Nearly 9 Million PCs Hit By 'Downandup' Worm - InformationWeek

1/16/2009 05:26 PM


The network worm is really a family of malware variants that targets older Windows machines and changes itself, or is changed by its authors, to evade signature-based detection.

A network worm has been spreading rapidly across the Internet over the past week, despite an emphatic warning from Microsoft last October.

In October, Microsoft took the unusual step of issuing an out-of-band Security Bulletin, MS08-067, for a remote code execution vulnerability in the RPC interface of its Server service (CVE-2008-4250).

"Because the vulnerability is potentially wormable on those older versions of Windows [XP and earlier], we're encouraging customers to test and deploy the update as soon as possible," said Christopher Budd, a Microsoft Security Response Center security program manager, in a blog post.

Microsoft's concerns have proven to be well founded. The MS08-067 worm, also known as "Downadup" and "Conficker," has been spreading like the plague.

"The number of Downadup infections is skyrocketing based on our calculations," F-Secure's Toni Koivunen said in a blog post Friday. "From an estimated 2.4 million infected machines to over 8.9 million during the last four days. That's just amazing."

"The situation with Downadup is not getting better," he added. "It's getting worse."

Strictly speaking, Downadup isn't just one worm; it's a family of variants. Modern malware changes itself, or is changed by its authors, so that a signature written for one sample no longer matches the next.

F-Secure began receiving reports about the Downadup worm in early January. The company's researchers observed that it used server-side polymorphism (each download from the distribution server is a freshly mutated copy of the code) and modified the access control lists (ACLs) on the files and registry keys it drops, making disinfection across a network more difficult.

Plenty of malware makes use of local polymorphism, by randomizing the names of malicious files, for example. But Downadup goes further: rather than contacting a fixed command-and-control address, it generates a fresh list of pseudo-random domain names each day and tries them in turn for updates, so there is no single server whose takedown shuts off its control mechanism.

"This one is really an innovative one where it randomly generates these control channels and tries them out," said Wolfgang Kandek, CTO of Qualys.
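As an added illustration (not code from the article, from F-Secure or Qualys, and not the worm's actual generator), the Python below shows what a date-seeded domain generation scheme looks like and the two defensive responses it invites: precomputing and blocking the list once the algorithm has been reverse-engineered, and, when it has not, spotting the burst of failed lookups a bot produces while "trying out" its candidates. The hash, alphabet, name length, TLD list, per-day count and the DNS log format are all assumptions made for the example.

```python
"""Date-seeded domain generation and the defender's two counters.

Added teaching example, not the worm's real generator: the hashing, alphabet,
name length, TLD list and per-day count below are assumptions. It shows why a
generated rendezvous list has no single address to take down, and what a
defender can still do: (1) with the reverse-engineered algorithm, precompute
the list and block or sinkhole it; (2) without it, flag the burst of failed
lookups a bot makes while trying its candidates.
"""
import hashlib
import re
from collections import defaultdict
from datetime import date, timedelta

ALPHABET = "abcdefghijklmnopqrstuvwxyz"          # assumed
TLDS = ("com", "net", "org", "info", "biz")      # assumed
DOMAINS_PER_DAY = 250                            # assumed
NAME_LENGTH = 10                                 # assumed


def generate_domains(day, count=DOMAINS_PER_DAY):
    """Rendezvous domains for `day`; anyone who has the algorithm gets the same list."""
    domains = []
    for i in range(count):
        stream = hashlib.sha256(f"{day.isoformat()}:{i}".encode()).digest()
        name = "".join(ALPHABET[b % len(ALPHABET)] for b in stream[:NAME_LENGTH])
        tld = TLDS[stream[NAME_LENGTH] % len(TLDS)]
        domains.append(f"{name}.{tld}")
    return domains


def bot_rendezvous(day, resolve):
    """Bot side: try the day's candidates in order. `resolve(domain)` returns
    True when the name answers; it is injected so the example runs offline."""
    for domain in generate_domains(day):
        if resolve(domain):
            return domain
    return None


def defender_blocklist(start, days):
    """Counter 1: precompute every candidate for the next `days` days."""
    names = set()
    for offset in range(days):
        names.update(generate_domains(start + timedelta(days=offset)))
    return names


# Constructed DNS log format (assumed): "<timestamp> <client-ip> <qname> <rcode>"
LOG_LINE = re.compile(r"^(\S+) (\S+) (\S+) (NOERROR|NXDOMAIN)$")


def flag_nxdomain_bursts(log_lines, threshold):
    """Counter 2: clients whose failed lookups reach `threshold`, with the names
    they asked for. A host hunting for its control server fails hundreds of
    times a day; a healthy one fails a handful."""
    failures = defaultdict(list)
    for line in log_lines:
        m = LOG_LINE.match(line.strip())
        if m and m.group(4) == "NXDOMAIN":
            failures[m.group(2)].append(m.group(3))
    return {ip: names for ip, names in failures.items() if len(names) >= threshold}


if __name__ == "__main__":
    today = date(2009, 1, 16)                       # the article's publication date
    blocklist = defender_blocklist(today, 7)
    registered = {generate_domains(today)[41]}      # the one name the attacker registered
    print("bot without blocklist:", bot_rendezvous(today, lambda d: d in registered))
    print("bot behind blocklist :",
          bot_rendezvous(today, lambda d: d in registered and d not in blocklist))
    # Constructed log: one client failing on generated names, one healthy client.
    sample = [f"2009-01-16T10:00:{i:02d} 10.0.0.7 {d} NXDOMAIN"
              for i, d in enumerate(generate_domains(today)[:40])]
    sample += ["2009-01-16T10:01:00 10.0.0.8 www.microsoft.com NOERROR",
               "2009-01-16T10:01:01 10.0.0.8 typo.example NXDOMAIN"]
    print("suspect hosts:", list(flag_nxdomain_bursts(sample, threshold=20)))
```

The first counter only works once the generator has been recovered from a sample, which is why reverse engineering the variants matters; the second works against any generator, at the cost of tuning the threshold so that ordinary typos and stale bookmarks do not trip it.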

The worm also takes steps to defend itself by disabling Windows security and updating features, Automatic Updates, BITS, Security Center and Windows Defender among them. It blocks access to security-related domains on the Internet, so an infected machine can no longer reach antivirus vendors or Microsoft for updates. And it modifies networking settings, raising the limit on concurrent half-open TCP connections, so that it can scan for and copy itself to other computers faster.

According to Kandek, the damage from the worm would have been far smaller had administrators patched more quickly.

MS08-067 "was an out-of-band release," he said. "Microsoft said it was wormable. I think we could have avoided the extent of the damage if we had patched faster."

Typically, he said, only 50% of systems are patched 30 days after a patch is released. "Even now [for MS08-067], 25% to 30% remain unpatched," he said. "I recognize that people have to test patches, but this has to be taken seriously."
