The 'Downadup' worm is spreading quickly and now infects more than 3.5 million PCs, according to the security company F-Secure.
In a blog post on Wednesday, F-Secure put the total number of infected machines at an estimated 3,521,230 — a rise of more than a million machines over the previous day's tally. The security firm bases its estimates on information it has gleaned by tapping into infected machines.
Downadup, which also goes by the name of Conficker, exploits a vulnerability outlined in MS08-067, a Windows Server service flaw that was patched in October. It executes a dictionary attack in order to try cracking user passwords, in the process locking user accounts out of the Active Directory domain. It emerged a week ago that Downadup can also infect USB sticks, thereby propagating on the client side.
F-Secure's chief research officer, Mikko Hyppönen, wrote in a blog post on Tuesday that the infected PCs had the potential to form "one big badass botnet". Hyppönen pointed out that the Downadup worm works by trying to connect to various web addresses. "If the worm finds an active web server at one of these domains, it will download and run a particular executable — thus giving the malware gang a free hand to do whatever they want with all of the infected machines," he wrote.
"[Downadup] uses a complicated algorithm which changes daily and is based on timestamps from public websites such as Google.com and Baidu.com," Hyppönen wrote. "With this algorithm, the worm generates many possible domain names every day… This makes it impossible and/or impractical for us good guys to shut them all down — most of them are never registered in the first place. However, the bad guys only need to predetermine one possible domain for tomorrow, register it, and set up a website — and they then gain access to all of the infected machines. Pretty clever."
Hyppönen then said F-Secure had determined some domains that would be generated by Downadup, and registered them. It was through this method, which gave the firm access to the infected machines, that F-Secure has been able to determine the approximate number of victims.
"Right now, we're seeing hundreds of thousands of unique IP addresses connecting to the domains we've registered," Hyppönen wrote. "A very large part of that traffic is coming from corporate networks, through firewalls, proxies, and NAT routers. Meaning that one unique IP address that we see could very well be 2,000 infected workstations in real life."
Graham Cluley, senior technology consultant at Sophos, told ZDNet UK on Thursday that "businesses should already have patched this vulnerability when the Microsoft patch came out some weeks ago". He urged those businesses that had not yet patched to do so as soon as possible, adding that companies should check laptops and USBs coming into the company, for example, by using a network access control (NAC) product.
In order to post a comment you need to be registered and logged in
Log in or create your ZDNet UK account below
By signing up for this service, you indicate that you agree to our Terms and Conditions and have read and understood our Privacy Policy. Questions about membership? Find the answers in the Membership FAQ
Hey - presume you mean something that builds on Apple's existing TV device? Apple have already had a couple of runs at building Apple TV and it's...
2 hours ago by Andrew Donoghue on Google's TV timing may reveal more to come
Google, Sony, Intel may build TV project www.zdnet.co.uk/news/emerging-tech/2010/03/18/google-sony-intel-may-build-tv-project-40088359/
2 hours ago on Twitter by BVE2011
70,0000 to 90,0000 computers? A very small number considering some of these botnets are in the millions, and there are so many of them operating,...
3 hours ago by ator1940 on Microsoft says it decimated Waledac botnet I agree Roger, and why can't they write secure code? What will happen when they find stolen code in windows? They have a track record of...
3 hours ago by ator1940 on Microsoft lashing out at Linux, open source Do you think it will really take days?
3 hours ago by ator1940 on Microsoft previews Internet Explorer 9 with HTML 5 support
Wonder how many days it will take before somebody codes an exploitive hack for IE9?
15 hours ago by Xwindowsjunkie on Microsoft previews Internet Explorer 9 with HTML 5 support
There are some really good people in Microsoft and I wonder, how embarassing it must be for them to see how the organisation behaves from it's...
