Downadup Spreads – Infects 1 in 16 PCs

Filed as Features on January 21, 2009 8:57 pm

As a quick update to Downadup Worm Infection: Cyber Attacks on the Rise in 2009 and Security and Hacking: Protect Thyself and Thy WordPress Blog, both concerning the still-spreading Downadup worm: ComputerWorld and others are reporting that the worm now infects 1 in every 16 PCs, for an estimated current total of over 9 million infections.

It now has its own Wikipedia page, Conficker, since the worm is also known as Downup, Downadup, Conficker, and Kido.

According to the Wikipedia article, the worm first appeared in October 2008 but spread fast after the first of the year. It specifically targets the Windows Server service on Windows 2000, Windows XP, Windows Vista, Windows Server 2003 and Windows Server 2008. It has infected a few government and hospital networks, but mostly corporate computer networks.

On October 15, 2008 Microsoft released a patch to fix the bug. Heise Online estimated that the worm had infected 2.5 million PCs by January 15, 2009, while The Guardian estimated 3.5 million infected PCs. By January 16, 2009, an antivirus software vendor reported that Conficker had infected almost 9 million PCs, making it one of the most widespread infections in recent times. Conficker is reported to be one of the largest botnets ever created because 30 percent of Windows computers still have not installed the Microsoft Windows patch released in October 2008.

The worm can also spread through websites and through USB drives, such as flash drives, cameras, portable hard drives, and other USB devices that trigger AutoRun, so Microsoft is recommending that people apply their Windows updates and turn off AutoRun.

There are now removal services available:

F-Secure calls the Downadup worm “Social Engineering Autoplay,” since it is the social nature of the web and of AutoPlay devices that makes this worm so effective. The ease of sharing media and files across thumb/flash drives, cameras, and other USB devices that are recognized and activated through AutoPlay makes this worm especially virulent.

In an interesting series of articles, F-Secure describes the numbers behind the outbreak and the steps the Downadup worm takes to spread its infection.

In How Big is Downadup? Very Big., they describe how it spreads:

Downadup worms attempt to call home. They do this by trying to connect to various Web addresses. And if the worm finds an active Web server at one of these domains, it will download and run a particular executable — thus giving the malware gang a free hand to do whatever they want with all of the infected machines.

…Normally malware uses only one or maybe a handful of websites. Such sites are generally easy to locate and shut down.

Then there is Downadup. It uses a complicated algorithm which changes daily and is based on timestamps from public websites such as Google.com and Baidu.com. With this algorithm, the worm generates many possible domain names every day.

…This makes it impossible and/or impractical for us good guys to shut them all down — most of them are never registered in the first place.

The statistics F-Secure tracks to produce its worldwide estimates of the Downadup worm are also fascinating. In Preemptive Blocklist and More Downadup Numbers, they stated that their calculation for that day was “8,976,038 infections worldwide and 353,495 unique IP addresses.”

In Calculating the Size of the Downadup Outbreak, they explain how the estimate is produced:

The number of Downadup infections is skyrocketing based on our calculations. From an estimated 2.4 million infected machines to over 8.9 million during the last four days. That’s just amazing.

We’ve received a number of queries on just how exactly we’re producing our estimates.

…There are several different variants of Downadup out there. The algorithm to create the domain names varies a bit between the variants. We’ve been tracking the variant we believe to be most common. It creates 250 possible domains each day. We’ve registered some selected domains out of this pool and are monitoring the connections being made to them.

It will be interesting to see whether the word gets out and people protect themselves fast enough, or whether this number keeps rising. This particular worm is definitely changing the way the online security world pays attention to viruses and worms, and how it tracks them.
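The two F-Secure quotes above describe a daily-changing pool of candidate domains and a count of infected machines taken from sinkholed domains. The following is an added illustration, not code from this article or from F-Secure, and the date-seeded generator is a deliberately simplified stand-in rather than Conficker's real algorithm; it shows why a defender who knows the generator can pre-compute the day's list for a preemptive blocklist or sinkhole, and how connections to the sinkholed names are turned into a count (the log lines and the `sinkhole_counts` function are constructed for the example):

```python
import hashlib
from datetime import date

# Illustrative date-seeded domain generator. This is NOT Conficker's real
# algorithm; it only shows how a pool of 250 candidates that changes every
# day defeats one-at-a-time takedowns, and that anyone who knows the
# generator can produce the same list in advance to block or sinkhole it.
TLDS = ("com", "net", "org")


def candidate_domains(day: date, count: int = 250) -> list:
    """Deterministic candidate list for one calendar day."""
    names = []
    for i in range(count):
        digest = hashlib.sha256(f"{day.isoformat()}:{i}".encode()).digest()
        label = "".join(chr(ord("a") + b % 26) for b in digest[:8])
        names.append(f"{label}.{TLDS[i % len(TLDS)]}")
    return names


DAY = date(2009, 1, 16)
# Assume the defender registered the first three of the day's candidates.
SINKHOLED = candidate_domains(DAY)[:3]

# Constructed sinkhole log: "<date> <source ip> <domain requested>". Two
# requests share one NAT address, one request is for a name outside the
# day's pool (unrelated traffic), and one carries the previous day's date.
SINKHOLE_LOG = "\n".join([
    f"2009-01-16 198.51.100.7 {SINKHOLED[0]}",
    f"2009-01-16 198.51.100.7 {SINKHOLED[1]}",
    f"2009-01-16 203.0.113.9 {SINKHOLED[0]}",
    f"2009-01-16 192.0.2.44 {SINKHOLED[2]}",
    f"2009-01-16 192.0.2.44 unrelated.example",
    f"2009-01-15 198.51.100.200 {SINKHOLED[0]}",
])


def sinkhole_counts(log: str, day: date) -> dict:
    """Count unique source IPs and connections that hit one of the given
    day's candidate domains. Unique IPs undercount infected hosts whenever
    several machines share one NAT address, so both figures are reported."""
    pool = set(candidate_domains(day))
    ips, connections = set(), 0
    for line in log.splitlines():
        stamp, ip, domain = line.split()
        if stamp == day.isoformat() and domain in pool:
            ips.add(ip)
            connections += 1
    return {"unique_ips": len(ips), "connections": connections}
```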

Fake Obama Sites Alert

Phishing and spoofing are on the rise. WordPress was recently spoofed by a malicious site that took advantage of a misspelling of the WordPress domain name. Now fake Barack Obama websites are on the rise.

Some are merely annoying ad sites, but others carry malicious software. Pay close attention to how you spell a domain name if you are typing it in manually, and look very closely for fraud and fakes.

Have We Gotten Complacent?

With virus protection increasingly built into our computers, have we gotten complacent? Have we forgotten how dangerous it can be out there, especially now that so many applications make the Internet experience so easy?

With the recent password hacks on Twitter caused by weak passwords, we have to be more serious about how we protect ourselves, our passwords, and our blogs.

For a long time, many people’s quick answer was to move to Mac or Linux or some lesser-known operating system. Unfortunately, the Mac has become the target of a growing number of viruses and hackers. Other systems also suffer from security vulnerabilities that open the door to potential exploits. While Windows has long been the main target, it only takes one infection to make your life miserable for a while, whatever you run.

Web viruses and worms are especially dangerous as they may soon creep in through the browser and attack without caring which operating system you are running.

There is also no excuse for those who use ridiculous passwords like “password” and “username.”

Expect major changes and increased awareness this year because of the Downadup/Conficker worm, especially if it cannot be shut down completely and continues to spread and mutate.

In the next issue in my series on blog security and cyber attacks, I’ll tell you how to report a cyber crime.

Article Series on Blog Security and Cyber Attacks







  1. By Bleuken posted on January 21, 2009 at 11:14 pm

    I agree that people should be very aware of this kind of security vulnerability. Usually this is the reason why many are infected: neglecting security patch updates and using “weak passwords”, thinking that they have no responsibility for their own system and leaving it all to the anti-viruses. Beware and be aware, that’s what they should do!


  2. By Chrisie99 posted on January 22, 2009 at 12:04 am

    This is really a concern for all of us and I will do my part sharing it with others. There are so many people using the internet like crazy and having no general knowledge about what may happen. So for “cyber geniuses” this is a real opportunity, or a challenge when they face more clever users. I don’t know, I am far from being a pro in this kind of subject, so I consider it’s also about luck when it comes to something really ingenious, since we can’t just rely on the anti-viruses. When they start to take action, it means that damage has already been done somewhere. Am I wrong?


  3. By Extremesecurity posted on January 22, 2009 at 4:15 pm

    Did Downadup/conficker attack your network? I’ve created a batch file for system administrators to clean/patch/cure infected systems in their networks.

    check it out here: Beat downadupconficker.


  4. By usb pendrive posted on January 27, 2010 at 3:51 pm

    I normally only use portable tools (free!) to remove virus threats! So my Twitter account has also been attacked!
