WatchGuard Technologies, Inc.
WatchGuard Wire
Improve Your Security IQ

Slow burn P2P worm could still eventually go big

8 May, 2010 -- Over the past week, I've read various reports, like this one, about a new "fast-spreading" P2P worm, which one AV company calls Worm.P2P.Palevo.DP. Compared to the worms of yesteryear, such as CodeRed, Palevo.DP isn't really that fast spreading. While it may be working semi-effectively in some locales, I can find no evidence that it's become an epidemic. However, if Conficker taught us anything, it's that even slow-spreading worms can infect a huge number of people over time. Palevo.DP might follow in Conficker's footsteps.

Let's talk a bit about Palevo.DP... First, I would classify Palevo.DP as a bot client, which is a trojan that connects your computer to a malicious botnet network. Unfortunately, AV vendors haven't really updated their malware vernacular much over the past years. More often than not, the malware AV vendors call worms, trojans, and backdoors are really blended threats that include a Command and Control (C&C) component, which connects the malware's victim to a malicious botnet network. When malware has a C&C channel that connects it to a network under an attacker's control, I consider it a bot client, and Palevo.DP qualifies.

Like all bot clients (or worms, if you prefer) of late, Palevo.DP is a truly blended threat. It uses a number of techniques to automate its spread. None of its techniques are totally new, but it does combine some of the latest ones. For example, if it infects your computer, it will also try to infect any USB storage device you insert. This allows the malware to spread physically, like old floppy disk viruses used to. I personally never expected this particular infection technique to yield quick results. However, Conficker used it, and as we learned, Conficker infected a lot of victims. More interestingly, Palevo.DP targets any Peer-to-Peer (P2P) services or programs on a victim's computer, and forces them to share the infection through those file-sharing applications as well. Finally, Palevo.DP still uses older techniques, like sending itself to your buddies through IM connections and scanning local file shares.

While none of these techniques is particularly ground-breaking, the breadth of techniques is what makes bot clients like this one the ultimate blended threat. Even though any one spreading mechanism may not deliver results as immediately as the single exploit CodeRed used, the combined techniques will ensure Palevo.DP spreads for a long time, earning many unwilling botnet recruits over time. To defend against these threats, make sure all your malware scanning security controls have the latest updates. WatchGuard's Firebox or XTM appliances can also help. -- Corey Nachreiner, CISSP
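As an added illustration (not from the original post or from WatchGuard), here is a Python check that inspects a removable volume for the two local spreading markers described above: an autorun.inf that launches a binary (the standard Windows removable-media mechanism, assumed here since the post does not name it) and executables dropped into a P2P client's shared folder. The sample volume, its autorun.inf contents, the share-folder names and `payload.exe` are all constructed for this example.

```python
"""Flag two local-spread markers on a removable volume: an autorun.inf that
launches a program, and executables sitting in P2P share folders.
The autorun.inf mechanism and the folder names are assumptions, not
details taken from the post."""
import configparser
import os
import tempfile

EXEC_EXTS = {".exe", ".scr", ".pif", ".com", ".bat"}
# Folder names commonly used by P2P clients for shared files (assumed).
P2P_SHARE_DIRS = {"shared", "incoming", "downloads"}


def autorun_target(volume):
    """Return the program autorun.inf would launch, or None if there is none."""
    inf = os.path.join(volume, "autorun.inf")
    if not os.path.isfile(inf):
        return None
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    try:
        cp.read(inf, encoding="latin-1")
    except configparser.Error:
        return "<unparseable autorun.inf>"  # a malformed file is itself a red flag
    # Section names are case-sensitive in configparser; autorun.inf is not.
    section = next((s for s in cp.sections() if s.lower() == "autorun"), None)
    if section is None:
        return None
    for key in ("open", "shellexecute"):
        if cp.has_option(section, key):
            return cp.get(section, key).split()[0]  # drop any arguments
    return None


def shared_executables(root):
    """List executables found inside folders named like P2P share directories."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        if os.path.basename(dirpath).lower() not in P2P_SHARE_DIRS:
            continue
        for name in files:
            if os.path.splitext(name)[1].lower() in EXEC_EXTS:
                hits.append(os.path.join(dirpath, name))
    return sorted(hits)


def build_sample_volume():
    """Constructed sample 'USB stick': autorun.inf plus a P2P Incoming folder."""
    vol = tempfile.mkdtemp()
    with open(os.path.join(vol, "autorun.inf"), "w") as fh:
        fh.write("[AutoRun]\nopen=payload.exe /s\nicon=icon.ico\n")
    share = os.path.join(vol, "P2PClient", "Incoming")
    os.makedirs(share)
    for name in ("movie.avi", "Photo Album.scr", "crack.exe"):
        open(os.path.join(share, name), "w").close()  # empty placeholder files
    return vol
```

Run `build_sample_volume()` and feed the path to both functions; on a real volume, point them at the mount path instead.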

Copyright© 2010 WatchGuard® Technologies, Inc. You may copy and distribute this article freely in any medium as long as you copy and distribute the entire article without change and preserve this copyright statement and notice.