Tricky Windows Worm Wallops Millions
A sneaky computer worm that uses a virtual Swiss army knife of attack techniques has infected millions of Microsoft Windows PCs, and appears to be spreading at a fairly rapid pace, security experts warn.
Also, while infected PCs could be used for a variety of criminal purposes -- from relaying spam to hosting scam Web sites -- there are signs that this whole mess may be an attempt to further spread so-called "scareware," which uses fake security alerts to frighten consumers into purchasing bogus computer security software.
The worm, called "Downadup" and "Conficker" by different anti-virus companies, attacks a security hole in a networking component found in most Windows systems. According to estimates from Finnish anti-virus maker F-Secure Corp., the worm has infected between 2.4 million and 8.9 million computers during the last four days alone.
If accurate, those are fairly staggering numbers for a worm that first surfaced in late November. Microsoft issued an emergency patch to fix the flaw back in October, but many systems likely remain dangerously exposed.
One reason is that businesses generally test patches before deploying them on internal networks, to ensure the updates don't break custom software applications. In the meantime, an infected laptop plugged into a vulnerable corporate network can quickly spread the contagion to all unpatched systems inside that network.
But the worm also has methods for infecting systems that are already patched against the Windows vulnerability. According to an analysis last week by Symantec, the latest versions of Downadup copy themselves to all removable or mapped drives on the host computer or network. This means that if a USB stick is inserted into an infected system, that stick will carry the infection over to the next Windows machine that reads it. That's an old trick, but apparently one that is still very effective.
Security experts say the worm instructs infected hosts each day to visit one or more of about 250 potential control servers -- basically, pseudo-random domain names -- in order to download instructions or malicious software updates from the worm's authors. With such a system, security experts would have to register all 250 domains each day in order to kill off the worm, a costly and untenable solution. In contrast, the worm authors need only register one of those 250 domains to update all infected systems with new instructions and software.
F-Secure arrived at its infection estimates by registering a number of those domains, and then watching to see how many infected systems would try to contact the control servers. In addition to counting the number of bots reporting in for duty, researchers found another way to count victim PCs: Turns out, each infected host reporting to the control server is configured to report the number of Windows systems it has succeeded in infecting.
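As an added illustration of the two defender-side observations above (this is example code, not from the article, F-Secure or Damballa): a host walking its daily list of mostly unregistered rendezvous domains shows up in resolver logs as a burst of NXDOMAIN answers from one client, and registering a few of the candidate domains lets a researcher count the distinct clients that call in. The log lines, domain names, sinkhole name and threshold below are all constructed for the example.

```python
import re
from collections import defaultdict

# Constructed resolver log (not real data): <ISO timestamp> <client> <name> <rcode>
SAMPLE_LOG = """\
2009-01-16T08:01:02 10.0.0.5 www.example.com NOERROR
2009-01-16T08:01:09 10.0.0.5 qzwkeurty.biz NXDOMAIN
2009-01-16T08:01:10 10.0.0.5 lpoamvncx.info NXDOMAIN
2009-01-16T08:01:12 10.0.0.5 trewqasdf.org NXDOMAIN
2009-01-16T08:01:13 10.0.0.5 mnbvcxzlk.net NXDOMAIN
2009-01-16T08:01:15 10.0.0.5 yuiopasdf.biz NXDOMAIN
2009-01-16T08:01:16 10.0.0.5 sinkhole-a.example.net NOERROR
2009-01-16T09:30:00 10.0.0.7 gooogle.com NXDOMAIN
2009-01-16T09:31:00 10.0.0.7 www.example.com NOERROR
2009-01-16T10:02:41 10.0.0.9 sinkhole-a.example.net NOERROR
2009-01-17T08:02:00 10.0.0.5 asdfghjkl.info NXDOMAIN
"""

LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2})T\S+ (\S+) (\S+) (\S+)$")


def parse_log(text):
    """Return (day, client, name, rcode) tuples, skipping malformed lines."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            records.append(m.groups())
    return records


def nxdomain_bursts(records, threshold=5):
    """Clients that hit >= threshold distinct NXDOMAIN names in one day.

    Most of a daily list of pseudo-random rendezvous domains is never
    registered, so an infected host produces exactly this pattern. The
    threshold is a constructed value for the sample; tune it to your network.
    """
    names = defaultdict(set)
    for day, client, name, rcode in records:
        if rcode == "NXDOMAIN":
            names[(client, day)].add(name.lower())
    return sorted((c, d, len(n)) for (c, d), n in names.items() if len(n) >= threshold)


def sinkhole_clients(records, sinkholes):
    """Distinct clients that reached a registered (sinkholed) rendezvous domain."""
    wanted = {s.lower() for s in sinkholes}
    return sorted({client for _, client, name, _ in records if name.lower() in wanted})


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print(nxdomain_bursts(recs))                               # [('10.0.0.5', '2009-01-16', 5)]
    print(sinkhole_clients(recs, ["sinkhole-a.example.net"]))  # ['10.0.0.5', '10.0.0.9']
```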
Some experts say F-Secure's estimates are grossly inflated. Paul Royal, chief scientist for Damballa, an Atlanta-based security firm that has conducted similar tests by registering some of the domains Downadup hosts are seeking, estimates the total number of infected systems to be between 500,000 and one million.
"It's not as though their extrapolation methodology sounds unreasonable, it's not consistent with what we're seeing in terms of volume of hosts hitting" the control servers, Royal said.
But Roel Schouwenberg, senior antivirus researcher with Kaspersky Lab Americas, said F-Secure's estimates were probably lower than the actual number of infected systems. He said that's in part because infected systems reporting the number of machines they have in turn infected only count those that have been infested using the Microsoft flaw.
"The model they are using is, as they say, conservative. The actual number of machines that have been infected should have been higher," Schouwenberg said. "As I believe that the importance of the other replication methods is currently undervalued we could be looking at 10 million compromised machines easily."
Regardless, even if the authors of Downadup control only a half million PCs, that would far eclipse the size of the largest known collection of hacked PCs on the planet (see Meet the New Bots: Will We Get Fooled Again for a look at this year's most massive and sophisticated botnets).
So what diabolical plans does this worm have in store for host systems? Such a network certainly would make a very effective spamming machine for junk e-mail artists, but Damballa's Royal said there are no signs that the infected systems are being used for spam. Rather, he said, it appears the worm and its subsequent variants may have been created for no other purpose than to generate income for people who get paid to install rogue anti-virus software, so-called "scareware" products like "AntivirusXP2009," and "VirusRemover2009."
Royal said the original control server for Downadup used a Web service that also was used by a large number of sites that pushed rogue anti-virus products.
"Plus, the original downloader file installed [by the worm] looked suspiciously like the names of the rogue anti-virus installers we've seen," Royal said. "That strongly indicates that at the top of this pyramid is someone trying to make a lot of money from rogue anti-virus software sales."
It is likely that Microsoft itself will play a major part in cleaning up after this worm. As part of its regular Patch Tuesday cycle this week, Microsoft added Downadup to its "malicious software removal tool" (MSRT), an optional component that can scan for and remove some of the most prevalent threats in circulation today.
Windows users also can reduce their exposure to this worm and other malware that piggybacks on USB drives and other removable media by turning off the Autoplay feature in Windows. I included instructions for doing this in a recent blog post. Microsoft also has instructions for doing this here and here.
January 16, 2009; 6:12 PM ET
Categories: Fraud , From the Bunker , Latest Warnings , Safety Tips , Web Fraud 2.0