Downadup Worm Infection: Cyber Attacks on the Rise in 2009

Filed as Features on January 16, 2009 12:53 am

SecurityFocus reports that an estimated 3.5 million computers have been compromised by the “Downadup” worm, a malicious bot program that spreads from machine to machine by exploiting a recently patched Windows flaw.

The Downadup worm, a malicious program that spreads using a recently patched Windows flaw, has compromised more than 3.5 million computers, security firm F-Secure stated this week.

The Downadup worm has spread successfully because it uses a major flaw that Microsoft patched in October 2008 to remotely compromise computers running unpatched versions of Windows. However, the malicious program’s greatest strength appears to be a feature that lets worm-controlled computers download new malicious code from a drop point whose address changes every day and is picked from a list of pseudo-randomly generated domain names.

The program generates addresses for 250 different domains each day. The botnet controller need only register one of the domains and set up a download server to update the bot program with different functionality, said Mikko Hyppönen, chief research officer at F-Secure.

“The bad guys only need to predetermine one possible domain for tomorrow, register it, and set up a website, and they then gain access to all of the infected machines — pretty clever,” Hyppönen said in a blog post.
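To make that rendezvous scheme concrete, here is an added example in Python. It is not Downadup’s real algorithm and is not code from F-Secure or from the original post; the letter alphabet, label lengths and TLD list are assumptions. Only the shape of the scheme matches what Hyppönen describes: 250 deterministic candidates per day, which every bot, the botmaster, and anyone who has reverse-engineered the algorithm can compute in advance. The same property cuts both ways, so the example also shows the defender’s move: precomputing the candidates so they can be registered or sinkholed before the controller gets to them.

```python
from __future__ import annotations
import datetime
import hashlib

# Illustrative stand-in for a date-seeded domain generation algorithm (DGA).
# Alphabet, length range and TLD list are assumptions for this example,
# NOT Downadup's actual algorithm.
TLDS = ("com", "net", "org", "info", "biz")
DOMAINS_PER_DAY = 250
DEMO_DAY = datetime.date(2009, 1, 16)   # constructed dates for the demo
NEXT_DAY = datetime.date(2009, 1, 17)


def _byte_stream(seed: bytes):
    """Deterministic pseudo-random bytes: SHA-256 over seed || 32-bit counter."""
    counter = 0
    while True:
        for b in hashlib.sha256(seed + counter.to_bytes(4, "big")).digest():
            yield b
        counter += 1


def generate_domains(day: datetime.date, n: int = DOMAINS_PER_DAY) -> list[str]:
    """Candidate rendezvous domains for `day`. Anyone who knows the algorithm
    (bot, botmaster or defender) derives exactly the same ordered list."""
    stream = _byte_stream(day.isoformat().encode())
    domains: list[str] = []
    seen: set[str] = set()
    while len(domains) < n:
        length = 8 + next(stream) % 4                                   # 8..11 letters
        label = "".join(chr(ord("a") + next(stream) % 26) for _ in range(length))
        domain = f"{label}.{TLDS[next(stream) % len(TLDS)]}"
        if domain not in seen:                                          # keep the list distinct
            seen.add(domain)
            domains.append(domain)
    return domains


def bot_rendezvous(day: datetime.date, registered: set[str]) -> str | None:
    """What each bot does daily: walk its candidate list and return the first
    domain that 'resolves' (here simulated by membership in `registered`)."""
    for domain in generate_domains(day):
        if domain in registered:
            return domain
    return None


def defender_blocklist(start: datetime.date, days: int) -> set[str]:
    """What a defender does: precompute every candidate for the next `days`
    days so they can be sinkholed or blocked before the controller registers one."""
    out: set[str] = set()
    for i in range(days):
        out.update(generate_domains(start + datetime.timedelta(days=i)))
    return out


if __name__ == "__main__":
    # The controller picks just one of tomorrow's 250 candidates and registers it.
    controller_pick = generate_domains(NEXT_DAY)[42]
    print("controller registers:", controller_pick)
    # Every bot independently walks the same list and finds it.
    print("bot reaches:", bot_rendezvous(NEXT_DAY, {controller_pick}))
    # A defender who has reversed the algorithm can pre-empt the whole week.
    week = defender_blocklist(NEXT_DAY, 7)
    print(len(week), "domains to sinkhole this week; pick covered:", controller_pick in week)
```

The asymmetry Hyppönen points out is visible in `bot_rendezvous`: the controller only has to win one of 250 registrations, while a defender who wants to block the channel by domain must hold or sinkhole all of them, every day, which is exactly why `defender_blocklist` has to be run ahead of time rather than reactively.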

According to the report, the Downadup worm exploits a vulnerability in the Windows Server service’s handling of remote procedure call (RPC) requests, the one Microsoft fixed in bulletin MS08-067. The flaw is not specific to Windows XP; it affects Windows 2000, XP, Server 2003, Vista and Server 2008. Although a patch was issued and warnings were announced, not everyone has applied it. The top countries hit by the “MS08-067 worms”, as F-Secure calls them, are China, Brazil and Russia, but the worm is expected to spread further unless server administrators and webmasters apply the MS08-067 update and keep their Windows servers, workstations and applications, including Internet Explorer, fully patched.

ZDNet’s Security Threats blog reports that the first sign of infection is often that users can no longer log in: the worm tries to guess the passwords of accounts on other machines across the network, and the stream of failed attempts trips the domain’s account-lockout policy, so legitimate users find themselves locked out of their Active Directory accounts.

Tracking the Downadup infection, F-Secure reported that the number of infections rose by more than one million in a single day and is still growing. At last check, they estimated 3,521,230 infections worldwide.

The Growth of Website Vulnerabilities

The time wasters and evil doers of the world have not slowed down, in spite of increased vigilance and improved software for detection and prevention. Security exploits are big business for many, especially for those intent on spreading spam, revenue-generating invasive links and SEO manipulation.

Recently, LinkedIn and Twitter were targets. SecurityFocus reported on malware problems affecting the popular social media tools, and the Blog Herald covered the news too.

In 2008, ProSecurity Zone and many others predicted a dramatic increase in security exploits targeting social media tools, citing security experts at Grisoft, developer of AVG Anti-Virus and security software:

According to the team, viruses made up some 15 percent of the threat landscape in 2007, consistent with the company’s predictions at the end of 2006; phishing scams, backdoor worms, trojans, keyloggers, spyware, adware and other web-based exploits comprised the majority of threats…

“The anti-virus industry has been in a transition period the past two to three years as malware has morphed from simple viruses to complex malicious website hacks that combine exploits and social engineering to scam unsuspecting users of their data,” said Bridwell. “As 2008 ushers in new security issues and challenges, Internet users need to boost their anti-malware defences with safe surfing tools like AVG LinkScanner that detect and stop web exploits in real time.”

Unlike traditional malware such as viruses or trojans that are created by thrill-seeking programmers and computer geeks trying to create chaos, exploits are a fast-growing category of crimeware applications used by criminal cyber-gangs to steal digital assets for financial gain. Exploits are usually delivered in the form of drive-by downloads intended to take advantage of unpatched computer vulnerabilities.

In December 2008, a malicious exploit script detected as Hack.Exploit.Script.JS.Agent.ic spread across the Internet from compromised websites and specifically targeted a vulnerability in Internet Explorer. Most of the affected sites were in China, but such attacks easily cross borders.

Even online security experts are impacted by these insidious attacks. In “Security Researchers Embarrassed After Successful Hackers Attack”, CyberInsecure describes one such expert having his blog hacked:

Chief strategy officer for security firm StillSecure and security consultant Alan Shimel woke on Sunday morning to discover that his personal blog, which is frequently visited by readers and press, was pointing to a website featuring explicit gay porn. Equally disturbing, he found someone had cracked open his Yahoo! Mail account and published sensitive documents he filed with the Internal Revenue Service. The attackers also sent crude pornographic images to parents on the Little League baseball team Shimel coached.

In their end of the year report for 2008, F-Secure reported that the total amount of malware accumulated over the past 21 years “increased by 200% in the course of just one year.”

Criminal activity for financial gain remains the driver for the massive increase in Internet threats. Today’s malware is produced by highly organized criminal gangs using increasingly sophisticated techniques. This year has seen increasing botnet activity around the world. These remotely controlled networks of infected computers remain a major challenge to the IT security industry because it is their vast computing power that is behind the unprecedented level of spam e-mail and malware distribution.

They report that most of the security issues and attacks are coming from China, though attacks were made on famous sites such as the US presidential campaigns and government agencies. They also stated that “malware even went into space as an online games password-stealer made its way onto the International Space Station on an infected laptop.”

Part of the problem is prosecuting the criminals. While there are laws covering identity theft, stolen credit cards and other Internet-related offences, an intrusion that does not actually steal anything is often treated as mere mischief rather than as a crime. Expect this to change soon, they say: F-Secure and other major businesses are calling for the establishment of an “Internetpol” to tackle online crime.

In my next post on this issue, I’ll look at the security issues facing WordPress bloggers, but remember this: no one is immune. Everyone is vulnerable to a cyber-attack. We must be vigilant and aware, and protect our privacy and safety when we play and work online.

Has your blog been hacked? Have you been a victim of cyber-crime? Had your computer infected with a virus? What are you doing to protect yourself online? What do you think the government should do to punish the growing industry of cyber-crime?




  1. By Miroslav Glavic posted on January 16, 2009 at 9:29 am

    How do I find out about the cyberlaws in Canada (not everyone is in the USA). It would be interesting to compare the punishments cyber criminals get.

    USA and Canada have almost the same levels of laws (municipal, provincial – state for you, federal)... I wonder which level of laws would apply.
    Then what if you get attacked from, let’s say, Vietnam (nothing against Vietnam, I just picked a random country in Asia)? Does American law apply or Vietnamese law apply? Which police would get involved?


    • By Lorelle VanFossen posted on January 16, 2009 at 9:36 pm

      @Miroslav: Cyberlaw Encyclopedia and Cybercrime Law are just two of the many sites I found that talk about International, and Canada-specific laws dealing with cybercrimes.

      To answer the second question, it depends upon what you mean by “attacked.” Widespread attacks are left to the governments or international agencies that fight against such attackers, and I’m not sure how that works currently. Good question.

      If someone attacks you directly with a targeted attack, you MUST report it immediately to your local authorities. They will work with the appropriate agencies to track down the offender, if they can. The international nature of the web makes this complicated, which is why there is a call for an “Internetpol” agency to cross those borders to stop such attackers.

      @Mathew: Old joke. The reality is that there is nothing safe from anyone who wants in badly enough and has the time and motivation to figure out how. Many companies have put their best and most secure products out on the line only to have someone break into them within a short time. Few things are that secure, and if they are, you probably couldn’t afford them. :D Mac, long touted as the most secure consumer product, has had viruses and attacks in recent years, especially with the widespread adoption of iPods, iPhones, and Mac laptops coming back into fashion. There have been attacks against Linux and other services, though not as widespread or public as Windows, which is the most common operating system in the world.


  2. By Matthew posted on January 16, 2009 at 11:58 am

    Best thing to do to protect yourself and your computer? Stop running Windows, of course! ;-P

    I’ve used Linux exclusively for the last two years without a problem, and recently purchased a MacBook. The webhost I use is on Linux servers, and I keep my site software (WordPress, plugins, et al.) up to date. No problems so far in the almost three years I’ve been there.

    The problem is that the OS (Microsoft Windows) is Defective By Design. Get a secure OS and you’ll have a lot less problems.


  3. By Celeste Schwartz posted on January 16, 2009 at 5:39 pm

    I am interested in Miroslav’s question as well. It won’t be long before someone figures out that there is time and productivity lost to this malicious behavior, and that it should be prosecuted. But with hackers all over the world–often in more than one country per incident–who could set the standards and enforce them?


  4. By Matthew posted on January 16, 2009 at 6:10 pm

    Re: Miroslav and Celeste

    United States law does not apply to foreign nationals whose actions take place on foreign soil. In instances of cyber crime, for instance, the only recourse is for the United States’s government and law enforcement officials to collaborate with foreign law enforcement to bring criminals to justice.

    This happens on a regular basis with European agencies, but that is not the case with China, where the majority of cyber attacks aimed at the United States originate. I’m not familiar with Vietnam’s laws, but to use your example, our law enforcement officials (usually the FBI in relation to cyber crimes) would contact Vietnam and convince them to arrest the perpetrator.

    Suffice it to say that justice is rarely served.


  5. By Matthew posted on January 16, 2009 at 10:20 pm

    Re: Lorelle

    True, true. The only secure computer is one that doesn’t exist ;-)

    Still, security being relative, there are some steps that can be taken and some tools that can be used that provide a greater degree of security. I trust in the ideas and foundation of Unix far more than I do Microsoft products.


  6. By Phil Barnhart posted on January 19, 2009 at 8:33 pm

    Not only can this virus disrupt your PC, since it can disable your ability to connect to software update sites it leaves you vulnerable to even more malware. You need to disable AutoPlay as well as patch your PC.


  7. By Oingo Boingo posted on November 24, 2009 at 12:41 am

    I have Shaw Secure, which is basically from F-Secure, and there have recently been reports of the infection trying to attack my computer. I’m running on Windows XP.

