
Slow burn P2P worm could still eventually go big

8 May, 2010 — Over the past week, I’ve read various reports, like this one, about a new “fast-spreading” P2P worm, which one AV company calls Worm.P2P.Palevo.DP. Compared to the worms of yesteryear, such as CodeRed, Palevo.DP isn’t really that fast spreading. While it may be working semi-effectively in some locales, I can find no evidence that it’s become an epidemic. However, if Conficker taught us anything, it’s that even slow-spreading worms can infect a huge number of people over time. Palevo.DP might follow in Conficker’s footsteps.

Let’s talk a bit about Palevo.DP… First, I would classify Palevo.DP as a bot client, which is a trojan that connects your computer to a malicious botnet network. Unfortunately, AV vendors haven’t really updated their malware vernacular much over the past years. More often than not, the malware AV vendors call worms, trojans, and backdoors are really blended threats that include a Command and Control (C&C) component, which connects the malware’s victim to a malicious botnet network. When malware has a C&C channel that connects it to a network under an attacker’s control, I consider it a bot client, and Palevo.DP qualifies.

Like all bot clients (or worms, if you prefer) of late, Palevo.DP is a truly blended threat. It uses a number of techniques to automate its spread. None of its techniques are totally new, but it does combine some of the latest ones. For example, if it infects your computer, it will also try to infect any USB storage device you insert. This allows the malware to spread physically, like old floppy disk viruses used to. I personally never expected this particular infection technique to yield quick results. However, Conficker used it, and as we learned, Conficker infected a lot of victims. More interestingly, Palevo.DP targets any Peer-to-Peer (P2P) services or programs on a victim’s computer, and forces them to share the infection through those file-sharing applications as well. Finally, Palevo.DP still uses older techniques, like sending itself to your buddies through IM connections and scanning local file shares.

While none of these techniques are particularly ground-breaking, the breadth of techniques is what makes bot clients like this one the ultimate blended threat. Even though one specific spreading mechanism may not offer results as immediate as those CodeRed exploited, the combined techniques will ensure Palevo.DP spreads for a long time, earning many unwilling botnet recruits over time. To defend against these threats, make sure all your malware scanning security controls have the latest updates. WatchGuard’s Firebox or XTM appliances can also help. — Corey Nachreiner, CISSP

via WatchGuard Wire: RSS Feed | WatchGuard.
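The post above lists the places a worm of this kind drops copies of itself: removable drives, P2P shared folders, and local file shares. The following is an added example, not code from the original post or from WatchGuard, of a defender-side audit that walks such folders and reports executables that appeared within a recent window, including PE files hiding behind a non-executable extension. The folder paths are supplied by the caller (placeholders for your own share and removable-drive roots), the extension list is an assumption, and the sample files it builds in a temporary directory are constructed for the demonstration.

```python
import os
import tempfile
import time
from dataclasses import dataclass

# Extensions commonly used by Windows executables (assumed list; extend to taste).
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs"}


@dataclass
class Finding:
    path: str
    reason: str
    age_seconds: float


def looks_like_pe(path: str) -> bool:
    """True if the file begins with the 'MZ' DOS stub that PE executables carry."""
    try:
        with open(path, "rb") as fh:
            return fh.read(2) == b"MZ"
    except OSError:
        return False


def audit_share_folders(folders, max_age_seconds=7 * 24 * 3600, now=None):
    """Walk each folder and report executables added or changed within the window.

    A file is reported if it has an executable extension, or if it carries a PE
    header under a non-executable extension (a disguise worth flagging in shares).
    """
    now = time.time() if now is None else now
    findings = []
    for folder in folders:
        if not os.path.isdir(folder):
            continue
        for root, _dirs, files in os.walk(folder):
            for name in files:
                path = os.path.join(root, name)
                try:
                    age = now - os.path.getmtime(path)
                except OSError:
                    continue
                if age > max_age_seconds:
                    continue  # older than the window; not a fresh drop
                ext = os.path.splitext(name)[1].lower()
                if ext in EXECUTABLE_EXTENSIONS:
                    findings.append(Finding(path, f"executable extension {ext}", age))
                elif looks_like_pe(path):
                    findings.append(Finding(path, "PE header under non-executable extension", age))
    return sorted(findings, key=lambda f: f.age_seconds)


def build_sample_share(base_dir):
    """Populate base_dir with constructed sample files (harmless stand-ins, not malware)."""
    share = os.path.join(base_dir, "shared")
    os.makedirs(share, exist_ok=True)
    samples = {
        "movie.avi": b"RIFF....AVI ",          # ordinary media file, should be ignored
        "setup.exe": b"MZ" + b"\x00" * 62,     # fresh executable, flagged by extension
        "photo.jpg": b"MZ" + b"\x00" * 62,     # PE bytes behind a .jpg name, flagged by header
        "old_tool.exe": b"MZ" + b"\x00" * 62,  # executable, but older than the window
    }
    for name, data in samples.items():
        with open(os.path.join(share, name), "wb") as fh:
            fh.write(data)
    # Backdate the old executable by 30 days so it falls outside a 7-day window.
    stale = time.time() - 30 * 24 * 3600
    os.utime(os.path.join(share, "old_tool.exe"), (stale, stale))
    return share


def demo():
    """Build the sample share in a temp dir, audit it, and return flagged basenames."""
    with tempfile.TemporaryDirectory() as tmp:
        share = build_sample_share(tmp)
        findings = audit_share_folders([share])
        for f in findings:
            print(f"{f.path}: {f.reason} ({f.age_seconds:.0f}s old)")
        return sorted(os.path.basename(f.path) for f in findings)


if __name__ == "__main__":
    demo()
```

In use you would point `audit_share_folders` at your P2P client's download/share directory, the root of each mounted removable drive, and any locally exported shares, and feed the findings to whatever AV or endpoint scanning you already run; the audit is a triage aid that surfaces fresh drops, not a replacement for an up-to-date scanner.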
