Fast Moving Variant Aimed at Windows RPC Bug

By Matthew Hines  |  Posted 2009-01-09 Print this article Print

Attackers are still working hard to launch threats that seek to exploit Windows users who remain vulnerable to the Microsoft Windows Server Service RPC Handling Remote Code Execution Vulnerability first reported in late 2008, with Symantec reporting the discovery of a new threat Friday that uses a different propagation pattern than earlier attacks aimed at the same vulnerability.

Dubbed W32.Downadup.B, the researchers said that the attack first appeared on December 30th and can not only propagate itself by exploiting the Microsoft Windows Server Service RPC vulnerability, but also by spreading itself through corporate networks by infecting USB sticks and accessing weak passwords.

"These propagation methods are nothing new; W32.Spybot, W32.Randex, and W32.Mytob variants all use almost identical methods to spread, but this variant requires more effort to protect corporate networks," researchers said.

"W32.Downadup.B creates an autorun.inf file on all mapped drives so that the threat automatically executes when the drive is accessed. The threat then monitors for drives that are connected to the compromised computer in order to create an autorun.inf file as soon as the drive becomes accessible. The worm also monitors DNS requests to domains containing certain strings and blocks access to those domains so that it will appear that the network request timed out. This means infected users may not be able to update their security software from those websites. This can be problematic as worm authors generally dish out new variants constantly," the company said.

Symantec researchers reported that they are seeing heavy volumes of both known variants of W32.Downadup, versions A and B.

Matt Hines has been following the IT industry for over a decade as a reporter and blogger, and has been specifically focused on the security space since 2003, including a previous stint writing for eWeek and contributing to the Security Watch blog. Hines is currently employed as marketing communications manager at Core Security Technologies, a Boston-based maker of security testing software. The views expressed herein do not necessarily represent the views of Core Security, and neither the company, nor its products and services will be actively discussed in the blog. Please send news, research or tips to |

Submit a Comment

Loading Comments...
Manage your Newsletters: Login   Register My Newsletters

Rocket Fuel