20 hours ago by roger andre on Microsoft lashing out at Linux, open source
Great new look for ZDNET UK web-site http://bit.ly/9R5eAA to check it out @ZDNetUK #zdnet
24 hours ago on Twitter by ajclarke
Microsoft previews Internet Explorer 9 with HTML 5 support - zdnet.co.uk http://bit.ly/9FSh23
1 day ago on Twitter by feedfrog
We were just pondering on when IE will get HTML5 and CSS3 onboard! this is excellent
1 day ago by kencogold on Microsoft previews Internet Explorer 9 with HTML 5 support
RT @suziedaniels: relaunched www.zdnet.co.uk raises the bar yet again! its so fast it makes my eyes bleed.
1 day ago on Twitter by riptari This is brilliant - I borrowed one and straight away saw that a few AP`s were set up to the wrong country. It gives interference levels on each...
1 day ago by Bob Preece on Fluke Networks AirCheck Wi-Fi Tester
http://www.zdnet.co.uk/news/networking/2010/03/11/european-parliament-votes-down-acta-treaty-40085614/ (Where does this leave #Debill?)
1 day ago on Twitter by _SimonArnoldme
relaunched www.zdnet.co.uk raises the bar yet again! its so fast it makes my eyes bleed.
1 day ago on Twitter by suziedaniels
Redesign complet pour ZDNet UK et AU, Twitter au centre http://www.zdnet.co.uk/ http://www.zdnet.com.au/
1 day ago on Twitter by eparody
RT @eparody: Redesign complet pour ZDNet UK et AU, Twitter au centre http://www.zdnet.co.uk/ http://www.zdnet.com.au/
1 day ago on Twitter by cdutheil
Sharepoint 2010 in photo's http://www.zdnet.co.uk/reviews/communication-and-collaboration/2010/03/04/sharepoint-2010-screenshots-40070577/
1 day ago on Twitter by gerardv
Thanks for commenting and clearing that up, Richard. We look forward to seeing what the new clause, if it is not struck out due to protests and/or...
1 day ago by David Meyer on Rights holders vs digital rights activists - who wins?For multi-store outlets, including retail, banking, grocery, gas, hospitality, convenience stores and others, reducing (or avoiding) the cost of in-store system support and maintenance while maintaining compliance with PCI and other requirements has become a strategic challenge.
Speaker: Dr. Chenxi Wang, Principal Analyst, Security and Risk Management, Forrester Research, Inc. As Enterprises are increasingly connected to the Internet and as hard organizational boundaries are fast disappearing, security professionals are facing fresh challenges in Enterprise computing.
This tutorial is for new MindManager users and teaches you how to get started, by creating maps, reading maps and organizing your information.
Talkback
The continued growth of the MS08-67 RPC issue really drives home the point that while firewalls and antivirus have evolved to become mainstays in network defense, all too many fail to realise that vulnerability management and patching is in fact a critical component of the very foundation of network security. Firewalls and AV are only one level of defence and really are insufficient if they are deployed on top of a weak foundation – lacking underlying vulnerability and patch management.
lumension 16 Jan 09 23:58 ReplyTake note:
SANS recently reported a clever social engineering trick by the malware – when the autorun.inf triggers the pop up autoplay dialog it changes the executable icon to that of a folder. The user is then tricked into clicking on the folder thinking they are simply going to view the files, NOT knowing that they were actually causing the execution of the malicious program when they click on the folder icon.
Ask about your own organisations patch management approach - the tools we have today are easy to deploy and automate the whole patch management process across a corporate network to really take control by identifying and remediating known vulnerabilities.
Beyond that, ask about Application Control - it can be used effectively to stop this type of infection in it's tracks by preventing the malware from executing in the first place.
Whitelisting is the best way to prevent direct harm to computers from viruses and malware, but comprehensive application whitelisting – like Lumension Security Endpoint Protection Solution that does run on XP systems – offers many more benefits to organisations and the IT environment:
lumension 16 Feb 09 16:50 Reply* Increased performance and stability. When only authorised applications can run on a computer, there is far less chance that inappropriately installed programs or hardware drivers will corrupt an operating system. Combined with Lumension Security Vulnerability Management Solution, patches and updates are rolled out in a uniform and approved manner, ensuring that all computers operate on the same release level.
