Friday, January 16, 2009

Downadup Worm Races Onto Millions of PCs

Win32.Worm.Downadup is raging across the Internet, using new tricks to spread undetected. The worm propagates by exploiting a vulnerability in the Windows Server service, reachable over RPC, and has infected millions of Windows PCs in the last two weeks.

"From an estimated 2.4 million infected machines to over 8.9 million during the last four days," Toni Koivunen, an F-Secure researcher, wrote in the company's log. "That's just amazing."

According to Koivunen, several different variants of Downadup are running wild. The algorithm used to generate the rendezvous domain names differs slightly between the variants.

"We've been tracking the variant we believe to be most common [algorithm]. It creates 250 possible domains each day," he said. "We've registered some selected domains out of this pool and are monitoring the connections being made to them."
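The daily pool Koivunen describes is what makes both sinkholing and detection possible: because the list is derived from the date, a defender who knows the algorithm can compute it ahead of time, register a few of the names, and recognise infected hosts by the domains they ask for. The following is an added example, not F-Secure's code and not Conficker's real generator (which this page does not reproduce): an illustrative date-seeded DGA that yields 250 domains per day, plus a detector that runs over constructed resolver log lines and flags clients that query several of the day's names. The seed, the TLD list, the label length and the log format are all assumptions.

```python
import datetime
import hashlib
from collections import Counter

# Illustrative date-seeded DGA. This is NOT Conficker's algorithm (the page does not
# reproduce it); it only shares the property the text describes: a fixed-size pool of
# domains per day that anyone who knows the algorithm and seed can compute in advance.
TLDS = ("com", "net", "org", "info", "biz")   # assumed TLD set for the illustration
SEED = b"illustrative-seed"                   # assumed constant baked into the sample
DOMAINS_PER_DAY = 250
SAMPLE_DAY = datetime.date(2009, 1, 16)       # date of the article, used for the sample log


def daily_domains(day, count=DOMAINS_PER_DAY, seed=SEED):
    """Return the deterministic list of `count` domains a host would try on `day`."""
    pool = []
    for i in range(count):
        h = hashlib.sha256(seed + day.isoformat().encode() + i.to_bytes(2, "big")).digest()
        length = 8 + h[0] % 4                                 # 8..11 letter label
        label = "".join(chr(ord("a") + b % 26) for b in h[1:1 + length])
        pool.append("%s.%s" % (label, TLDS[h[-1] % len(TLDS)]))
    return pool


def parse_dns_log(text):
    """Parse constructed resolver log lines of the form '<ISO timestamp> <client> <qname>'."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue                                          # skip malformed lines
        stamp, client, qname = parts
        day = datetime.date.fromisoformat(stamp[:10])
        events.append((day, client, qname.lower().rstrip(".")))
    return events


def flag_dga_clients(events, threshold=3, skew_days=1):
    """Return {client: hit_count} for clients that queried at least `threshold` names
    from the generated pool of the query day (+/- skew_days to tolerate clock drift).
    A sinkhole operator who registered part of the pool sees the same hosts connect."""
    pools = {}
    hits = Counter()
    for day, client, qname in events:
        for delta in range(-skew_days, skew_days + 1):
            d = day + datetime.timedelta(days=delta)
            if d not in pools:
                pools[d] = set(daily_domains(d))              # compute each day's pool once
            if qname in pools[d]:
                hits[client] += 1
                break
    return {c: n for c, n in hits.items() if n >= threshold}


def build_sample_log(day=SAMPLE_DAY):
    """Constructed sample: one noisy but clean host, one host walking the day's pool,
    and one host with a single coincidental hit that must stay below the threshold."""
    pool = daily_domains(day)
    lines = [
        "%sT10:00:00 10.0.0.5 www.example.com" % day,
        "%sT10:00:01 10.0.0.5 update.example.net" % day,
    ]
    for i, name in enumerate(pool[:5]):
        lines.append("%sT10:01:%02d 10.0.0.7 %s" % (day, i, name))
    lines.append("%sT10:02:00 10.0.0.7 www.example.com" % day)
    lines.append("%sT10:03:00 10.0.0.9 %s" % (day, pool[100]))
    return "\n".join(lines)


if __name__ == "__main__":
    print(flag_dga_clients(parse_dns_log(build_sample_log())))  # {'10.0.0.7': 5}
```

The threshold matters in practice: a single match is a coincidence or a curious user, but a host that walks through several of the day's names in a minute is doing exactly what the worm's update routine does, and the same list tells you which names are worth registering as sinkholes before the next day starts.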

A Worm by Another Name

Also known as Conficker or Kido, the worm first appeared in late November 2008, exploiting a vulnerability in Microsoft software to spread unhindered across local area networks. Its goal is to install rogue security software on infected computers.

Microsoft issued a patch for the vulnerability (MS08-067, in October 2008), but many users haven't installed it, leaving their machines open to infection over the network. The worm also spreads through portable USB flash drives, a route the patch does not close.

"This malware exploits the fact that many people do not patch their systems," said Viorel Canja, head of BitDefender Anti-Malware Labs. "With its updated configuration and good protection scheme, this worm could become a rival to already established botnets like Storm or Srizbi."

Watch Those Thumb Drives

In late December, BitDefender Labs uncovered a new version of the worm, Win32.Worm.Downadup.B. The new variant adds several enhancements, including a new distribution routine.

Specifically, the worm uses USB thumb drives to infect other computers. It copies itself into a randomly named folder created inside the drive's RECYCLER directory (the directory the Recycle Bin uses to store deleted files) and writes an autorun.inf file to the drive's root folder that points at that copy. When the Autorun feature is enabled, the worm executes automatically as soon as the drive is plugged in.
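The two details above, a payload hidden under RECYCLER and an autorun.inf that launches it, are enough to write a simple check for removable media. The following is an added example, not BitDefender's detection logic: a tolerant parser for autorun.inf (the format is INI-like, and Explorer ignores lines it cannot parse, so junk lines must not break the check), a function that collects every command the file could launch, and a few findings worth raising. The sample files are constructed; the folder name and payload.dll in the malicious one are hypothetical.

```python
import re
from pathlib import Path

# Added example: an autorun.inf checker for removable drives. Not BitDefender's code;
# the sample files below are constructed and their folder/DLL names are hypothetical.

KV_RE = re.compile(r"^([^=;\[\]]+?)\s*=\s*(.*?)$")
LAUNCH_KEYS = ("open", "shellexecute")


def parse_autorun(text):
    """Tolerant INI-style parse of autorun.inf. Only the [autorun] section matters;
    lines without '=' are skipped, mirroring Explorer, which ignores what it cannot parse."""
    section, entries = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "autorun":
            continue
        m = KV_RE.match(line)
        if m:
            entries[m.group(1).strip().lower()] = m.group(2).strip()
    return entries


def launch_targets(entries):
    """Every command Autorun/AutoPlay could run: open=, shellexecute= and shell\\<verb>\\command=."""
    return [v for k, v in entries.items()
            if k in LAUNCH_KEYS or (k.startswith("shell\\") and k.endswith("\\command"))]


def assess_autorun(text):
    """Return human-readable findings for an autorun.inf body; an empty list means nothing matched."""
    entries = parse_autorun(text)
    findings = []
    for cmd in launch_targets(entries):
        low = cmd.lower().replace("/", "\\")
        if "recycler" in low or "$recycle.bin" in low:
            findings.append("launch target lives under the recycle-bin directory: " + cmd)
        if "rundll32" in low:
            findings.append("rundll32 used to load a DLL from the drive: " + cmd)
    if "open folder" in entries.get("action", "").lower():
        findings.append("action= text mimics Explorer's own 'Open folder to view files' entry")
    return findings


def scan_drive_root(root):
    """Assess the autorun.inf at the root of a mounted drive (e.g. 'E:\\' or '/media/usb').
    Returns [] when no autorun.inf exists. Bytes are decoded leniently because
    malicious files often carry non-text padding around the real directives."""
    path = Path(root) / "autorun.inf"
    if not path.is_file():
        return []
    return assess_autorun(path.read_bytes().decode("latin-1"))


SAMPLE_MALICIOUS = r"""[autorun]
;constructed sample; the folder name and payload.dll are hypothetical
xqz!!\x00\x17garbage-bytes-that-Explorer-ignores
Icon=%SystemRoot%\system32\shell32.dll,4
Action=Open folder to view files
Open=RUNDLL32.EXE .\RECYCLER\S-1-5-21-0000\payload.dll,Install
"""

SAMPLE_BENIGN = r"""[autorun]
icon=setup.exe
label=Product Setup
open=setup.exe
"""

if __name__ == "__main__":
    for finding in assess_autorun(SAMPLE_MALICIOUS):
        print("FLAG:", finding)
    print("benign findings:", assess_autorun(SAMPLE_BENIGN))  # []
```

The checker only tells you a drive is carrying something suspicious; the mitigation that removes the infection route altogether is to turn Autorun off for removable drives, which on Windows of this era is the NoDriveTypeAutoRun policy value (0xFF under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer), applied alongside the MS08-067 patch for the network vector.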

It has been over a month since we heard much about Conficker, but the worm has reappeared with a vengeance over the past seven days. According to Finnish security company F-Secure, more than one million PCs have been infected with the worm (also known as Kido or Downadup) in the past 24 hours, with a total of 3.52 million machines infected worldwide. According to F-Secure, that 3.52 million is a conservative estimate.

The problem isn't so much the older version of Conficker (now known as Conficker.A) as a new flavor, dubbed Conficker.B. Ars spoke with Roger Halbheer, Chief Security Advisor for Microsoft EMEA (Europe, Middle East, and Africa), who has been monitoring, and writing about, the current spread of infections. The skyrocketing infection rate is being driven by several factors; Roger describes Conficker.B as a "beast," and Microsoft has built a diagram to demonstrate how the worm functions.