With several million machines now infected, identifying the Downadup worm on your network with NetFlow is a little easier than you might think. We suggest leveraging NetFlow for more than just viewing top talkers.

While this worm is designed to change itself to elude identification by AV software, it does not change its behavior on the network.

How does it work?
The Downadup worm takes advantage of a security hole in the RPC service on Windows machines. This hole has been patched, and the patch can be obtained here. Because the patch was not rolled out via normal Windows Update, tens of millions of PCs have been left at risk.

It Phones Home
Once infected, the machine goes out to one of four sites to learn its true external IP address. Once it has that, it is able to communicate with C&C (command and control) servers.

It Spreads the Disease
The first priority of the worm is to infect other hosts. It will try to scan your entire subnet for other hosts. The scan will occur on TCP port 445 (RPC).

How is this identified?
If you are exporting NetFlow or sFlow, Scrutinizer with Flow Analytics can catch this using its SYN scan algorithm. Once you have been alerted, you can drill into the flow view to see the addresses that have been scanned and isolate the infected hosts from the network.

Monitor for the Call
The Flow Analytics Internet Threats algorithm will notify you if a machine on your network is communicating with a known C&C server.  You can also run reports in Scrutinizer to see who has accessed one of the four known addresses that provide an IP address.  Call us and we’ll get Flow Analytics installed on your server.
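To show what the two checks described above (the SYN scan on TCP/445 and the call out to one of the IP-lookup addresses) look like against raw flow records, here is an added example in Python. It is not Scrutinizer or Flow Analytics code; it works over constructed NetFlow-style CSV records, assumes a monitored subnet of 10.1.1.0/24, a threshold of 10 distinct targets, and uses documentation addresses as stand-ins for the four lookup sites, which the post does not name. The SYN-only heuristic (SYN set, ACK never seen in the flow's cumulative flags field) is the usual basis for a flow-based SYN scan detector.

```python
"""Flow-based detection of Downadup-style behaviour on a subnet.

Added example, not vendor code. Flow records, thresholds, the local subnet
and the watchlist are all constructed for the demonstration.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

LOCAL_NET = ip_network("10.1.1.0/24")   # assumed monitored subnet
SYN, ACK = 0x02, 0x10                    # TCP flag bits in the flow's cumulative tcp_flags field
# Constructed placeholders (RFC 5737 documentation addresses) standing in for the
# external IP-lookup sites an infected host contacts before talking to C&C.
WATCHLIST = {"192.0.2.10", "198.51.100.7"}


def build_sample_flows():
    """Constructed NetFlow-style records, one per line:
    src,dst,dport,proto,tcp_flags,packets,bytes"""
    lines = []
    # 10.1.1.50 sends single-packet SYN-only flows to 40 neighbours on TCP/445: a SYN scan.
    for host in range(1, 41):
        lines.append(f"10.1.1.50,10.1.1.{host},445,6,0x02,1,48")
    # The same host then contacts a watchlisted external address (the "phone home").
    lines.append("10.1.1.50,192.0.2.10,80,6,0x1b,12,1540")
    # 10.1.1.60 is a normal client with completed SMB sessions (SYN, ACK, PSH, FIN all seen).
    lines.append("10.1.1.60,10.1.1.200,445,6,0x1b,240,31200")
    lines.append("10.1.1.60,10.1.1.201,445,6,0x1b,88,9400")
    # 10.1.1.70 keeps retrying one file server that is down: SYN-only, but a single target.
    for _ in range(3):
        lines.append("10.1.1.70,10.1.1.202,445,6,0x02,3,144")
    return "\n".join(lines)


def parse_flows(text):
    """Parse the CSV export into a list of dicts with typed fields."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        src, dst, dport, proto, flags, pkts, nbytes = line.split(",")
        flows.append({
            "src": ip_address(src), "dst": ip_address(dst),
            "dport": int(dport), "proto": int(proto),
            "flags": int(flags, 16), "packets": int(pkts), "bytes": int(nbytes),
        })
    return flows


def is_syn_only(flow):
    """A TCP flow where SYN was set but ACK never appeared: no handshake completed."""
    return flow["proto"] == 6 and bool(flow["flags"] & SYN) and not flow["flags"] & ACK


def find_syn_scanners(flows, port=445, min_targets=10):
    """Map each source to the distinct local hosts it SYN-scanned on `port`,
    keeping only sources that touched at least `min_targets` of them."""
    targets = defaultdict(set)
    for f in flows:
        if f["dport"] == port and is_syn_only(f) and f["dst"] in LOCAL_NET:
            targets[f["src"]].add(f["dst"])
    return {str(src): [str(d) for d in sorted(dsts)]
            for src, dsts in targets.items() if len(dsts) >= min_targets}


def find_watchlist_contacts(flows, watchlist=WATCHLIST):
    """Map each internal source to the watchlisted external addresses it reached."""
    hits = defaultdict(set)
    for f in flows:
        if str(f["dst"]) in watchlist:
            hits[str(f["src"])].add(str(f["dst"]))
    return {src: sorted(dsts) for src, dsts in hits.items()}


if __name__ == "__main__":
    flows = parse_flows(build_sample_flows())
    for src, dsts in find_syn_scanners(flows).items():
        print(f"SYN scan on TCP/445 from {src}: {len(dsts)} hosts, first {dsts[0]}, last {dsts[-1]}")
    for src, dsts in find_watchlist_contacts(flows).items():
        print(f"{src} contacted watchlisted address(es): {', '.join(dsts)}")
```

A host that appears in both reports is the strongest candidate for isolation: it has scanned its neighbours and then reached out to learn its external address. The `min_targets` threshold is what keeps the host retrying a single dead file server out of the scan report; tune it to the size of the subnet being watched.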



Michael is one of the Co-founders and the former product manager for Scrutinizer. He enjoys many outdoor winter sports and often takes videos when he is snowmobiling, ice fishing or sledding with his kids. Cold weather and lots of snow make the best winters as far as he is concerned. Prior to starting Somix and Plixer, Mike worked in technical support at Cabletron Systems, acquired his Novell CNE and then moved to the training department for a few years. While in training he finished his Masters in Computer Information Systems from Southern New Hampshire University and then left technical training to pursue a new skill set in Professional Services. In 1998 he left the 'Tron' to start Somix which later became Plixer.

