Security firm F-Secure says that a worm called Downadup has spread to more than 3.5 million computers by exploiting a vulnerability Microsoft patched last October. But what makes this worm so interesting is the fact it accomplished those numbers in just a few weeks, using several different methods to spread, and has the ability to download new versions of itself.
The prolific worm uses a complex algorithm to develop a changing daily list of random domains – registered or not – which infected machines attempt to establish contact with. All its creators have to do is register one of the generated domains and then they can update the worm do pretty much do whatever they wish, such as stealing personal information or creating a massive botnet to launch DDoS attacks.
F-Secure managed to take a peek at the inner workings of the worm by registering one of the randomly generated domains. This has allowed them to analyze the connections that Downadup is making and, in fact, they have gained the ability to modify the worm’s update mechanism to remotely disinfect affected systems. However, for legal reasons, the company has decided not to do so.
The worm also executes a dictionary attack in an attempt to crack passwords and spread across machines on the same local area network, so administrators are advised not only to install Microsoft's latest security updates, but also to ensure that they are using strong passwords. Additionally, Microsoft has added detection to the latest version of its free Malicious Software Removal Tool, which is available here.