SecurityFocus reports an estimated 3.5 million computers have been compromised due to a “Downadup worm,” a malicious bot that spreads through websites and blogs.
The Downadup worm, a malicious program that spreads using a recently patched Windows flaw, has compromised more than 3.5 million computers, security firm F-Secure stated this week.
The Downadup worm has successfully spread because it uses a major flaw that Microsoft patched in October to remotely compromise computers running unpatched versions of the Windows operating system. However, the malicious program’s greatest strength appears to be a feature that allows worm-controlled computers to download malicious code from a random drop point.
The program generates addresses for 250 different domains each day. The botnet controller need only register one of the domains and set up a download server to update the bot program with different functionality, said Mikko Hyppönen, chief research officer at F-Secure.
“The bad guys only need to predetermine one possible domain for tomorrow, register it, and set up a website, and they then gain access to all of the infected machines — pretty clever,” Hyppönen said in a blog post.
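The domain-generation scheme described above cuts both ways: because every infected machine derives the same candidate list from the date, a defender who knows the generator can precompute tomorrow's list just as the controller can, and then watch for or sinkhole those names. The following Python is an added example, not code from the original post or from F-Secure; the generator is a constructed toy (SHA-256 over the date and an index), not Downadup's real algorithm, and the DNS log format, the TLD list and the `10.0.0.5` client address are assumptions for illustration.

```python
import hashlib
from datetime import date, timedelta

# Constructed toy generator: NOT Downadup's real algorithm. It only models
# the property the article describes: the candidate domains for a day are a
# deterministic function of the date, so anyone who knows the function can
# compute them ahead of time.
TLDS = ("com", "net", "org")   # assumed; illustrative only
DOMAINS_PER_DAY = 250          # the figure quoted in the article


def daily_domains(day, count=DOMAINS_PER_DAY):
    """Return the deterministic list of candidate domains for `day`."""
    domains = []
    for i in range(count):
        seed = f"{day.isoformat()}:{i}".encode()
        digest = hashlib.sha256(seed).hexdigest()
        # Map 8 hex digits onto letters a..p to get a short pseudo-random label.
        label = "".join(chr(ord("a") + int(c, 16)) for c in digest[:8])
        domains.append(f"{label}.{TLDS[i % len(TLDS)]}")
    return domains


def build_watchlist(start, days_ahead):
    """Defender side: precompute every candidate for the next `days_ahead` days."""
    watch = set()
    for n in range(days_ahead):
        watch.update(daily_domains(start + timedelta(days=n)))
    return watch


def flag_dns_lookups(log_lines, watchlist):
    """Return (client, qname) pairs whose queried name is on the watchlist.

    Log format is constructed for this example: '<timestamp> <client-ip> <qname>'.
    """
    hits = []
    for line in log_lines:
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines rather than crash on them
        _, client, qname = parts
        qname = qname.lower().rstrip(".")
        if qname in watchlist:
            hits.append((client, qname))
    return hits


if __name__ == "__main__":
    today = date(2009, 1, 16)
    watch = build_watchlist(today, days_ahead=3)
    # Constructed DNS log: one lookup of a predicted domain, one benign lookup.
    sample_log = [
        f"2009-01-16T10:15:02 10.0.0.5 {daily_domains(today)[0]}.",
        "2009-01-16T10:15:03 10.0.0.6 www.example.com.",
    ]
    for client, qname in flag_dns_lookups(sample_log, watch):
        print(f"client {client} queried predicted domain {qname}")
```

The watchlist only has to be rebuilt once per day, and matching is a set lookup per query, which is why predicting the list in advance scales to an entire network's DNS traffic.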
According to the report, the Downadup worm exploits a Windows XP vulnerability in the processing of remote procedure call (RPC) requests. While a patch was issued and warnings announced, not everyone has updated. The top countries hit by the MS08-067 worms, as F-Secure calls them, are China, Brazil, and Russia, but the worm is expected to spread further unless server administrators and webmasters immediately update and patch their Windows servers and Windows programs, including Internet Explorer.
ZDNet Security Threats reports that the first sign of infection is usually found when users cannot access their accounts and are locked out of the Active Directory domain as the worm tries to crack passwords on Windows servers.
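The lockout symptom above is also a detection opportunity: a single machine that locks out many different accounts within a few minutes is the signature of automated password guessing, not of users mistyping. The following Python is an added example, not code from the original post or from ZDNet; it runs over a constructed sample of lockout records. Windows does record account lockouts as Security event 4740 with a "Caller Computer Name" field, but the one-line layout, host names and account names used here are assumptions for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of lockout records (simplified, not the real event text):
# '<timestamp> <event-id> account=<name> caller=<computer that sent the logons>'
SAMPLE_EVENTS = [
    "2009-01-16T09:00:01 4740 account=alice caller=WS-17",
    "2009-01-16T09:00:04 4740 account=bob caller=WS-17",
    "2009-01-16T09:00:09 4740 account=carol caller=WS-17",
    "2009-01-16T09:00:15 4740 account=dave caller=WS-17",
    "2009-01-16T09:31:00 4740 account=erin caller=WS-03",  # a lone, ordinary lockout
    "2009-01-16T09:31:05 4624 account=erin caller=WS-03",  # unrelated event, ignored
]


def parse_event(line):
    """Split one constructed record into (timestamp, event_id, account, caller)."""
    ts, event_id, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    return datetime.fromisoformat(ts), int(event_id), kv["account"], kv["caller"]


def suspicious_callers(lines, window=timedelta(minutes=5), threshold=3):
    """Return {caller: sorted accounts} for every caller that locked out at
    least `threshold` distinct accounts inside some `window`-long interval."""
    by_caller = defaultdict(list)
    for line in lines:
        ts, event_id, account, caller = parse_event(line)
        if event_id != 4740:  # only lockout events matter here
            continue
        by_caller[caller].append((ts, account))

    flagged = {}
    for caller, events in by_caller.items():
        events.sort()
        # Slide the window start across each lockout from this caller.
        for i, (start, _) in enumerate(events):
            accounts = {acct for ts, acct in events[i:] if ts - start <= window}
            if len(accounts) >= threshold:
                flagged[caller] = sorted(accounts)
                break
    return flagged


if __name__ == "__main__":
    for caller, accounts in suspicious_callers(SAMPLE_EVENTS).items():
        print(f"{caller} locked out {len(accounts)} accounts: {', '.join(accounts)}")
```

Keying on the caller rather than on the locked account is the point: a password-guessing host will trip lockouts across many accounts, while a user who forgot a password only ever locks out one.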
Tracking the Downadup infection, F-Secure reported that infections are up by more than one million in just one day, and growing. At last check, they estimate 3,521,230 infections worldwide.
The Growth of Website Vulnerabilities
The time wasters and evil doers of the world have not slowed down, in spite of increased vigilance and improved software for detection and prevention. Security exploits are big business for many, especially for those intent on spreading spam, revenue-generating invasive links, and SEO manipulation.
Recently, LinkedIn and Twitter were the target. SecurityFocus reported on malware security problems with the popular social media tools, with the Blog Herald covering the news, too.
In 2008, ProSecurity Zone and many others reported that there would be a dramatic increase in security exploits that target social media tools. They said that according to security experts at Grisoft, developer of the AVG Antivirus and Security Software:
According to the team, viruses made up some 15 percent of the threat landscape in 2007, consistent with the company’s predictions at the end of 2006; phishing scams, backdoor worms, trojans, keyloggers, spyware, adware and other web-based exploits comprised the majority of threats…
“The anti-virus industry has been in a transition period the past two to three years as malware has morphed from simple viruses to complex malicious website hacks that combine exploits and social engineering to scam unsuspecting users of their data,” said Bridwell. “As 2008 ushers in new security issues and challenges, Internet users need to boost their anti-malware defences with safe surfing tools like AVG LinkScanner that detect and stop web exploits in real time.”
Unlike traditional malware such as viruses or trojans that are created by thrill-seeking programmers and computer geeks trying to create chaos, exploits are a fast-growing category of crimeware applications used by criminal cyber-gangs to steal digital assets for financial gain. Exploits are usually delivered in the form of drive-by downloads intended to take advantage of unpatched computer vulnerabilities.
In December 2008, a malicious virus called Hack.Exploit.Script.JS.Agent.ic spread through the Internet from websites and specifically targeted a vulnerability in Internet Explorer. Most of the affected sites were in China, but these viruses can easily cross borders.
Even online security experts are impacted by these insidious attacks. In “Security Researchers Embarrassed After Successful Hackers Attack” by CyberInsecure, one such security expert had their blog hacked:
Chief strategy officer for security firm StillSecure and security consultant Alan Shimel woke on Sunday morning to discover that his personal blog, which is frequently visited by readers and press, was pointing to a website featuring explicit gay porn. Equally disturbing, he found someone had cracked open his Yahoo! Mail account and published sensitive documents he filed with the Internal Revenue Service. The attackers also sent crude pornographic images to parents on the Little League baseball team Shimel coached.
In their end of the year report for 2008, F-Secure reported that the total amount of malware accumulated over the past 21 years “increased by 200% in the course of just one year.”
Criminal activity for financial gain remains the driver for the massive increase in Internet threats. Today’s malware is produced by highly organized criminal gangs using increasingly sophisticated techniques. This year has seen increasing botnet activity around the world. These remotely controlled networks of infected computers remain a major challenge to the IT security industry because it is their vast computing power that is behind the unprecedented level of spam e-mail and malware distribution.
They report that most of the security issues and attacks are coming from China, though attacks were made on famous sites such as the US presidential campaigns and government agencies. They also stated that “malware even went into space as an online games password-stealer made its way onto the International Space Station on an infected laptop.”
Part of the problem is prosecuting the criminals. While there are laws in place for identity theft, stolen credit cards, and other Internet related attacks, unless they steal, most attacks are considered malicious rather than criminal. Expect this to change soon, they say, as F-Secure and other major businesses are calling for the establishment of an “Internetpol” to tackle online crime.
In my next post on this issue, I’ll look at the security issues facing WordPress bloggers, but remember this: no one is immune. Everyone is vulnerable to a cyber-attack. We must be vigilant and aware, and protect our privacy and safety when we play and work online.
Has your blog been hacked? Have you been a victim of cyber-crime? Had your computer infected with a virus? What are you doing to protect yourself online? What do you think the government should do to punish the growing industry of cyber-crime?