* Control of computer and network utilisation. Computers have an unfortunate tendency to become cluttered with junkware, games, and web software that consume computing resources and
network bandwidth. Whitelisting offers a way to keep such programs from interfering with business operations.
* Decreased IT support costs. With no viral attacks to thwart, malware to hunt down, or incompatible applications to invoke the blue screen of death, IT can spend more time and resources on improving operations instead of constantly fixing computers.
* Increased data security and compliance with privacy laws.
Preventing programs not on the whitelist from running on any computer obviates the chance for spyware, keyloggers, and
sniffers to steal passwords, address books, customer files, or other sensitive data from otherwise physically secure computers. Combined with Lumension Security Data Protection Solution, which
prevents sensitive information from leaking out through lost or stolen storage devices, a whitelist creates a strong infrastructure that makes it possible to comply with privacy regulations.
A further benefit to application whitelisting is the ability – and the opportunity – to better understand your IT environment. What applications are your people really running? Which are necessary to your operations? Are you buying more bandwidth than you really need to conduct business? Getting an accurate view of IT usage is the first step in controlling your information and your business.
If a CIO were to dream up a perfect IT environment, it would no doubt be very different from what most organisations have today. It would be a controlled environment with consistent change-control systems. Updates and operating system patches would be rolled out uniformly across a homogenous network. Every computer would have a specific set of applications preinstalled. Users would have no local authority to install, update, or delete applications, drivers, or web plug-ins. Only approved storage devices and media could be used to copy and transport data. In such a tightly regulated computing environment, anti-virus and whitelisting programs might not be needed.
BUT this scenario represents an environment seldom found in the real world – albeit perhaps one that is not as desirable as it may first seem.
A totally locked down computing environment is not only rare – it is unlikely to best meet business needs. A system with complete top-down control loses the flexibility to quickly add and upgrade applications and business systems. In organisations where communication and creativity fly fast and furious, locked-down systems can frustrate and stifle the flow of business. And while such a setup may at first seem convenient for the CIO’s department, it ultimately adds labour-intensive work for system administrators and
help-desk operators.
So, what do you live with today? Organisations that start out small, with even smaller IT teams, often by default give users local administrative control of individual PCs. Though such a choice lessens the initial burden on IT, as a company grows those few savvy users are joined by well-meaning users installing rogue applications – sometimes incorrectly – corrupting files and registries in the process.
Or maybe your organisation has inherited an infrastructure with a history of uneven change control, resulting in a mishmash of service packs and application versions, sometimes running on the same computer. Unauthorised applications and preloaded junkware clog hard drives and networks. Malware and viruses continuously creep in through downloads and website visits. The anti-virus software you installed can’t keep up, and you are constantly rebuilding corrupted PCs. Sudden spikes in unauthorised application-generated traffic overload the network at critical times, forcing you to contract for more bandwidth than you really need.
Is this a snapshot of your world? Though your scenario may be slightly better, or worse, the general situation remains the same. You need a way to categorise all the applications on all the computers on your network, and then decide which should be allowed to run.
Whitelisting simply means defining what is “good,” then allowing only good programs and processes to load and execute in memory. Everything not on the whitelist – the virtual blacklist – cannot run. To increase flexibility, especially in the beginning, you can extend the concept of trusted change by implementing a graylist. This permits safe but potentially undesirable programs to run until you decide whether they are really needed.
Whitelisted applications run. Graylisted applications can launch with logging that notifies you when and where they are running. Anything else cannot run at all. Even corrupted or hacked applications on the
whitelist are recognised as altered, and prevented from running. Zero-day attacks through malware, worms, and Trojans are automatically prevented from running because they are not on the whitelist, and therefore never get the chance to launch and corrupt.