Analytics installed on your server.

Michael Patterson
Founder and CEO
