By David Meyer and Tom Espiner ZDNet.co.uk
Posted on ZDNet News: Jan 15, 2009 8:35:16 AM

The 'Downadup' worm is spreading quickly and now infects more than 3.5 million PCs, according to the security company F-Secure.

In a blog post on Wednesday, F-Secure put the total number of infected machines at an estimated 3,521,230 — a rise of more than a million machines over the previous day's tally. The security firm bases its estimates on information it has gleaned by tapping into infected machines.

Downadup, which also goes by the name Conficker, exploits the vulnerability described in MS08-067, a flaw in the Windows Server service that Microsoft patched in October. It also runs a dictionary attack in an attempt to crack user passwords, in the process locking user accounts out of the Active Directory domain. It emerged a week ago that Downadup can also infect USB sticks, giving it a way to spread on the client side as well.

F-Secure's chief research officer, Mikko Hyppönen, wrote in a blog post on Tuesday that the infected PCs had the potential to form "one big badass botnet". Hyppönen pointed out that the Downadup worm works by trying to connect to various web addresses. "If the worm finds an active web server at one of these domains, it will download and run a particular executable — thus giving the malware gang a free hand to do whatever they want with all of the infected machines," he wrote.

"[Downadup] uses a complicated algorithm which changes daily and is based on timestamps from public websites such as Google.com and Baidu.com," Hyppönen wrote. "With this algorithm, the worm generates many possible domain names every day… This makes it impossible and/or impractical for us good guys to shut them all down — most of them are never registered in the first place. However, the bad guys only need to predetermine one possible domain for tomorrow, register it, and set up a website — and they then gain access to all of the infected machines. Pretty clever."

Hyppönen added that F-Secure had worked out some of the domains Downadup would generate and registered them itself. Because infected machines then connected to servers under the firm's control, F-Secure was able to estimate the number of victims.

"Right now, we're seeing hundreds of thousands of unique IP addresses connecting to the domains we've registered," Hyppönen wrote. "A very large part of that traffic is coming from corporate networks, through firewalls, proxies, and NAT routers. Meaning that one unique IP address that we see could very well be 2,000 infected workstations in real life."
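The two mechanisms in Hyppönen's quotes, a date-seeded domain generator that defenders can run ahead of time and a count of the unique IPs reaching the registered domains, as an added illustration in Python. This is constructed for this article, not F-Secure's code and not Conficker's actual algorithm; the `toy-seed` string, the TLD pool, the RFC 5737 sample addresses and the log lines are all assumptions.

```python
# Toy model, constructed for this article: a date-seeded domain generator plus a sinkhole
# counter. NOT Conficker's algorithm (which seeds from public websites' timestamps).
from __future__ import annotations
import hashlib
from collections import defaultdict
from datetime import date, timedelta

TLDS = ("com", "net", "org")  # assumed TLD pool for the toy generator

def next_day(iso_day: str) -> str:
    """'2009-01-14' -> '2009-01-15': the date a defender must generate ahead of time."""
    return (date.fromisoformat(iso_day) + timedelta(days=1)).isoformat()

def daily_domains(iso_day: str, count: int = 5, seed: str = "toy-seed") -> list[str]:
    """Derive `count` domains from (seed, date). Anyone who knows the algorithm gets
    the identical list, which is what lets a defender register some of tomorrow's
    names before the worm looks them up."""
    domains = []
    for i in range(count):
        digest = hashlib.sha256(f"{seed}|{iso_day}|{i}".encode()).hexdigest()
        label = "".join(chr(ord("a") + int(digest[j:j + 2], 16) % 26)
                        for j in range(0, 16, 2))  # 8-letter label from the hash
        domains.append(f"{label}.{TLDS[int(digest[16:18], 16) % len(TLDS)]}")
    return domains

def count_sinkhole_hits(log_lines, sinkholed: set[str]) -> dict[str, set[str]]:
    """Map each sinkholed domain to the unique source IPs that contacted it.
    Each constructed log line is '<src_ip> <host>'; other hosts are ignored."""
    hits = defaultdict(set)
    for line in log_lines:
        src_ip, host = line.split()
        if host in sinkholed:
            hits[host].add(src_ip)
    return dict(hits)

def estimate_infected(hits: dict[str, set[str]], hosts_per_ip: int = 1) -> int:
    """Unique IPs across all sinkholes, scaled by an assumed hosts-per-address factor:
    one corporate NAT/proxy egress IP can hide many infected workstations."""
    unique_ips = set().union(*hits.values()) if hits else set()
    return len(unique_ips) * hosts_per_ip

def demo(iso_today: str = "2009-01-14"):
    """Register two of tomorrow's five domains, then count hits in a constructed log."""
    sinkholed = set(daily_domains(next_day(iso_today))[:2])
    d1, d2 = sorted(sinkholed)
    log = [f"203.0.113.10 {d1}", f"203.0.113.10 {d1}",  # same host, two look-ups
           f"198.51.100.7 {d2}", f"198.51.100.7 {d1}",  # one host hits both sinkholes
           "192.0.2.5 example.com"]                      # unrelated traffic, ignored
    hits = count_sinkhole_hits(log, sinkholed)
    return hits, estimate_infected(hits), estimate_infected(hits, hosts_per_ip=2000)
```

Running `demo()` shows why the raw IP count undercounts: two egress addresses appear, but the same 2,000-hosts-per-address multiplier Hyppönen cites turns that into 4,000 suspected workstations.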

Graham Cluley, senior technology consultant at Sophos, told ZDNet UK on Thursday that "businesses should already have patched this vulnerability when the Microsoft patch came out some weeks ago". He urged those businesses that had not yet patched to do so as soon as possible, adding that companies should check laptops and USB devices coming into the company, for example by using a network access control (NAC) product.

Talkback (most recent of 39 comments)
RE: Potential 'big badass botnet' spreading fast
Yup. It's like those machines that didn't update should be held liable for damages lol -> kinda because they're screwing everything up and the biggest one of all are the -> Wacky let's wait and fix it and...
Posted by: rainmanp7 Posted on: 01/24/09