
Tricky Windows Worm Wallops Millions

A sneaky computer worm that uses a virtual Swiss army knife of attack techniques has infected millions of Microsoft Windows PCs, and appears to be spreading at a fairly rapid pace, security experts warn.

Also, while infected PCs could be used for a variety of criminal purposes -- from relaying spam to hosting scam Web sites -- there are signs that this whole mess may be an attempt to further spread so-called "scareware," which uses fake security alerts to frighten consumers into purchasing bogus computer security software.

The worm, called "Downadup" and "Conficker" by different anti-virus companies, attacks a security hole in a networking component found in most Windows systems (the Server service flaw Microsoft patched as MS08-067). According to estimates from Finnish anti-virus maker F-Secure Corp., the worm has infected between 2.4 million and 8.9 million computers during the last four days alone.

If accurate, those are fairly staggering numbers for a worm that first surfaced in late November. Microsoft issued an emergency patch to fix the flaw back in October, but many systems likely remain dangerously exposed.

One reason is that businesses generally test patches before deploying them on internal networks, to make sure the updates don't break custom software applications. In the meantime, a single infected laptop plugged into a vulnerable corporate network can quickly spread the contagion to every unpatched system inside that network.

But the worm also has methods for infecting systems that are already patched against the Windows vulnerability. According to an analysis last week by Symantec, the latest versions of Downadup copy themselves to all removable or mapped drives on the host computer or network, together with an autorun.inf file that launches the copy. This means that if a USB stick is inserted into an infected system, that stick will carry the infection to the next Windows machine that reads it with Autoplay enabled. That's an old trick, but apparently one that is still very effective.

Security experts say the worm instructs infected hosts each day to visit one or more of about 250 potential control servers -- domain names generated by an algorithm built into the worm from the current date, so the bots and their authors agree on the day's list without ever communicating -- in order to download instructions or malicious software updates from the worm's authors. With such a system, defenders would have to register all 250 domains every day just to cut infected hosts off from new instructions, a costly and untenable solution. In contrast, the worm authors need only register one of those 250 domains to update all infected systems with new instructions and software.

F-Secure arrived at its infection estimates by registering a number of those domains, and then watching to see how many infected systems would try to contact the control servers. In addition to counting the number of bots reporting in for duty, researchers found another way to count victim PCs: Turns out, each infected host reporting to the control server is configured to report the number of Windows systems it has succeeded in infecting.
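The two ideas in the paragraphs above, the daily list of generated domain names and the sinkhole counting method, are easier to see in code. The following is an added example written for this page, not code from the article, from F-Secure or from the worm itself: the name generator is a hypothetical date-seeded stand-in (the real algorithm is not reproduced here), the TLD list is assumed, and the sinkhole log is constructed. It shows why a defender has to cover every name on the day's list while the authors need only one, and why counting distinct source IPs at a sinkhole runs low when many bots sit behind one NAT gateway.

```python
import datetime as dt
import hashlib
from collections import Counter

# Illustrative date-seeded generator. It is NOT Conficker's real algorithm;
# only the shape matters: a fixed number of names per day, derived from
# nothing but the date, so infected hosts and their controllers agree on
# the list without ever talking to each other.
TLDS = ("com", "net", "org", "info", "biz")   # assumed set of TLDs
NAMES_PER_DAY = 250                           # the figure quoted in the article


def candidate_domains(day, count=NAMES_PER_DAY):
    """Return the control-server names an infected host would try on `day`."""
    names = []
    for i in range(count):
        digest = hashlib.sha256(f"{day.isoformat()}:{i}".encode()).digest()
        length = 8 + digest[0] % 4                       # 8..11 letters
        label = "".join(chr(ord("a") + b % 26) for b in digest[1:1 + length])
        names.append(f"{label}.{TLDS[digest[-1] % len(TLDS)]}")
    return names


def defender_coverage(sinkholed, day):
    """Fraction of the day's names a defender has registered (sinkholed).
    Anything short of 1.0 leaves the authors a way in."""
    todays = candidate_domains(day)
    return sum(name in sinkholed for name in todays) / len(todays)


def attacker_reaches_bots(attacker_owned, day):
    """The worm's authors only need ONE of the day's names to push an update."""
    return any(name in attacker_owned for name in candidate_domains(day))


# Constructed sinkhole log, one (source IP, self-reported infections) pair per
# check-in. The three check-ins from 203.0.113.5 stand for three bots behind
# one corporate NAT gateway, which is why unique-IP counts run low.
SINKHOLE_LOG = [
    ("203.0.113.5", 0), ("203.0.113.5", 3), ("203.0.113.5", 1),
    ("198.51.100.7", 2),
    ("192.0.2.44", 0), ("192.0.2.44", 0),      # the same host checking in twice
    ("198.51.100.9", 5),
]


def estimate_infections(log):
    """The two counts the sinkhole method exposes: distinct IPs that checked
    in, and the further machines each bot says it infected via the flaw."""
    per_ip = Counter(ip for ip, _ in log)
    return {
        "unique_ips": len(per_ip),
        "checkins": len(log),
        "checkins_per_ip": dict(per_ip),
        "reported_children": sum(n for _, n in log),
    }


if __name__ == "__main__":
    today = dt.date(2009, 1, 16)
    names = candidate_domains(today)
    print(names[:3], "...")
    print("defender covering 25 names:", defender_coverage(set(names[:25]), today))
    print("attacker holding one name :", attacker_reaches_bots({names[137]}, today))
    print(estimate_infections(SINKHOLE_LOG))
```

Note that neither count in `estimate_infections` is a clean total on its own: distinct IPs collapse everything behind a NAT gateway into one, and the self-reported figures only cover machines infected through the patched flaw, not through USB sticks or network shares.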

Some experts say F-Secure's estimates are grossly inflated. Paul Royal, chief scientist for Damballa, an Atlanta-based security firm that has conducted similar tests by registering some of the domains Downadup hosts are seeking, estimates the total number of infected systems to be between 500,000 and one million.

"It's not as though their extrapolation methodology sounds unreasonable, it's not consistent with what we're seeing in terms of volume of hosts hitting" the control servers, Royal said.

But Roel Schouwenberg, senior antivirus researcher with Kaspersky Lab Americas, said F-Secure's estimates were probably lower than the actual number of infected systems. He said that's in part because infected systems reporting the number of machines they have in turn infected only count those that have been infested using the Microsoft flaw.

"The model they are using is, as they say, conservative. The actual number of machines that have been infected should have been higher," Schouwenberg said. "As I believe that the importance of the other replication methods is currently undervalued we could be looking at 10 million compromised machines easily."

Regardless, even if the worm authors of Downadup only control a half million PCs, that would far eclipse the size of the largest known collection of hacked PCs on the planet (see Meet the New Bots: Will We Get Fooled Again, for a look at this year's most massive and sophisticated botnets.)

So what diabolical plans does this worm have in store for host systems? Such a network certainly would make a very effective spamming machine for junk e-mail artists, but Damballa's Royal said there are no signs that the infected systems are being used for spam. Rather, he said, it appears the worm and its subsequent variants may have been created for no other purpose than to generate income for people who get paid to install rogue anti-virus software, so-called "scareware" products like "AntivirusXP2009," and "VirusRemover2009."

Royal said the original control server for Downadup used a Web service that also was used by a large number of sites that pushed rogue anti-virus products.

"Plus, the original downloader file installed [by the worm] looked suspiciously like the names of the rogue anti-virus installers we've seen," Royal said. "That strongly indicates that at the top of this pyramid is someone trying to make a lot of money from rogue anti-virus software sales."

It is likely that Microsoft itself will play a major part in cleaning up after this worm. As part of its regular Patch Tuesday cycle this week, Microsoft added Downadup to its "malicious software removal tool" (MSRT), an optional component that can scan for and remove some of the most prevalent threats in circulation today.

Windows users also can reduce their exposure to this worm and other malware that piggybacks on USB drives and other removable media by turning off the Autoplay feature in Windows. I included instructions for doing this in a recent blog post, and Microsoft publishes its own instructions as well.
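What Autoplay actually acts on when a stick is inserted is the drive's autorun.inf, which is how the USB spread described earlier and the Autoplay advice above fit together (the setting the advice refers to is the NoDriveTypeAutoRun policy value; at 0xFF Windows ignores autorun.inf on every drive type). The following is an added example, not code from the article or from any vendor: a small tolerant parser for autorun.inf plus a check that lists what the file would make Windows run. The three sample files are constructed; the junk-padded one imitates the way worm-dropped files are often stuffed with binary garbage between the real directives, and the payload path in it is made up.

```python
import re

# Constructed samples, not files taken from any real infection.
VENDOR_STYLE = "\n".join([
    "[autorun]",
    "open=setup.exe",
    "icon=setup.exe,0",
    "label=Vendor Drivers",
])

LABEL_ONLY = "[autorun]\nlabel=Holiday Photos\nicon=photos.ico\n"

# Padded with binary junk the way worm-dropped files often are, so that a
# naive line-by-line reader (or a signature) trips before reaching the
# directives Windows actually acts on. The payload path is invented.
JUNK_LADEN = "\n".join([
    "[autorun]",
    "\x8f\x91\x02=oIFjKp",                     # junk with a stray '='
    "\x7f\x80 garbage with no equals sign",
    "ACTION=Open folder to view files",        # mimics Explorer's own Autoplay entry
    r"shellexecute=rundll32.exe .\recycler\payload.dll,Start",
    r"shell\open\command=rundll32.exe .\recycler\payload.dll,Start",
    r"icon=%SystemRoot%\system32\shell32.dll,4",
])


def parse_autorun(text):
    """Return the directives in the [autorun] section, keys lower-cased.
    Lines that are not key=value text are skipped rather than treated as
    errors. The first occurrence of a key wins (an assumption of this example)."""
    section, directives = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            section = m.group(1).strip().lower()
            continue
        if section != "autorun" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        key = key.strip().lower()
        if re.fullmatch(r"[a-z0-9_\\]+", key):      # drops binary junk keys
            directives.setdefault(key, value.strip())
    return directives


def assess_autorun(text):
    """List what this autorun.inf would make Windows do with Autoplay enabled."""
    d = parse_autorun(text)
    findings = []
    for key in ("open", "shellexecute"):
        if key in d:
            findings.append(f"{key}= runs '{d[key]}' when Autoplay handles the drive")
    for key, value in d.items():
        if key.startswith("shell\\") and key.endswith("\\command"):
            findings.append(f"{key}= runs '{value}' on double-click or the context-menu verb")
    action = d.get("action", "")
    if re.search(r"open folder|view files", action, re.I):
        findings.append(f"action= disguises the entry as Explorer's own prompt: '{action}'")
    return findings


if __name__ == "__main__":
    for name, sample in (("vendor", VENDOR_STYLE), ("label-only", LABEL_ONLY),
                         ("junk-laden", JUNK_LADEN)):
        print(name, "->", assess_autorun(sample) or "nothing would be launched")
```

A vendor's driver disc legitimately uses `open=`, so the check reports what would run rather than passing judgement; the combination of a launch directive, a `shell\...\command` hijack and an `action=` line that copies Explorer's wording is what a practitioner should treat as suspicious.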

By Brian Krebs  |  January 16, 2009; 6:12 PM ET
Categories:  Fraud , From the Bunker , Latest Warnings , Safety Tips , Web Fraud 2.0  

Comments

It sounds like security researchers know which pseudo-random domain names the worm will try to connect to. Why don't they register one and use it to upload software that will turn the worm off?

Posted by: MrBomato | January 16, 2009 7:20 PM | Report abuse

F-Secure's numbers are strictly conservative by their standards and here's how: They registered some of the domains to see who would check in and they recorded the individual IP's of those machines that did. However, if a company is NAT-ing, which a lot of them are, then the IP shown is for the company. Therefore, behind that single IP there may be 10, 100, or 10,000 infected computers. Based on the m.o. of this worm, (infecting other machines in the company via network shares or USB) that is a frightening proposition. Paul Royal has apparently failed to take this into account.

Posted by: fiercesome | January 17, 2009 1:11 AM | Report abuse

Because, Mr. Bornato, unlike these hackers, security researchers have ethical standards to live by. Neither they nor anyone else has a general license to upload software onto other people's computers, even if the purpose is to benefit the computer owners. What if it somehow, unintentionally, affected those computers adversely?

Posted by: cmckeonjr | January 17, 2009 3:35 AM | Report abuse

MrBomato said,

It sounds like security researchers know which pseudo-random domain names the worm will try to connect to. Why don't they register one and and use it to upload software that will turn the worm off?
=====
The first problem is that you cannot predict the next set of pseudorandom domain names unless you know the algorithm and seed value for the pseudorandom name generator.

The second problem (if you solved the first problem) is that you would have to make sure that any software you uploaded to people's computers would work and not cause significant damage. The number of ways in which people can configure their computers is nearly limitless, and anything you uploaded would have to fix them all.

I think there are many people who are fortunate that this worm did nothing more than report the number of newly infected machines....

Posted by: Pablo01 | January 17, 2009 9:12 AM | Report abuse

Dude, time to get a Mac! I love being able to wake up knowing that I'm safe(er).

Posted by: SprocketWD | January 17, 2009 11:22 AM | Report abuse

Trying to remove yet another virus from your Windows machine? Give up. Dump it and start computing securely with Linux. Safe and *free of charge*. See http://www.ubuntu.com/ . You'll wonder how you ever put up with *and paid so dearly for* Windoze.

Posted by: hairguy01 | January 17, 2009 11:22 AM | Report abuse

The US Government is spending billions to spy on us and the world (Echelon). It would be nice if they could divert some of their expertise to solve these issues and stop these cyber-criminals - who are businessmen with plans to sell us "anti-virus" software.

Posted by: NMremote | January 17, 2009 2:43 PM | Report abuse

If my CD/DVD is set to "prompt me each time" is that ok or do I need to change it to take no action?

Posted by: mdsails | January 17, 2009 4:22 PM | Report abuse

Hello 80's:
"Peace" virus ships in with Adobe Pagemaker for the MAC!

Robert Morris CRASHES the internet with worm (oops, forgot the power of power ;) . His Father none other than Robert Morris father of unix and NSA 'scientist'.

Peter Norton: quoted in Byte magazine "... Computer viruses are an urban myth". He sure cashed in on that myth.

2009, 50 plus billion computer security dollars later, and the internet has more worms and more viruses, growing faster every day.

Yet even the most basic DOD rainbow guidelines from the 80's are ignored.

'Everyone' with a certificate is a security expert.. :(

Every suit and tie has a product to solve the problem. (cha-ching)

Every Government and Agency has guidelines, laws, rules...to push.

And yet we still have worms and viruses, would I be too forward looking?....to say we need to try something new!

Posted by: georgethornton1 | January 17, 2009 5:40 PM | Report abuse


I have been noticing unusual amounts of spam recently. Usually having to do with gift certificates or free merchandise. I am wondering if some of the infected machines are now sending this crap.

I work in the software industry, and I find this to be particularly annoying. Nobody seems to have a good idea for how to put an end to this once and for all, so all we have are these half measures and little patches that are barely able to keep up with the people who make these things.


Posted by: ericy | January 17, 2009 7:22 PM | Report abuse


Download and use KNOPPIX, which runs from read-only CD and can't be infected by a downloaded malware threat.

http://www.knoppix.org

It has OpenOffice so you can do anything you could do with MS-Office, pretty much.

I find it astonishing, given the weaknesses, that anyone anywhere uses that bug-riddled piece-of-filth operating system called "windoze".

And considering that our taxes are paying for it, you'd think that the various governments would stop placing their systems and our tax dollars at risk by sticking to that outmoded OS.

Posted by: thardman | January 17, 2009 8:00 PM | Report abuse

"Trying to remove yet another virus from your Windows machine? Give up. Dump it and start computing securely with Linux. Safe and *free of charge*. See http://www.ubuntu.com/ . You'll wonder how you ever put up with *and paid so dearly for* Windoze.


Posted by: hairguy01 | January 17, 2009 11:22 AM

Dude, time to get a Mac! I love being able to wake up knowing that I'm safe(er).

Posted by: SprocketWD | January 17, 2009 11:22 AM "

I love you guys, always so quick to say us this or that OS and be safe. If we all used those the hackers would be ripping them apart as quickly and efficiently as they do Windows machines.

Posted by: grobinette | January 17, 2009 8:05 PM | Report abuse

Just an FYI, if you use Vista there is an autoplay tab in the Control Panel. That useful bit of info was kind of hard to find among all the instructions for XP.

Posted by: pj48 | January 17, 2009 9:37 PM | Report abuse

So grobinette, you've stopped fighting and just use an unpatched version of Windoze, is that right? Brilliant.

Posted by: hairguy01 | January 17, 2009 10:19 PM | Report abuse

The infection blocks users' access to sites whose URL's include character strings like "windowsupdate," "norton," "kaspersky," and even "castlecops." See the list at http://www.sophos.com/security/analyses/viruses-and-spyware/malconfickera.html

Although Castlecops has been shut down, many of the same volunteers are doing malware removal assistance at http://spywarehammer.com/
Unfortunately, Conficker blocks access to any URL with "spyware" in it, too. Some of the Spywarehammer volunteers can at least be contacted through http://ksforum.inboxrevenge.com/ , though that site doesn't actually have the malware removal forums that spywarehammer does.

Posted by: AlphaCentauri | January 18, 2009 9:41 AM | Report abuse

I am currently fighting this worm at work. One more trick it is doing is trying to hack AD passwords. It is trying to log on as Administrator, Operator, and ASPNET, as well as several users' accounts. If this is happening your AD server's security log will show thousands of failures. It has also been overwhelming the AD servers at the top of the hour at night.

Posted by: nicholb | January 18, 2009 5:27 PM | Report abuse
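The account-guessing behaviour nicholb describes above is something a defender can spot from the domain controller's Security log alone. The following is an added example, not part of the article or of the comment, that runs a simple spray detector over constructed failed-logon records (event ID 529 on Windows Server 2003, 4625 on Server 2008 and later). The host names, account names and timestamps are assumptions of the example; it separates one host hammering many accounts, the pattern described in the comment, from a user mistyping a password or a service with a stale credential.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records, not real log data: failed logons from a domain
# controller's Security log (event 529 on Windows Server 2003, 4625 on Server
# 2008 and later) reduced to the fields the check needs.
def _ev(ts, user, workstation, event_id=4625):
    return {"time": datetime.fromisoformat(ts), "event_id": event_id,
            "target_user": user, "workstation": workstation}

SAMPLE_EVENTS = []
# 1) an infected workstation walking a list of accounts at the top of the hour
_spray = ["Administrator", "Operator", "ASPNET", "jsmith", "mlee"]
for i in range(30):
    SAMPLE_EVENTS.append(_ev(f"2009-01-18T02:00:{i:02d}", _spray[i % 5], "WS-ACCT-07"))
# 2) a user mistyping a password a few times over ten minutes
for m in (3, 5, 9, 13):
    SAMPLE_EVENTS.append(_ev(f"2009-01-18T02:{m:02d}:10", "rjones", "WS-HR-02"))
# 3) a service with a stale password hammering ONE account (noisy, not a spray)
for i in range(15):
    SAMPLE_EVENTS.append(_ev(f"2009-01-18T02:01:{i * 4:02d}", "svc-backup", "SRV-BKP-01", 529))


def find_spray_sources(events, window=timedelta(minutes=5),
                       min_failures=10, min_accounts=3):
    """Per source workstation, slide `window` over its failed logons and report
    the busiest window with >= min_failures failures spread over >= min_accounts
    distinct accounts. Many failures against one account is usually a stale
    credential; many accounts from one host is a spray."""
    by_source = defaultdict(list)
    for e in events:
        if e["event_id"] in (529, 4625):
            by_source[e["workstation"]].append(e)

    hits = {}
    for source, evs in by_source.items():
        evs.sort(key=lambda e: e["time"])
        lo, best = 0, None
        for hi in range(len(evs)):
            while evs[hi]["time"] - evs[lo]["time"] > window:
                lo += 1                      # shrink the window from the left
            span = evs[lo:hi + 1]
            accounts = {e["target_user"].lower() for e in span}
            if len(span) >= min_failures and len(accounts) >= min_accounts:
                if best is None or len(span) > best["failures"]:
                    best = {"failures": len(span), "accounts": sorted(accounts),
                            "window_start": evs[lo]["time"].isoformat()}
        if best:
            hits[source] = best
    return hits


if __name__ == "__main__":
    for source, hit in find_spray_sources(SAMPLE_EVENTS).items():
        print(f"{source}: {hit['failures']} failures against {hit['accounts']} "
              f"starting {hit['window_start']}")
```

Run against a real export, the workstation field is what makes the result actionable: it names the infected host rather than the accounts being guessed, and the `window_start` values will cluster at the top of the hour if the worm behaves as the comment describes.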

I think I got an early version of this thing back in November when I let someone use my computer and they didn't click carefully. Luckily, McAfee was able to quarantine it (at least it says it did) before it got very far. That is why I think it was an early version--this one seems much more aggressive. Really scary when you think what could be done with it. Almost makes me want to unplug...almost!

Posted by: demeter1216 | January 21, 2009 12:14 AM | Report abuse


 
 

© 2010 The Washington Post Company