Potential 'big badass botnet' spreading fast

Summary: F-Secure says the Microsoft-flaw-exploiting Downadup worm infected more than a million PCs on Wednesday. The company warns of a "big badass botnet" forming.

The 'Downadup' worm is spreading quickly and now infects more than 3.5 million PCs, according to the security company F-Secure.

In a blog post on Wednesday, F-Secure put the total number of infected machines at an estimated 3,521,230 — a rise of more than a million machines over the previous day's tally. The security firm bases its estimates on information it has gleaned by tapping into infected machines.

Downadup, which also goes by the name of Conficker, exploits a vulnerability outlined in MS08-067, a flaw in the Windows Server service that was patched in October. It also runs a dictionary attack in an attempt to crack user passwords, and the repeated failed logins trigger lockouts of user accounts in the Active Directory domain. It emerged a week ago that Downadup can also infect USB sticks, giving it a second propagation path on the client side.

F-Secure's chief research officer, Mikko Hyppönen, wrote in a blog post on Tuesday that the infected PCs had the potential to form "one big badass botnet". Hyppönen pointed out that the Downadup worm works by trying to connect to various web addresses. "If the worm finds an active web server at one of these domains, it will download and run a particular executable — thus giving the malware gang a free hand to do whatever they want with all of the infected machines," he wrote.

"[Downadup] uses a complicated algorithm which changes daily and is based on timestamps from public websites such as Google.com and Baidu.com," Hyppönen wrote. "With this algorithm, the worm generates many possible domain names every day… This makes it impossible and/or impractical for us good guys to shut them all down — most of them are never registered in the first place. However, the bad guys only need to predetermine one possible domain for tomorrow, register it, and set up a website — and they then gain access to all of the infected machines. Pretty clever."

Hyppönen then said F-Secure had determined some domains that would be generated by Downadup, and registered them. It was through this method, which gave the firm access to the infected machines, that F-Secure has been able to determine the approximate number of victims.

"Right now, we're seeing hundreds of thousands of unique IP addresses connecting to the domains we've registered," Hyppönen wrote. "A very large part of that traffic is coming from corporate networks, through firewalls, proxies, and NAT routers. Meaning that one unique IP address that we see could very well be 2,000 infected workstations in real life."
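The sinkholing approach Hyppönen describes (pre-compute a slice of tomorrow's generated domains, register them, and count what connects) can be modelled from the defender's side. The following is an added, constructed example and not F-Secure's tooling; Conficker's real generator is not on this page, so `candidate_domains` is a hypothetical date-seeded SHA-256 scheme standing in for the reverse-engineered algorithm, and the sinkhole access log, the IP addresses and the 3-domain registration budget are all constructed. The NAT multiplier of 2,000 is taken from the quote above purely as an illustrative upper bound.

```python
"""Defender-side model of sinkholing a domain-generation worm (constructed example)."""
import hashlib
from collections import defaultdict
from datetime import date, timedelta

# Assumption: the hypothetical generator picks from this small TLD pool.
TLDS = ("com", "net", "org")


def candidate_domains(day, count=250, seed=b"example-seed"):
    """Hypothetical date-seeded generator (NOT Conficker's algorithm).

    The point it demonstrates: the scheme is deterministic, so whoever has
    reverse-engineered it, attacker or defender, computes the same list for
    any given day ahead of time.
    """
    out = []
    for i in range(count):
        digest = hashlib.sha256(seed + day.isoformat().encode() + i.to_bytes(2, "big")).digest()
        length = 8 + digest[8] % 5                       # labels of 8..12 characters
        label = "".join(chr(ord("a") + b % 26) for b in digest[:length])
        out.append(f"{label}.{TLDS[digest[9] % len(TLDS)]}")
    return out


def registered_domains(day, how_many=3):
    """The defender's registration budget: a small slice of the day's candidates.

    The attacker only needs one working domain; the defender likewise only needs
    one to observe the population, which is why a partial registration suffices.
    """
    return candidate_domains(day)[:how_many]


def sinkhole_summary(log_lines, sinkholed, nat_factor=1):
    """Count distinct source IPs per sinkholed domain from access-log lines.

    Each line is "<timestamp> <source-ip> <host>". One source IP behind a NAT
    gateway or proxy may hide many infected hosts, so the unique-IP count is a
    lower bound; nat_factor gives an illustrative upper bound.
    """
    seen = defaultdict(set)
    ignored = 0
    for line in log_lines:
        try:
            _ts, ip, host = line.split()
        except ValueError:                               # malformed line
            ignored += 1
            continue
        if host in sinkholed:
            seen[host].add(ip)
        else:                                            # traffic for domains we do not hold
            ignored += 1
    unique_ips = set().union(*seen.values()) if seen else set()
    return {
        "per_domain": {d: len(seen[d]) for d in sinkholed},
        "unique_ips": len(unique_ips),
        "lower_bound": len(unique_ips),
        "upper_bound": len(unique_ips) * nat_factor,
        "ignored_lines": ignored,
    }


# Constructed scenario: on DAY the defender computes and registers three of
# NEXT_DAY's candidates, then reads the sinkhole log on NEXT_DAY.
DAY = date(2009, 1, 15)
NEXT_DAY = DAY + timedelta(days=1)
SINKHOLED = registered_domains(NEXT_DAY)

# Constructed log: documentation-range IPs, one NAT gateway hitting two domains.
SAMPLE_LOG = [
    f"2009-01-16T00:01:02 203.0.113.7 {SINKHOLED[0]}",
    f"2009-01-16T00:01:05 203.0.113.7 {SINKHOLED[1]}",   # same gateway, second domain
    f"2009-01-16T00:02:11 198.51.100.23 {SINKHOLED[0]}",
    f"2009-01-16T00:02:40 192.0.2.99 {SINKHOLED[2]}",
    "2009-01-16T00:03:00 192.0.2.5 unrelated.example",    # not one of ours, ignored
    "garbage line",                                        # malformed, ignored
]


def summary_for_sample():
    """Run the sample scenario; returns 3 unique IPs, upper bound 6000 at x2000."""
    return sinkhole_summary(SAMPLE_LOG, SINKHOLED, nat_factor=2000)


if __name__ == "__main__":
    print("registered for", NEXT_DAY, ":", SINKHOLED)
    print(summary_for_sample())
```

The two functions show the asymmetry in the quote: `candidate_domains` produces hundreds of names a day that nobody could take down in bulk, while `registered_domains` shows that holding even a few of them is enough to see the infected population. The `lower_bound`/`upper_bound` pair makes the NAT caveat explicit rather than reporting a single misleading count.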

Graham Cluley, senior technology consultant at Sophos, told ZDNet UK on Thursday that "businesses should already have patched this vulnerability when the Microsoft patch came out some weeks ago". He urged those businesses that had not yet patched to do so as soon as possible, adding that companies should check laptops and USBs coming into the company, for example, by using a network access control (NAC) product.


Talkback

39 comments
  • Wait a Minute..What OS Does It Exploit?? What OS??

    Yes, WINDOWS.

    Take that and stick it in your FUD pipe Loverock.
    itanalyst2@...
    • Which part of...

      Which part of "...patched since October" did you not understand? Did your beloved Linux/OS X not also have at least one severe vulnerability patched since October?

      The only thing it proves is that with Windows' massive success, even a small percentage of unpatched systems is still enough to spread something like this.

      Now let that be a lesson to those that think they are "smart" by not patching OSes when they should. You know, "smart" people that turn off automatic updates.
      Qbt
      • You have to forgive him

        This guy is obsessed with me. Just like he mentioned me in his post, he follows me around on other talkbacks as well, and if I don't post he always asks for me. I think he's sick in the mind to be so obsessive over me, but it is a bit flattering.
        Loverock Davidson
        • Still Running From My Challenge Lovey?

          BAWK BAWK BAWK!!!
          itanalyst2@...
          • Mac OS 6.8 or Windows 3.11

            No network, no problem.
            phatkat
        • So long as he is not a Mark Chapman

          Watch your backside... He seems to be OS obsessed... I may not be a fan of Windows but I do enjoy the banter...
          agohige
      • And yet there are still at least

        3.5 million systems infected with more falling every hour... [url=http://blogs.zdnet.com/security/?p=2388]and if I am reading[/url] this correctly being patched isn't good enough... I am going to go back and read some more when I can... ]:)
        Linux User 147560
        • You are not reading it correctly

          Basically, bad wording on ZDNet's part:

          [i]...spreading through the now patched MS08-067..[/i]

          Should really be reworded to something like:

          [i]...spreading through systems that have not yet been patched with MS08-067...[/i]

          But I am sure that doesn't matter. What matters is making it sound as if Windows is just insecure, minimizing the fact that it has been patched months ago and that the sheer number of Windows systems makes even a small percentage of unpatched systems a worthwhile target.

          If you patch 90% of all Windows systems on the planet, there are still more unpatched Windows systems than there are OSX and Linux systems combined (talking about desktop here). I guess you need to be really dumb not to see why they keep going after Windows. If the idiots that turn off automatic updates would just get a wake-up slap, this would become much less of a problem.
          Qbt
          • So if...

            ...this was happening to Apple or Linux based systems it would be because they are rubbish. Because it's happening to the "bestest OS evah (tm)", it's because the other two are rubbish and not "bestest OS evah (tm)". Nice logic. Yes GNU/Linux and Apple issue regular updates and patches, but Windows excels at it!!! Gentlemen, I give you patch Tuesday. NONE of the other OSes are patched with that much regularity, and it's not because they are slow or rubbish, quite the opposite, it's because the kernels are inherently more stable. Besides, with the market share Microsoft have, they [i]should[/i] do better.
            SimonUK
          • Ubuntu

            I get patched at least a couple of times a week on Ubuntu 8.04-LTS. The only time I ever noticed not getting patched was about a two week span over the past holiday season. But that doesn't mean the subsequent release (8.10) wasn't patched. Canonical does a great job of keeping supported releases of Ubuntu updated and secure.
            djchandler
          • This is such nonsense

            The idea that Mac systems are virus free is complete rubbish. I manage IT for a broadcast production company in London; we have a lot of contributors who are Mac users and often submit their data on USB flash drives or external drives - these drives are riddled with viruses. Mac systems are typically full of viruses; just because they aren't apparent to a Mac user doesn't make those systems any more secure, in fact, unknowingly transferring malicious viruses is even less secure. To pretend otherwise and sit there with the attitude, "Well, it doesn't affect MY system," is completely stupid. The minute one of those drives or infected documents is passed to the target platform, that system is vulnerable.

            It's the same thing as a moronic Windows user who doesn't use a virus scanner, wonders why their computer is SO slow and is ignorant to the fact that their system is part of a botnet; the viruses are there on a Mac system even if they remain undetected by the user and eventually they will be transmitted. All computer systems should have virus scanners, regardless of the platform.

            Also, what a tiresome nonsense it is to listen to users of a minority platform pretending the system is somehow more secure. Microsoft Windows is on at least 90% of the world's desktops; target a vulnerability and you're potentially affecting 90% of the world's computer users. Windows is obviously more exposed by the sheer size of its user base. Pretending that Mac OS X is some kind of invulnerable, ultra-hardened OS is just a joke. Frankly, you should find better things to do with your time.
            soneil66
          • What's needed to install a Linux virus on your computer.

            Nothing to do with Marketshare link: http://talkback.zdnet.com/5208-9595-0.html?forumID=1&threadID=56532&messageID=1070705&start=-9966
            Joe.Smetona
          • If you patch *100%* of all Windows systems on the planet ...

            They still won't be protected from future vulnerabilities until *after* an appropriate "patch" is written and subsequently applied.

            You can say that my chances of getting killed by a lightning strike are --- statistically --- greater than getting killed in a skydiving accident (or getting my Windows system infected).

            Time out. I don't go skydiving, so the odds of my getting killed that way are ZERO.

            And, I don't do Windows. So, my chances of getting the Conficker worm are ZERO.

            But, hey, Swiss Cheese is still full of holes.

            Bwaaaa haaaa haaaa
            brian ansorge
          • But...

            What if a skydiver strikes (lands on top of, hits) you as you're walking down the road minding your own business. For that matter, even if you're in your car and the parachute obliterates your view and you subsequently crash, your chances aren't zero.

            Freakish things do happen.
            djchandler
      • Well...

        Flaws unexploited are not as much fun as flaws exploited. That and in case you (or Microsoft) have yet to notice, when "patch Tuesday" comes around those with the inclination are given more targets to aim for. After all, there are enough people in the Microsoft ecosystem that can't patch (for lots of valid reasons), or don't patch (for all sorts of reasons).

        Given Microsoft's vast human and financial resources, it is surprising that they churn out code that is so exploitable, both in the past and now. That they couple that with a giant neon sign called "patch Tuesday" that gives the message "hurt me now and hurt me often" so very loud and clear is just annoying.
        zkiwi
        • Management is the problem...

          When your management is hounding you to get it out on time... You tend to black box code. Reuse old code, get it done... Where is that mouse subroutine... I will use this one.
          Coders do not code from scratch anymore. They rely on blackbox code way too much.
          So you then get the same errors passed on to each OS... Each update and it never ends...
          How often do you remember patching DOS?
          agohige
      • We do not always patch.

        Too many times these patches break what is used. SP3 for XP made Vista look good. But 80% of the Software we run is not EVER going to be made for Vista. We use a solid AV/Firewall and have not had any problems. Some patches I tell my users to do, others I tell them forget it. We do not use IE7 - we went to Firefox. We are slowly dumping Microsoft all together. If I have to have users learn a new OS and Office suite, I might as well have them learn something Free, Faster, and keep the older hardware and $$$$ in the company.
        agohige
        • We do not always patch. You can run but not hide.

          Look at my first post, I'm Bill1William. What we are seeing is an attack on the predominant OS, not MS in particular. It seems that most people think virus attacks are from crazies or people with an axe to grind. I have changed from that point of view. Now I think this is motivated by money. In either case, when most people change OS, as soon as the new OS is dominant the virus writers will follow. Who might profit from a virus? Antivirus companies, other OS companies, and others I can't think of right now. Most virus attacks use a feature of the OS or app meant to enhance the usability of the software. We want *.dll's but then some virus writer uses it as a way to mess up your computer.
          No I don't work for or even like MS but put the blame where it belongs, on the criminal.
          Bill1William
    • Windows Exploit

      There is not enough market share to justify writing stuff for Mac and Linux. As I write this post on my MacBook Pro, I hope Apple's market share stays that way. I do not fool myself into believing that my Mac is that much more secure than any other OS.
      MichaelWells
      • Why GNU/Linux Viruses are fairly uncommon (Joke) :-)

        "Why GNU/Linux Viruses are fairly uncommon" from
        Charlie Harvey
        evilmalware 0.6 (beta)

        Copyright 2000, 2001, 2003, 2005
        E\/17 |-|4><0|2z Software Foundation, Inc.

        This is free software; see the source for copying
        conditions. There is NO warranty; not even for
        MERCHANTABILITY, COMPLETE DESTRUCTION OF IMPORTANT
        DATA or FITNESS FOR A PARTICULAR PURPOSE (eg. sending
        thousands of Viagra spams to people across the
        world).

        Basic Installation
        ==================

        Before attempting to compile this virus make sure you
        have the correct version of glibc installed, and that
        your firewall rules are set to `allow everything'.

        1. Put the attachment into the appropriate directory
        eg. /usr/src

        2. Type `tar xvzf evilmalware.tar.gz' to extract the
        source files for this virus.

        3. `cd' to the directory containing the virus's source
        code and type `./configure' to configure the virus for
        your system. If you're using `csh' on an old version
        of System V, you might need to type `sh ./configure'
        instead to prevent `csh' from trying to execute
        `configure' itself.

        4. Type `make' to compile the package. You may need to
        be logged in as root to do this.

        5. Optionally, type `make check_payable' to run any
        self-tests that come with the virus, and send a large
        donation to an unnumbered Swiss bank account.

        6. Type `make install' to install the virus and any
        spyware, trojans xxxxxxxxxxx, xxxxx xxxxxxxxxxx
        adverts and DDoS attacks that come with it.

        7. You may now configure your preferred malware
        behaviour in /etc/evilmalware.conf .

        SEE ALSO
        evilmalware(1), evilmalware.conf(5),
        please_delete_all_my_files(1)

        ***********
        Marketshare? -nothing at all to do with marketshare.
        Joe.Smetona