The 'Downadup' worm is spreading quickly and now infects more than 3.5 million PCs, according to the security company F-Secure.
In a blog post on Wednesday, F-Secure put the total number of infected machines at an estimated 3,521,230 — a rise of more than a million machines over the previous day's tally. The security firm bases its estimates on information it has gleaned by tapping into infected machines.
Downadup, which also goes by the name of Conficker, exploits a vulnerability outlined in MS08-067, a Windows Server service flaw that was patched in October. It executes a dictionary attack in order to try cracking user passwords, in the process locking user accounts out of the Active Directory domain. It emerged a week ago that Downadup can also infect USB sticks, thereby propagating on the client side.
F-Secure's chief research officer, Mikko Hyppönen, wrote in a blog post on Tuesday that the infected PCs had the potential to form "one big badass botnet". Hyppönen pointed out that the Downadup worm works by trying to connect to various web addresses. "If the worm finds an active web server at one of these domains, it will download and run a particular executable — thus giving the malware gang a free hand to do whatever they want with all of the infected machines," he wrote.
"[Downadup] uses a complicated algorithm which changes daily and is based on timestamps from public websites such as Google.com and Baidu.com," Hyppönen wrote. "With this algorithm, the worm generates many possible domain names every day… This makes it impossible and/or impractical for us good guys to shut them all down — most of them are never registered in the first place. However, the bad guys only need to predetermine one possible domain for tomorrow, register it, and set up a website — and they then gain access to all of the infected machines. Pretty clever."
Hyppönen then said F-Secure had determined some domains that would be generated by Downadup, and registered them. It was through this method, which gave the firm access to the infected machines, that F-Secure has been able to determine the approximate number of victims.
"Right now, we're seeing hundreds of thousands of unique IP addresses connecting to the domains we've registered," Hyppönen wrote. "A very large part of that traffic is coming from corporate networks, through firewalls, proxies, and NAT routers. Meaning that one unique IP address that we see could very well be 2,000 infected workstations in real life."
Graham Cluley, senior technology consultant at Sophos, told ZDNet UK on Thursday that "businesses should already have patched this vulnerability when the Microsoft patch came out some weeks ago". He urged those businesses that had not yet patched to do so as soon as possible, adding that companies should check laptops and USBs coming into the company, for example, by using a network access control (NAC) product.
Talkback
The continued growth of the MS08-67 RPC issue really drives home the point that while firewalls and antivirus have evolved to become mainstays in network defense, all too many fail to realise that vulnerability management and patching is in fact a critical component of the very foundation of network security. Firewalls and AV are only one level of defence and really are insufficient if they are deployed on top of a weak foundation – lacking underlying vulnerability and patch management.
Take note:
SANS recently reported a clever social engineering trick by the malware – when the autorun.inf triggers the pop up autoplay dialog it changes the executable icon to that of a folder. The user is then tricked into clicking on the folder thinking they are simply going to view the files, NOT knowing that they were actually causing the execution of the malicious program when they click on the folder icon.
Ask about your own organisations patch management approach - the tools we have today are easy to deploy and automate the whole patch management process across a corporate network to really take control by identifying and remediating known vulnerabilities.
Beyond that, ask about Application Control - it can be used effectively to stop this type of infection in it's tracks by preventing the malware from executing in the first place.
Whitelisting is the best way to prevent direct harm to computers from viruses and malware, but comprehensive application whitelisting – like Lumension Security Endpoint Protection Solution that does run on XP systems – offers many more benefits to organisations and the IT environment:
* Increased performance and stability. When only authorised applications can run on a computer, there is far less chance that inappropriately installed programs or hardware drivers will corrupt an operating system. Combined with Lumension Security Vulnerability Management Solution, patches and updates are rolled out in a uniform and approved manner, ensuring that all computers operate on the same release level.
* Control of computer and network utilisation. Computers have an unfortunate tendency to become cluttered with junkware, games, and web software that consume computing resources and
network bandwidth. Whitelisting offers a way to keep such programs from interfering with business operations.
* Decreased IT support costs. With no viral attacks to thwart, malware to hunt down, or incompatible applications to invoke the blue screen of death, IT can spend more time and resources on improving operations instead of constantly fixing computers.
* Increased data security and compliance with privacy laws.
Preventing programs not on the whitelist from running on any computer obviates the chance for spyware, keyloggers, and
sniffers to steal passwords, address books, customer files, or other sensitive data from otherwise physically secure computers. Combined with Lumension Security Data Protection Solution, which
prevents sensitive information from leaking out through lost or stolen storage devices, a whitelist creates a strong infrastructure that makes it possible to comply with privacy regulations.
A further benefit to application whitelisting is the ability – and the opportunity – to better understand your IT environment. What applications are your people really running? Which are necessary to your operations? Are you buying more bandwidth than you really need to conduct business? Getting an accurate view of IT usage is the first step in controlling your information and your business.
If a CIO were to dream up a perfect IT environment, it would no doubt be very different from what most organisations have today. It would be a controlled environment with consistent change-control systems. Updates and operating system patches would be rolled out uniformly across a homogenous network. Every computer would have a specific set of applications preinstalled. Users would have no local authority to install, update, or delete applications, drivers, or web plug-ins. Only approved storage devices and media could be used to copy and transport data. In such a tightly regulated computing environment, anti-virus and whitelisting programs might not be needed.
BUT this scenario represents an environment seldom found in the real world – albeit perhaps one that is not as desirable as it may first seem.
A totally locked down computing environment is not only rare – it is unlikely to best meet business needs. A system with complete top-down control loses the flexibility to quickly add and upgrade applications and business systems. In organisations where communication and creativity fly fast and furious, locked-down systems can frustrate and stifle the flow of business. And while such a setup may at first seem convenient for the CIO’s department, it ultimately adds labour-intensive work for system administrators and
help-desk operators.
So, what do you live with today? Organisations that start out small, with even smaller IT teams, often by default give users local administrative control of individual PCs. Though such a choice lessens the initial burden on IT, as a company grows those few savvy users are joined by well-meaning users installing rogue applications – sometimes incorrectly – corrupting files and registries in the process.
Or maybe your organisation has inherited an infrastructure with a history of uneven change control, resulting in a mishmash of service packs and application versions, sometimes running on the same computer. Unauthorised applications and preloaded junkware clog hard drives and networks. Malware and viruses continuously creep in through downloads and website visits. The anti-virus software you installed can’t keep up, and you are constantly rebuilding corrupted PCs. Sudden spikes in unauthorised application-generated traffic overload the network at critical times, forcing you to contract for more bandwidth than you really need.
Is this a snapshot of your world? Though your scenario may be slightly better, or worse, the general situation remains the same. You need a way to categorise all the applications on all the computers on your network, and then decide which should be allowed to run.
Whitelisting simply means defining what is “good,” then allowing only good programs and processes to load and execute in memory. Everything not on the whitelist – the virtual blacklist – cannot run. To increase flexibility, especially in the beginning, you can extend the concept of trusted change by implementing a graylist. This permits safe but potentially undesirable programs to run until you decide whether they are really needed.
Whitelisted applications run. Graylisted applications can launch with logging that notifies you when and where they are running. Anything else cannot run at all. Even corrupted or hacked applications on the
whitelist are recognised as altered, and prevented from running. Zero-day attacks through malware, worms, and Trojans are automatically prevented from running because they are not on the whitelist, and therefore never get the chance to launch and corrupt.