In what experts say could become the largest worm attack in recent memory, millions of computers worldwide are reported to be infected by a worm known variously as Downadup, Conficker and Confick — even though there’s a patch available that could help fix the problem.
Downadup has been spreading so rapidly that security experts say it will beat the record of the Storm virus, which infected anywhere from 160,000 to 50 million computers after being first identified in January 2007.
The newest worm hasn’t yet hit the high end of those figures — but it’s close. Antivirus vendor Panda Security said that it’s observed that almost 6 percent of the two million computers it has scanned were infected by the worm.
And it’s growing far more quickly than Storm, Ryan Sherstobitoff, chief corporate evangelist at Panda, told InternetNews.com. “Storm took a while to gain speed, whereas [Downadup] gained a lot of ground in only 48 hours,” he said. “Think of it as ‘shock and awe’ for the PC.”
Others had even more worrisome reports of Downadup’s aggressive growth: Antivirus vendor Shavlik Technologies said in a statement that it estimates that more than nine million PCs have been infected, while David Perry, global director of education at antivirus firm Trend Micro, told Internetnews.com that he believes about 10 million PCs have been hit.
The worm’s rapid spread marks the latest blow to an Internet security industry struggling to cope with the ever-increasing savvy of spammers and malware authors. Downadup, for instance, contains a number of features designed to make it harder for security pros to shut down.
Yet it’s not its design that accounts for Downadup’s rapid proliferation. Instead, you can blame users’ failure to patch their systems.
Downadup takes advantage of a vulnerability in Microsoft (NASDAQ: MSFT) Server systems, and the company issued a patch back in October. In security bulletin MS08-067, Microsoft alerted users that the problem could be used to craft a worm. It also recommended customers apply the update immediately.
Yet in spite of that warning and an available fix, Downadup remains on a tear, taking over a record number of PCs to create a sprawling botnet
“It’s a patching issue, and it’s spreading because people haven’t patched their PCs for so long that they’re out of the patching cycle,” Panda’s Sherstobitoff said. “That’s why a worm like this would get out of control.”
Despite the differences in how widespread security vendors believe Downadup has become, consensus remains that it’s emerged as the worst attack on the Web since the Storm worm. And despite Downadup’s sprawl, security experts say they do not yet know why it’s setting up botnets.
“It could be a smokescreen or camouflage for some other attack happening on a smaller scale somewhere else,” Trend Micro’s Perry said.
“I think it’s an experiment about exploiting this new vulnerability and how effectively it can be used,” he added. “I wouldn’t be surprised if it were caused by the same people who brought you the Storm worm.”
[cob:Special_Report]While directly infecting PCs, Downadup also grows by identifying vulnerable machines through open network shares, weak passwords and connected removable storage devices, cloud security provider Zscaler said in a statement. Once it infects machines, Downadup connects them back to botnet command-and-control servers, creating a botnet army.
In addition, Downadup has a “phone-home” feature that checks back with its command-and-control center, Zscaler said. The feature could let it download malicious code from drop points that constantly change, making it harder for security professionals to pinpoint its choke points and block its growth.
There may be other factors contributing to Downadup’s spread as well, Michael Sutton, vice president of security research at Zscaler, said in a statement. For one thing, he said Downadup also owes its growth to the fact that Internet-bound botnet command-and-control traffic wasn’t being inspected. He also blamed ineffective antivirus signatures.
For security professionals, the design of worms like Downadup are indicative of the newest trend in malware and spamming, which rely on ever-changing links to avoid being accurately targeted.
For instance, in recent spam and malware attacks, attackers place malicious links on blogs and Web sites that send victims to a traffic management system. That system then points them to a different malware-laden domain every time they click on the links, making it more difficult for security professionals to pinpoint the attack’s origin.
Such attacks were used recently on the LinkedIn social networking site.