Downadup worm infects 3.5 million PCs

By on January 15, 2009, 6:59 PM
Security firm F-Secure says that a worm called Downadup has spread to more than 3.5 million computers by exploiting a vulnerability Microsoft patched last October. What makes this worm so interesting is that it reached those numbers in just a few weeks, uses several different methods to spread, and can download new versions of itself.

The prolific worm uses a domain generation algorithm that produces a new list of pseudo-random domain names every day, and infected machines attempt to contact each of them, whether or not it is registered. All its creators have to do is register one of the generated domains and they can push an update that makes the worm do pretty much whatever they wish, such as stealing personal information or turning the infected machines into a massive botnet for DDoS attacks.

F-Secure managed to take a peek at the inner workings of the worm by registering one of the generated domains itself. This has allowed the company to observe the connections that Downadup makes and, in fact, it has gained the ability to use the worm's own update mechanism to remotely disinfect affected systems. However, for legal reasons, the company has decided not to do so.
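To make the two mechanisms above concrete, here is an added example (not Downadup's real algorithm, and not F-Secure's code): a toy date-seeded domain generation algorithm, and a sinkhole matcher of the kind a researcher would run after registering one of the generated domains. The seed, TLD set, label length, list size of 250 per day, the log line format and the three "infected" source addresses are all assumptions constructed for illustration.

```python
"""Illustrative DGA plus sinkhole matcher (added example, not the worm's code)."""
import datetime
import hashlib

TLDS = ("com", "net", "org", "info", "biz")   # assumed TLD set
DOMAINS_PER_DAY = 250                          # assumed size of the daily list
SEED = b"illustrative-seed"                    # assumed constant baked into the worm

SAMPLE_DAY = datetime.date(2009, 1, 15)
NEXT_DAY = SAMPLE_DAY + datetime.timedelta(days=1)


def daily_domains(day, n=DOMAINS_PER_DAY, seed=SEED):
    """Return the deterministic list of n candidate domains for `day`.

    Because the only inputs are a fixed seed, the date and a counter, the
    worm's operators and anyone who has reverse engineered the algorithm
    can compute exactly the same list ahead of time.
    """
    domains = []
    for i in range(n):
        h = hashlib.sha256(seed + day.isoformat().encode() + i.to_bytes(2, "big")).digest()
        length = 8 + h[0] % 5                                   # 8..12 letter label
        label = "".join(chr(ord("a") + b % 26) for b in h[1:1 + length])
        domains.append(f"{label}.{TLDS[h[31] % len(TLDS)]}")
    return domains


def build_sample_log():
    """Constructed DNS query log: "<timestamp> <source ip> <qname>".

    Three hosts query the day's generated names; two also make benign
    lookups. This is made-up data for the example, not a real capture.
    """
    today = daily_domains(SAMPLE_DAY)
    return [
        f"2009-01-15T10:00:01 10.0.0.5 {today[0]}",
        f"2009-01-15T10:00:02 10.0.0.5 {today[1]}",
        f"2009-01-15T10:00:03 10.0.0.9 {today[0]}",
        "2009-01-15T10:00:04 10.0.0.9 www.example.com",
        f"2009-01-15T10:00:05 10.0.0.12 {today[0]}.",        # trailing dot, FQDN form
        "2009-01-15T10:00:06 10.0.0.12 update.example.org",
    ]


def sinkhole_report(log_lines, days):
    """Count distinct source addresses per generated domain seen in the log.

    Precomputing the lists for the given days is what lets a sinkhole
    operator recognise worm traffic; the number of distinct sources hitting
    a registered domain is the basis for an infection estimate.
    """
    candidates = set()
    for d in days:
        candidates.update(daily_domains(d))
    seen = {}
    for line in log_lines:
        _ts, src, qname = line.split()
        qname = qname.rstrip(".").lower()
        if qname in candidates:
            seen.setdefault(qname, set()).add(src)
    return {q: len(srcs) for q, srcs in seen.items()}


if __name__ == "__main__":
    today = daily_domains(SAMPLE_DAY)
    print("first three candidates for", SAMPLE_DAY, today[:3])
    print("sinkhole hits:", sinkhole_report(build_sample_log(), [SAMPLE_DAY]))
```

Note that the matcher checks today's list only; a real sinkhole would also load tomorrow's list to catch hosts with skewed clocks, which is as simple as passing both dates in `days`.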

The worm also runs a dictionary attack to guess passwords and spread to other machines on the same local area network, so administrators are advised not only to install Microsoft's latest security updates but also to make sure they are using strong passwords. Additionally, Microsoft has added detection for the worm to the latest version of its free Malicious Software Removal Tool.
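The following added example (not the worm's code, and not a real wordlist) shows what the dictionary attack in the paragraph above amounts to, and why the "strong passwords" advice works: it runs a small wordlist with common mutations against a constructed set of salted password hashes and reports which accounts fall, then reuses the same candidate set as a policy check. The salted SHA-256 scheme, the wordlist, the suffixes and the three accounts are all assumptions for illustration.

```python
"""Dictionary attack audit and password policy check (added example)."""
import hashlib

# Constructed wordlist and mutation suffixes; a real attacker's list is far larger.
WORDLIST = ["password", "admin", "123456", "qwerty", "letmein", "welcome"]
SUFFIXES = ["", "1", "123", "!", "2009"]
MIN_LENGTH = 12   # assumed policy minimum


def mutations(word):
    """Yield the common variants a dictionary attack tries for one base word."""
    for base in (word, word.capitalize(), word.upper()):
        for suffix in SUFFIXES:
            yield base + suffix


def candidate_set(wordlist=WORDLIST):
    return {m for w in wordlist for m in mutations(w)}


def hash_pw(password, salt):
    """Assumed storage scheme: hex(SHA-256(salt || password))."""
    return hashlib.sha256(salt.encode() + password.encode()).hexdigest()


def make_accounts():
    """Constructed account database {user: (salt, hash)}, not real credentials."""
    return {
        "administrator": ("s1", hash_pw("Password1", "s1")),
        "backup": ("s2", hash_pw("admin123", "s2")),
        "jsmith": ("s3", hash_pw("correct-horse-battery-staple-7", "s3")),
    }


def dictionary_attack(accounts, wordlist=WORDLIST):
    """Return {user: recovered_password} for every account a wordlist guess matches."""
    candidates = sorted(candidate_set(wordlist))
    cracked = {}
    for user, (salt, stored) in accounts.items():
        for guess in candidates:
            if hash_pw(guess, salt) == stored:
                cracked[user] = guess
                break
    return cracked


def passes_policy(password, wordlist=WORDLIST):
    """Reject anything short or anything the attack above would guess outright."""
    return len(password) >= MIN_LENGTH and password not in candidate_set(wordlist)


if __name__ == "__main__":
    print("cracked:", dictionary_attack(make_accounts()))
    for pw in ("Password1", "correct-horse-battery-staple-7"):
        print(pw, "passes policy:", passes_policy(pw))
```

The point of `passes_policy` is that the defender can run the attacker's own candidate generator at password-set time, which is cheaper than cleaning up after a worm has walked the LAN with it.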

User Comments: 9

captain828 said:
typo: DoS -> DDoS ?
McCallum said:
Originally posted by captain828: "typo: DoS -> DDoS ?"
I'm pretty sure you're correct.
techguy339 said:
Quote: "for legal reasons, the company has decided not to do so"
And what would those legal reasons be?!
Julio said:
Not necessarily.
Denial-of-service attack (DoS attack)
Distributed denial-of-service attack (DDoS attack)
JosVilches said:
Originally posted by techguy339: "And what would those legal reasons be?!"
Disinfecting those machines could be considered unauthorized use of a PC, which is illegal in many jurisdictions.
captain828 said:
Originally posted by Julio: "Not necessarily. Denial-of-service attack (DoS attack) / Distributed denial-of-service attack (DDoS attack)"
So you're saying they had all those 3.5mil "zombies" in a single area? The difference between the two is that the latter contains the "zombies" in multiple geographic locations, making it even harder to control.
From: "Today's total infection count is an estimated 3,521,230 infections worldwide."
Not trying to bash anyone here.
[Edited by captain828 on 2009-01-16 14:28:22]
JosVilches said:
Point taken, I've updated the story with the more accurate DDoS term. Though a distributed denial of service attack is still a denial of service attack :p
captain828 said:
true... it's still a DoS ;)
anguis said:
It's more likely that an attacker who is proficient in their trade will use a Distribution Reflection Denial of Service (DRDoS) attack, to be even more specific. Also, the legal conditions for F-Secure are as follows: Any breach of a personal computer within the USA without authorization, regardless of intent, is illegal.
