Potential 'big badass botnet' spreading fast
Summary: F-Secure says the Microsoft-flaw-exploiting Downadup worm infected more than a million PCs on Wednesday. The company warns of a "big badass botnet" forming.
In a blog post on Wednesday, F-Secure put the total number of infected machines at an estimated 3,521,230, a rise of more than a million over the previous day's tally. The security firm bases its estimates on connections it observes from infected machines to domains it has registered ahead of the worm's operators (see below).
Downadup, which also goes by the name of Conficker, exploits the vulnerability described in MS08-067, a flaw in the Windows Server service that Microsoft patched in October. On networks it reaches, the worm also runs a dictionary attack in an attempt to guess user passwords; the flood of failed logons trips account-lockout policies, locking legitimate users out of the Active Directory domain. It emerged a week ago that Downadup can also infect USB sticks, so it propagates via removable media as well as over the network, reaching machines the network exploit cannot.
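The account lockouts described above are a by-product of the worm guessing many passwords from one machine in a short time, and that pattern is visible in the domain controller's Security log long before the lockouts pile up. The following is an added example, not code from the article or from F-Secure: it runs a simple detection over constructed sample events written in a simplified `time,event_id,account,source` form (real Security events are EVTX/XML and would need a proper parser). Event ID 4625 is a failed logon, 4740 is an account lockout; the thresholds and host names are assumptions.

```python
"""Flag worm-style password guessing in Windows Security events.

Added example (not part of the original article). Sample log lines are
constructed for illustration; the field layout is a simplification of
the real event schema. Event IDs: 4625 = failed logon, 4740 = lockout.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: one workstation fails against five accounts in four
# seconds (worm-like spray), another is a user mistyping their own password.
SAMPLE_EVENTS = """\
2009-01-14T09:00:01,4625,alice,WS-0412
2009-01-14T09:00:02,4625,bob,WS-0412
2009-01-14T09:00:02,4625,carol,WS-0412
2009-01-14T09:00:03,4625,dave,WS-0412
2009-01-14T09:00:04,4625,erin,WS-0412
2009-01-14T09:00:05,4740,alice,WS-0412
2009-01-14T09:00:06,4740,bob,WS-0412
2009-01-14T09:05:10,4625,frank,WS-0077
2009-01-14T09:07:30,4625,frank,WS-0077
"""


def parse_events(text):
    """Parse the simplified event lines into (timestamp, event_id, account, source)."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, eid, account, source = line.split(",")
        events.append((datetime.fromisoformat(ts), int(eid), account, source))
    return events


def find_sprayers(events, window=timedelta(seconds=60), min_accounts=4):
    """Return {source: accounts} for sources whose failed logons hit at least
    `min_accounts` distinct accounts inside one sliding time window.

    A single user retrying their own password never trips this, because the
    distinct-account count stays at one no matter how many failures occur.
    """
    failures = defaultdict(list)
    for ts, eid, account, source in events:
        if eid == 4625:
            failures[source].append((ts, account))

    flagged = {}
    for source, fails in failures.items():
        fails.sort()
        start = 0
        for end in range(len(fails)):
            # Slide the window start forward until it covers at most `window`.
            while fails[end][0] - fails[start][0] > window:
                start += 1
            accounts = {a for _, a in fails[start:end + 1]}
            if len(accounts) >= min_accounts:
                flagged[source] = accounts
                break
    return flagged


def lockouts_by_source(events):
    """Count 4740 lockouts per originating host, the damage the spray leaves behind."""
    counts = defaultdict(int)
    for _, eid, _, source in events:
        if eid == 4740:
            counts[source] += 1
    return dict(counts)


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    print("spraying hosts:", find_sprayers(evs))
    print("lockouts by host:", lockouts_by_source(evs))
```

Keying the detection on distinct target accounts per source host, rather than on raw failure counts, is what separates a propagating worm from a forgetful user; the flagged source host is also the machine to pull off the network first.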
F-Secure's chief research officer, Mikko Hyppönen, wrote in a blog post on Tuesday that the infected PCs had the potential to form "one big badass botnet". Hyppönen pointed out that the Downadup worm phones home by trying to connect to a list of web addresses it computes itself. "If the worm finds an active web server at one of these domains, it will download and run a particular executable — thus giving the malware gang a free hand to do whatever they want with all of the infected machines," he wrote.
"[Downadup] uses a complicated algorithm which changes daily and is based on timestamps from public websites such as Google.com and Baidu.com," Hyppönen wrote. "With this algorithm, the worm generates many possible domain names every day… This makes it impossible and/or impractical for us good guys to shut them all down — most of them are never registered in the first place. However, the bad guys only need to predetermine one possible domain for tomorrow, register it, and set up a website — and they then gain access to all of the infected machines. Pretty clever."
Hyppönen then said F-Secure had worked out some of the domains Downadup would generate and registered them itself. Because infected machines connect to the domains on each day's list, the registrations gave the firm a view of the infected population, and it is this method that F-Secure uses to estimate the number of victims.
"Right now, we're seeing hundreds of thousands of unique IP addresses connecting to the domains we've registered," Hyppönen wrote. "A very large part of that traffic is coming from corporate networks, through firewalls, proxies, and NAT routers. Meaning that one unique IP address that we see could very well be 2,000 infected workstations in real life."
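The asymmetry Hyppönen describes, and the NAT caveat in his last sentence, can be made concrete. Below is an added example written for this page; it is not Conficker's algorithm and not F-Secure's code. The real worm seeded its generator from timestamps fetched from public web sites, while this toy version seeds from the calendar date so it runs offline; the domain count per day, the label length, the TLD list and the sample bot population are all assumptions.

```python
"""Toy date-seeded domain generation algorithm (DGA) plus a sinkhole view.

Added example, not Conficker's real algorithm. Shows three things from the
article: both sides can compute tomorrow's list, the attacker needs to own
only one name on it, and a sinkhole that owns any name on it sees every
bot, but counts public IPs rather than infected hosts.
"""
import hashlib
from datetime import date, timedelta

TLDS = ("com", "net", "org", "biz", "info")  # assumed TLD set


def candidate_domains(day, count=250, length=9):
    """Deterministically derive `count` candidate domains for `day`.

    Anyone who knows the algorithm, attacker or defender, gets the same list,
    which is the whole point: the bot never needs to be told where to go.
    """
    domains = []
    for i in range(count):
        digest = hashlib.sha256(f"{day.isoformat()}:{i}".encode()).digest()
        label = "".join(chr(ord("a") + b % 26) for b in digest[:length])
        tld = TLDS[digest[length] % len(TLDS)]
        domains.append(f"{label}.{tld}")
    return domains


def contacted_domains(day, live_domains):
    """A bot tries every candidate for the day; return the ones that are live."""
    live = set(live_domains)
    return [d for d in candidate_domains(day) if d in live]


def takedown_cost(days):
    """Names a defender would have to register to block every rendezvous for `days`."""
    return days * len(candidate_domains(date(2009, 1, 14)))


def sinkhole_view(day, sinkhole_domains, bots):
    """Simulate what a sinkhole operator sees.

    bots: list of (host_id, public_ip). Several hosts behind one NAT share a
    public IP. Returns (unique_ips_seen, infected_hosts) so the undercount is
    visible side by side.
    """
    if not contacted_domains(day, sinkhole_domains):
        return 0, 0
    ips = {ip for _, ip in bots}
    return len(ips), len(bots)


if __name__ == "__main__":
    tomorrow = date(2009, 1, 15)
    todays_list = candidate_domains(tomorrow)
    attacker_domain = todays_list[17]        # attacker registers one name
    sinkhole = todays_list[:10]              # defender pre-registers ten
    print("attacker reaches bots:", bool(contacted_domains(tomorrow, [attacker_domain])))
    print("sinkhole reaches bots:", bool(contacted_domains(tomorrow, sinkhole)))
    print("names to block a year of rendezvous:", takedown_cost(365))
    # Constructed bot population: three hosts behind one corporate NAT,
    # one behind another, one at home.
    bots = [("ws1", "203.0.113.10"), ("ws2", "203.0.113.10"),
            ("ws3", "203.0.113.10"), ("ws4", "198.51.100.7"),
            ("home", "192.0.2.55")]
    print("sinkhole sees (ips, hosts):", sinkhole_view(tomorrow, sinkhole, bots))
```

Running it shows the attacker's single registration and the defender's ten both "reach" every bot, while blocking a year of rendezvous would take tens of thousands of registrations, and the sinkhole's IP count (3) understates the five infected hosts, which is exactly why F-Secure treats its unique-IP figures as a lower bound.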
Graham Cluley, senior technology consultant at Sophos, told ZDNet UK on Thursday that "businesses should already have patched this vulnerability when the Microsoft patch came out some weeks ago". He urged those businesses that had not yet patched to do so as soon as possible, adding that companies should check laptops and USB devices coming into the company, for example, by using a network access control (NAC) product.
Talkback
Wait a Minute..What OS Does It Exploit?? What OS??
Take that and stick it in your FUD pipe Loverock.
Which part of...
The only thing it proves is that with Windows' massive success, even a small percentage of unpatched systems are still enough to spread something like this.
Now let that be a lesson to those that think they are "smart" by not patching OSes when they should. You know, "smart" people that turn off automatic updates.
You have to forgive him
Still Running From My Challenge Lovey?
Mac OS 6.8 or Windows 3.11
So long as he is not a Mark Chapman
And yet there are still at least
You are not reading it correctly
[i]...spreading through the now patched MS08-067..[/i]
Should really be reworded to something like:
[i]...spreading through systems that have not yet been patched with MS08-067...[/i]
But I am sure that doesn't matter. What matters is making it sound as if Windows is just insecure, minimizing the fact that it has been patched months ago and that the sheer number of Windows systems makes even a small percentage of unpatched systems a worthwhile target.
If you patch 90% of all Windows systems on the planet, there are still more unpatched Windows systems than there are OSX and Linux systems combined (talking about desktop here). I guess you need to be really dumb not to see why they keep going after Windows. If the idiots that turn off automatic updates would just get a wake-up slap, this would become much less of a problem.
So if...
would be because they are rubbish. Because it's happening to the "bestest OS evah (tm)", it's because the other two are rubbish and not "bestest OS evah (tm)". Nice logic. Yes, GNU/Linux and Apple issue regular updates and patches, but Windows excels at it!!! Gentlemen, I give you Patch Tuesday. NONE of the other OSes are patched with that much regularity, and it's not because they are slow or rubbish, quite the opposite, it's because the kernels are inherently more stable. Besides, with the market share Microsoft have, they [i]should[/i] do better.
Ubuntu
This is such nonsense
It's the same thing as a moronic Windows user who doesn't use a virus scanner, wonders why their computer is SO slow and is ignorant of the fact that their system is part of a botnet; the viruses are there on a Mac system even if they remain undetected by the user and eventually they will be transmitted. All computer systems should have virus scanners, regardless of the platform.
Also, what tiresome nonsense it is to listen to users of a minority platform pretending the system is somehow more secure. Microsoft Windows is on at least 90% of the world's desktops; target a vulnerability and you're potentially affecting 90% of the world's computer users. Windows is obviously more exposed by the sheer size of its user base. Pretending that Mac OS X is some kind of invulnerable, ultra-hardened OS is just a joke. Frankly, you should find better things to do with your time.
What's needed to install a Linux virus on your computer.
<a href="http://talkback.zdnet.com/5208-9595-0.html?forumID=1&threadID=56532&messageID=1070705&start=-9966">Nothing to do with Marketshare link</a>
"If you patch *100%* of all Windows systems on the planet ..."
You can say that my chances of getting killed by a lightning strike are --- statistically --- greater than getting killed in a skydiving accident (or getting my Windows system infected).
Time out. I don't go skydiving, so the odds of my getting killed that way are ZERO.
And, I don't do Windows. So, my chances of getting the Conficker worm are ZERO.
But, hey, Swiss Cheese is still full of holes.
Bwaaaa haaaa haaaa
But...
Freakish things do happen.
Well...
Given Microsoft's vast human and financial resources, it is surprising that they churn out code that is so exploitable, both in the past and now. That they couple that with a giant neon sign called "patch Tuesday" that gives the message "hurt me now and hurt me often" so very loud and clear is just annoying.
Management is the problem...
Coders do not code from scratch anymore. They rely on blackbox code way too much.
So you then get the same errors passed on to each OS... Each update and it never ends...
How often do you remember patching DOS?
We do not always patch.
We do not always patch. You can run but not hide.
No I don't work for or even like MS but put the blame where it belongs, on the criminal.
Windows Exploit
stuff for Mac and Linux. As I write this post on my MacBook Pro, I hope Apple's market share stays that way. I do not fool myself into believing that my Mac is that much more secure than any other OS.
Why GNU/Linux Viruses are fairly uncommon (Joke) :-)
Charlie Harvey
evilmalware 0.6 (beta)
Copyright 2000, 2001, 2003, 2005
E\/17 |-|4><0|2z Software Foundation, Inc.
This is free software; see the source for copying
conditions. There is NO warranty; not even for
MERCHANTABILITY, COMPLETE DESTRUCTION OF IMPORTANT
DATA or FITNESS FOR A PARTICULAR PURPOSE (eg. sending
thousands of Viagra spams to people across the
world).
Basic Installation
==================
Before attempting to compile this virus make sure you
have the correct version of glibc installed, and that
your firewall rules are set to `allow everything'.
1. Put the attachment into the appropriate directory
eg. /usr/src
2. Type `tar xvzf evilmalware.tar.gz' to extract the
source files for this virus.
3. `cd' to the directory containing the virus's source
code and type `./configure' to configure the virus for
your system. If you're using `csh' on an old version
of System V, you might need to type `sh ./configure'
instead to prevent `csh' from trying to execute
`configure' itself.
4. Type `make' to compile the package. You may need to
be logged in as root to do this.
5. Optionally, type `make check_payable' to run any
self-tests that come with the virus, and send a large
donation to an unnumbered Swiss bank account.
6. Type `make install' to install the virus and any
spyware, trojans xxxxxxxxxxx, xxxxx xxxxxxxxxxx
adverts and DDoS attacks that come with it.
7. You may now configure your preferred malware
behaviour in /etc/evilmalware.conf .
SEE ALSO
evilmalware(1), evilmalware.conf(5),
please_delete_all_my_files(1)
***********
Marketshare? -nothing at all to do with marketshare.