As a quick update to the information in Downadup Worm Infection: Cyber Attacks on the Rise in 2009 and Security and Hacking: Protect Thyself and Thy WordPress Blog concerning the still-spreading Downadup worm, ComputerWorld and others are reporting that the worm now infects 1 in every 16 PCs, for an estimated current total of over 9 million infections.
It now has its own Wikipedia page called Conficker as the worm is also known as Downup, Downadup, Conficker, and Kido.
According to the Wikipedia article, the computer worm first appeared in October 2008 but spread fast after the first of the year. It specifically targets Microsoft Windows and Windows Server services using Windows 2000, Windows XP, Windows Vista, Windows Server 2003 and Windows Server 2008. It has infected a few governments and hospitals, but mostly corporate computer networks.
On October 15, 2008, Microsoft released a patch to fix the bug. Heise Online estimated that it had infected 2.5 million PCs by January 15, 2009, while The Guardian estimated 3.5 million infected PCs. By January 16, 2009, an antivirus software vendor reported that Conficker had infected almost 9 million PCs, making it one of the most widespread infections in recent times. Conficker is reported to be one of the largest botnets created because 30 percent of Windows computers do not have the Microsoft Windows patch released in October 2008.
The virus can spread through websites and USB drives, like flash drives, cameras, portable hard drives, and other USB connecting devices that trigger AutoRun, so Microsoft is recommending people upgrade their Windows programs and turn off AutoRun.
There are now removal services available:
- Microsoft Malware Remove
- F-Secure – ISTP and F-Downadup Removal Tool
- W32.Downadup Remover by Symantec
F-Secure calls the Downadup worm “Social Engineering Autoplay” since it is the social nature of the web and autoplay devices that makes this worm so effective. The ease of sharing media and files across thumb/flash drives, cameras, and other USB devices that recognize and activate through Autoplay makes this worm especially virulent.
In an interesting series of articles by F-Secure, they describe the numbers and actions the Downadup worm takes on its way to spread its infection.
In How Big is Downadup? Very Big., they describe how it spreads:
Downadup worms attempt to call home. They do this by trying to connect to various Web addresses. And if the worm finds an active Web server at one of these domains, it will download and run a particular executable — thus giving the malware gang a free hand to do whatever they want with all of the infected machines.
…Normally malware uses only one or maybe a handful of websites. Such sites are generally easy to locate and shut down.
Then there is Downadup. It uses a complicated algorithm which changes daily and is based on timestamps from public websites such as Google.com and Baidu.com. With this algorithm, the worm generates many possible domain names every day.
…This makes it impossible and/or impractical for us good guys to shut them all down — most of them are never registered in the first place.
The tracking of all the statistics associated with the Downadup worm to make their world-wide estimates is also fascinating. In Preemptive Blocklist and More Downadup Numbers, they stated that their calculation for that day was “8,976,038 infections worldwide and 353,495 unique IP addresses.”
Describing how they calculate the size of the Downadup outbreak, they explain:
The number of Downadup infections are skyrocketing based on our calculations. From an estimated 2.4 million infected machines to over 8.9 million during the last four days. That’s just amazing.
We’ve received a number of queries on just how exactly we’re producing our estimates.
…There are several different variants of Downadup out there. The algorithm to create the domain names vary a bit between the variants. We’ve been tracking the variant we believe to be most common. It creates 250 possible domains each day. We’ve registered some selected domains out of this pool and are monitoring the connections being made to them.
It will be interesting to see whether the word gets out and people protect themselves fast enough, or whether this number keeps rising. This particular worm is definitely changing the way the online security world pays attention to viruses and worms, and how it tracks them.
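Because most of the daily domain names described above are never registered, an infected machine tends to stand out in DNS resolver logs as a client making many distinct lookups that fail. The following sketch is an added example, not code from F-Secure or from this post; the log format, the thresholds and every sample name in it are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed resolver log (format assumed): date, client IP, query name, response code.
# The random-looking names are made up and use reserved TLDs.
_NOISE = ["kqzvhtw.example", "xmbrpdl.test", "ywjfcnq.example",
          "pzgtkrv.test", "hdqlmxs.example", "vbncwjy.test"]
SAMPLE_LOG = "\n".join(
    ["2009-01-16 10.0.0.5 www.google.com NOERROR",
     "2009-01-16 10.0.0.5 wordpres.example NXDOMAIN",   # one user typo
     "2009-01-16 10.0.0.5 en.wikipedia.org NOERROR",
     "2009-01-16 10.0.0.9 www.google.com NOERROR"]
    + [f"2009-01-16 10.0.0.9 {name} NXDOMAIN" for name in _NOISE]
    + ["2009-01-16 10.0.0.9 kqzvhtw.example NXDOMAIN",  # retry, counted once
       "garbage line that does not parse"]
)

LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}) (\S+) (\S+) (NOERROR|NXDOMAIN)$")

def failed_lookups(log_text):
    """Return {(day, client): (distinct NXDOMAIN names, distinct names queried)}."""
    failed, seen = defaultdict(set), defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines instead of failing
        day, client, name, rcode = m.groups()
        name = name.lower().rstrip(".")
        seen[(day, client)].add(name)
        if rcode == "NXDOMAIN":
            failed[(day, client)].add(name)
    return {key: (failed[key], seen[key]) for key in seen}

def suspect_clients(log_text, min_failed=5, min_ratio=0.5):
    """Flag clients whose day is dominated by lookups of names that do not exist."""
    hits = []
    for (day, client), (bad, total) in sorted(failed_lookups(log_text).items()):
        ratio = len(bad) / len(total)
        if len(bad) >= min_failed and ratio >= min_ratio:
            hits.append((day, client, len(bad), round(ratio, 2)))
    return hits

if __name__ == "__main__":
    for hit in suspect_clients(SAMPLE_LOG):
        print(hit)
```

A single mistyped address does not trip the check; only a client with several distinct failed names making up most of its lookups for the day is reported, and the thresholds would need tuning against a real network's baseline.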
Fake Obama Sites Alert
Phishing and spoofing are on the rise. WordPress was recently faked with a malicious site taking advantage of a misspelling in the domain name for WordPress. Now, fake Barack Obama websites are on the rise.
Some are annoying ad sites, but others have malicious software. Take care to pay close attention to how you spell a domain name if you are typing it in manually, and look very closely for fraud and fakes.
Have We Gotten Complacent?
With the growing ease of virus protection integrated into our computers, have we gotten complacent? Have we forgotten how dangerous it can be out there, especially since so many applications make the Internet experience so easy?
For a long time, many people’s quick answer was to move to Mac or Linux or some lesser known operating system. Unfortunately, Mac has been the target of a growing number of viruses and hackers. Other systems also suffer from security vulnerabilities which open the door to potential exploits. While Windows has long been the target, if you are infected, it only takes one to make your life miserable for a while.
Web viruses and worms are especially dangerous as they may soon creep in through the browser and attack without caring which operating system you are running.
There is also no excuse for those who use ridiculous passwords like “password” and “username.”
Expect major changes and increased awareness this year due to the Downadup/Conficker worm, especially if they can’t shut it down totally and it continues to spread and mutate.
In the next issue in my series on blog security and cyber attacks, I’ll tell you how to report a cyber crime.