Superworm Reportedly infects 9 million Windows Systems

Posted in News by admin on January 19th, 2009

Remember the film Tremors? You know, that’s the one where big worms slithered around eating people – well, this is like that, except it’s your PC that’s getting eaten this time.

Downadup, or Conficker as it’s also known, is a Superworm that has reportedly been attacking a patched vulnerability in Microsoft Windows, with a reported 6.5 million new infections in the past 4 days alone, bringing the total to an estimated 9 million machines infected.

The numbers are but an estimate, and security researchers say the numbers could be inflated by security company F-Secure, as it’s near impossible to ascertain the exact amount of infections.

“This thing has gotten way out of hand,” said Paul Ferguson, a security researcher for anti-virus provider Trend Micro who has spent the past several weeks tracking the worm’s progress. “It seems pretty spectacular to me that there could be that much growth.”

There are a number of factors contributing to the worm’s growth. The Windows vulnerability allows self-replicating attacks on the 2000, XP and Server 2003 versions of the software, and the worm has been designed to spread via flash and network drives, allowing it to move across a local network at a worrying pace even if just one computer is infected.

A large factor in the worm’s growth is stubborn data managers and administrators of Windows-based systems who failed to heed the warnings and download a security update. Microsoft released a patch to combat the worm over three months ago, but nearly one in three machines have not downloaded it, according to security company Qualys.

If 9 million infected machines sounds exaggerated, it probably is. According to Paul Royal, the chief scientist with Damballa, just 500,000 unique IP addresses have been linked with the Downadup master server - a far cry from the 9 million suggested by F-Secure.

So how did F-Secure come to that staggering figure? They say they infiltrated Downadup’s control channel and analysed the log of machines that connected. While looking around they discovered a counter that they believe shows the number of infected systems. They wrote a script to add all those numbers together (what happened to the good old-fashioned calculator?) and worked out that 8.97 million machines were infected.

The bizarre thing about this worm is its intentions. Researchers have determined that it has not committed fraudulent activity on a large scale. So far it has set up a domain that forces users to install fake anti-virus software at a cost, but once security experts shut down that domain, the worm has, pardon the pun, remained underground.

The worm uses a random domain name generator embedded in the software that causes infected machines to contact a different domain every day, but security boffins have been registering the predicted domain names ahead of the worm. They say they haven’t noticed any spam, banking detail or password fraud as yet.

“Given that there are new domain names generated every day, the botmasters have an infinite number of chances to actually claim control of the botnet and direct it to do whatever they want whenever they want,” said Royal. “Based on what we saw in the past, it seems likely they may try and push rogue anti-virus software on people’s systems in the future, but of course, there’s nothing that precludes them from doing something completely different.”
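The pre-registration approach described above, as an added example that is not part of the original post: a constructed, hypothetical date-seeded generator stands in for the worm's embedded one (the page does not describe the real algorithm), and the defender precomputes the coming week's names, so they can be registered or sinkholed first, and matches DNS log lines against that watchlist. The log format and the client addresses are constructed for the example.

```python
from __future__ import annotations
import hashlib
from datetime import date, timedelta


def predicted_domains(day: date, count: int = 5, tld: str = "example") -> list[str]:
    """Hypothetical stand-in for the worm's generator (not Conficker's real one).

    It depends only on the calendar date, which is the whole point: anyone who
    knows the algorithm can compute tomorrow's names today and register them.
    """
    domains = []
    for i in range(count):
        digest = hashlib.sha256(f"{day.isoformat()}:{i}".encode()).hexdigest()
        label = "".join(chr(ord("a") + int(c, 16) % 26) for c in digest[:10])
        domains.append(f"{label}.{tld}")
    return domains


def watchlist(start: date, days: int, count: int = 5) -> set[str]:
    """Union of predicted domains for `days` consecutive days from `start`."""
    names: set[str] = set()
    for d in range(days):
        names.update(predicted_domains(start + timedelta(days=d), count))
    return names


def flag_lookups(dns_log_lines: list[str], watch: set[str]) -> list[tuple[str, str]]:
    """Return (client, domain) pairs whose queried name is on the watchlist.

    Constructed log format for this example: one 'client qname' pair per line.
    """
    hits = []
    for line in dns_log_lines:
        parts = line.split()
        if len(parts) != 2:
            continue  # skip malformed lines rather than crash on them
        client, qname = parts
        qname = qname.rstrip(".").lower()
        if qname in watch:
            hits.append((client, qname))
    return hits


START = date(2009, 1, 19)  # the post date; week of predictions begins here
WATCH = watchlist(START, 7)
SAMPLE_LOG = [  # constructed sample; only the middle line is a predicted name
    "10.0.0.5 www.microsoft.com",
    "10.0.0.7 " + predicted_domains(START + timedelta(days=1))[2] + ".",
    "10.0.0.9 update.example.net",
]
HITS = flag_lookups(SAMPLE_LOG, WATCH)
```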
