
Downadup Worm — When Will the Next Shoe Drop?

Posted by timothy
from the it-looks-like-you're-using-windows dept.
alphadogg writes "The Downadup worm — also called Conflicker — has now infected an estimated 10 million PCs worldwide, and security experts say they expect to see a dangerous second-stage payload dropped soon. 'It has the potential to infect about 30% of Windows systems online, a potential 300 to 350 million PCs,' says Don Jackson, director of threat intelligence in the counter threat unit at SecureWorks. The worm, first identified in November and suspected to have originated in the Ukraine, is quickly ramping up, and while Downadup today is not malicious in the sense of destroying files — its main trick is to block users from accessing antivirus sites to obtain updates to protect against it — the worm is capable of downloading second-stage code for darker purposes."
  • by Anonymous Coward on Saturday January 24, 2009 @06:57PM (#26593249)

    the worm is capable of downloading second-stage code for darker purposes."

    So it might download vista?

    • by Anonymous Coward on Saturday January 24, 2009 @07:07PM (#26593357)

      Windows is actually far more secure than Linux. Get the facts [getthefacts.com], people.

      • Re: (Score:3, Informative)

        by Anonymous Coward
        Yeah as if a Microsoft website isn't going to show a bit of one-sidedness and in doing so leave out a metric ton of facts that don't exactly keep their product at best interest.
      • Windows is actually far more secure than Linux. Get the facts, people.

        ... Please don't feed the trolls.

    • by hobbit (5915) on Saturday January 24, 2009 @09:05PM (#26594345)

      while Downadup today is not malicious in the sense of destroying files

      How quaint! The idea that someone might infect millions of PCs just to delete people's files is so 20th century.

      • Well, deleting files doesn't really do anything. Sure, if someone was going to write a quick script to make someone mad I'd make it delete a few files. If I was going to create a worm that is advanced (such as the storm worm) I'm going to at least make a buck or two on it.
      • by Anonymous Coward on Saturday January 24, 2009 @10:13PM (#26594813)
        One of the big areas hit by downadup is in the corporate world where PCs are "managed". A lot of those have not been patched and are infected already or probably will be soon. Once it gets a foothold behind a firewall, it uses multiple other strategies to spread - weak passwords, etc.

        In a lot of business environments, deleting files could be crippling because those oftentimes have people who don't back up their files, there isn't really a company policy, etc. It's bad enough when somebody loses a hard drive. Try having everyone "lose their hard drive".

        Another issue is this is the first time I have seen the infection attributed to a Russian-area site. Everywhere else it has been attributed to someone or some group in China.

        Regardless, one of the uses of a botnet is for cyber warfare. In this case the cat is out of the bag and people are watching it closely to see what it is going to do. But if the people who built this are sophisticated enough, or maybe this one spreads laterally and more stealthily than people have yet noticed, it could have a real purpose much more sinister than just deleting files or snagging myspace passwords. Downadup could also just be a decoy.

        It's been said that the first clues that war is coming will be people's computers not working properly as infrastructure and services are knocked out. Anyone starting a war will want a crushing first blow and taking out files, doing DDoS, etc, would be typical.

        Not trying to scaremonger but obviously this thing is illicit and almost guaranteed malicious. It would be naive to disregard a government's hand in it.
        • by Zadaz (950521) on Sunday January 25, 2009 @12:12AM (#26595491)

          Well of course deleting files could be crippling. Which is exactly why it would be a stupid thing for a hull breach app to do.

          A modern virus/trojan/worm/etc doesn't want to be noticed. It wants to be an available node to be sold to the highest bidder. Just like a biological virus it can't spread if it kills or incapacitates its host.

          Deleting files was something a virus did back in the 80's because hackers didn't have much imagination. That's not to say a terrorist organization couldn't buy the next payload and send out a "secure reformat on boot" app, but it would be a massive waste of a resource (a massive botnet is incredibly powerful/valuable tool not to be thrown away) and a foolishly indiscriminate target, even for terrorists. In any case they'd have to outbid the ordinary criminals who want it to spam, hijack, DoS, keylog, skim and blackmail.

          ...[This] is the first time I have seen the infection attributed to a Russian-area site.

          You really don't get out much, do you.

    • by hairyfeet (841228)

      Oh please. Hackers are evil but even they aren't THAT cruel!

      Seriously though, this thing is attacking a hole patched in October. Why in the hell are so damned many PC users not bothering to patch their stupid machines? Have they not heard of Autopatcher? [autopatcher.com] I mean how much simpler do they want it? Autopatcher will let you get all the updates to everything 32-bit from 2K-Vista, along with all the Office patches, DirectX and .NET, all the tweaks and add-ons like Flash and Java, and then you burn it to a nice DVD

  • by causality (777677) on Saturday January 24, 2009 @06:58PM (#26593261)
    And now we rediscover why monocultures don't work (and are generally not found) in nature.
    • by Dzimas (547818) on Saturday January 24, 2009 @07:31PM (#26593613)
      Hmm. Are you alluding to the dominance of computers or humans?
    • Re: (Score:2, Informative)

      by dov_0 (1438253)
      Very good point. The variety in different distros and user-chosen software would give Linux a great advantage over Windows security-wise.
    • by Godji (957148)
      And that's funny why? Mod informative.
      • Re: (Score:3, Insightful)

        by philspear (1142299)

        I at least find it funny that IT joins many other fields in realizing nature faced a similar problem and solved it billions of years ago.

    • Re: (Score:2, Insightful)

      by timmarhy (659436)
      yeah right because computers happen in nature. we did have a diversity of computers in the wild, they happily swung from the trees and shat in the woods, but then the windows computer was introduced and ate all their food and raped their babies.

      or maybe not everything has an analogy based on nature, since it's 100% artificial to begin with, and fills an artificial requirement (like all computers being compatible dictates a monoculture...)

      • Re: (Score:2, Funny)

        by Anonymous Coward

        HMPFH.

        *YOUR* PC might have shat in the woods, but my Mac was potty trained from day one.

        • Re: (Score:3, Funny)

          by Anonymous Coward
          Your mac, like all other macs, will die of extinction because of its stubborn refusal to eat meat and mate with the opposite sex. And if that ain't enough, when Mama Jobs dies, all Macs will also die.
      • Re: (Score:2, Insightful)

        Compatible emphatically does NOT imply monoculture.

        That is the whole point of open standards.
        • by timmarhy (659436)
          nice point you raise there. unfortunately a monoculture is the most efficient way to deliver compatibility. it's also the only approach that makes sense from a manageability perspective. so while it would be nice to be able to run any OS and communicate with alien technology like Jeff Goldblum in "Independence Day", it's unlikely.
  • its not hard (Score:5, Informative)

    by madcat2c (1292296) on Saturday January 24, 2009 @07:03PM (#26593313)
    Use a hardware router, use a real anti-virus program that actually publishes updates everyday (Nod32 for me), and use a browser where you can kill anything that tries to auto install itself (firefox, chrome, etc).

    And don't forward or respond to chain emails!
    • There are worms out there that actually disable your anti-virus updates from actually occurring while telling you that they have updated.
      • by phulegart (997083)

        Yes there are. And there are simple steps to being able to clear those worms/spyware/malware when you are infected with them. However, those simple steps either require running scans and updates regularly, or paying for software that will do it automatically (although spybot does have a scheduler feature).

        The issue right now, is that there is not one cleaning tool that gets them all. That's where it starts to get complicated. A large portion of the worst stuff can be cleared easily and painlessly with M

    • by Joce640k (829181)

      ...except that this spreads via USB sticks and blocks antivirus updates.

      A minor nitpick, I know...

      • by Godji (957148)
        I'm wondering about the method of infecting a USB stick. Is it filesystem-specific? How does it work?
        • by ancientt (569920)

          It isn't exactly filesystem specific, though it does depend on being a filesystem that Windows will recognize. It infects USB by putting an autorun.inf on the device to install itself. The nasty bit is that, to the average user, it looks like the executable is just the windows dialog to open the device as a folder. f-secure.com [f-secure.com] has a nice writeup on it.
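As an added illustration from the defender's side (not the poster's code and not from the F-Secure write-up), here is a small inspector for an autorun.inf file. It reports every entry that can start a program and an `action=` label that reuses the wording of Windows' own "Open folder to view files" choice, which is the disguise ancientt describes. Both sample files are constructed.

```python
import re
from dataclasses import dataclass, field

# Extensions Windows will execute directly when named by open= / shellexecute=.
EXEC_EXT = (".exe", ".com", ".scr", ".pif", ".bat", ".cmd", ".vbs", ".js", ".dll")
# Wording of the built-in AutoPlay entry that opens the drive as a folder; an
# autorun.inf that reuses it wants its own entry mistaken for that one.
FOLDER_WORDING = re.compile(r"open\s+folder\s+to\s+view\s+files", re.IGNORECASE)


@dataclass
class AutorunReport:
    keys: dict = field(default_factory=dict)      # key -> value from [autorun]
    findings: list = field(default_factory=list)  # human-readable observations


def parse_autorun(text: str) -> dict:
    """Parse the [autorun] section: keys are case-insensitive, ';' starts a
    comment line, and any other section is ignored."""
    keys, in_section = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].strip().lower() == "autorun"
            continue
        if in_section and "=" in line:
            key, value = line.split("=", 1)
            keys[key.strip().lower()] = value.strip()
    return keys


def _program(value: str) -> str:
    """Return the program part of a command value, dropping arguments."""
    if value.startswith('"') and '"' in value[1:]:
        return value[1:value.index('"', 1)].lower()
    return value.split()[0].lower()


def inspect_autorun(text: str) -> AutorunReport:
    """List each way the file can start a program, plus any attempt to look
    like the built-in 'open as folder' choice."""
    report = AutorunReport(keys=parse_autorun(text))
    for key in ("open", "shellexecute"):
        value = report.keys.get(key)
        if value and _program(value).endswith(EXEC_EXT):
            report.findings.append(f"{key}= runs {_program(value)}")
    for key, value in report.keys.items():
        # shell\<verb>\command= also runs a program when that verb is chosen
        if key.startswith("shell\\") and key.endswith("\\command"):
            report.findings.append(f"{key}= runs {_program(value)}")
    action = report.keys.get("action", "")
    if FOLDER_WORDING.search(action):
        report.findings.append(f"action= imitates the folder entry: {action!r}")
    return report


def is_suspicious(report: AutorunReport) -> bool:
    """A program launch combined with the folder disguise is the pattern to flag;
    a plain vendor installer disc has the launch but not the disguise."""
    launches = any(" runs " in f for f in report.findings)
    disguised = any("imitates" in f for f in report.findings)
    return launches and disguised


# Constructed samples for the demonstration (not taken from any real infection).
DISGUISED = """[autorun]
action=Open folder to view files
shellexecute=hidden\\helper.exe
"""
VENDOR_DISC = """; vendor installer disc
[autorun]
open=setup.exe /quiet
icon=setup.exe,0
label=Vendor Install Disc
[DeviceInstall]
DriverPath=drivers
"""
```

Run against a mounted drive, the same inspector would read `autorun.inf` from the drive root; here the two constructed strings stand in for that file.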

  • When you see it divert fractions of pennies into a bank account they control.

  • by hksdot (1128515) on Saturday January 24, 2009 @07:03PM (#26593325)

    You'll all thank me when I deploy the second stage to install and run SETI@home and discover alien intelligence.

    -Virus Author

  • Why is it.. (Score:5, Funny)

    by zmollusc (763634) on Saturday January 24, 2009 @07:07PM (#26593359)

    .. that I can't get windows apps to do what i want without crashing, but it runs teh evil viruses perfectly?

    • What makes you think it does? Perhaps 10% of all infections fail. So what?

    • by Shados (741919)

      Virus writers aren't former Visual Basic 6 developers without degrees who think they're hot shit for being able to pop a modal dialog, and make a career out of it. That's why.

      • Re: (Score:2, Interesting)

        by troll8901 (1397145)

        Too true. The original Internet worm had only 99 lines of source code, yet incorporated encryption, password guessing, vulnerability-injection, and so on.

        Except for a bug, I think the author was a genius - a true "hacker" in the original sense of the word.

        Of course, both viewpoints were presented by another guy, who included this incident in the last chapter of a book.

    • Re:Why is it.. (Score:5, Insightful)

      by nathan.fulton (1160807) on Saturday January 24, 2009 @08:00PM (#26593881) Journal
      ".. that I can't get windows apps to do what i want without crashing, but it runs teh evil viruses perfectly?"
      Because there is a 100% correlation between a virus crashing and a virus writer's lost profit. With most legitimate software, a crash leaves only one practical option: keep using the crapware and hope it doesn't crash again.
      • by brusk (135896)

        Actually no. If a virus works only 50% of the time, no big deal, the author probably doesn't even know.

    • Re: (Score:3, Funny)

      by Yvanhoe (564877)
      Let's be fair, the virus only works on 30% of the machines. Still impressive for a windows app though...
  • by TexVex (669445) on Saturday January 24, 2009 @07:16PM (#26593447)
    If this thing is a malicious software delivery system, wouldn't it be possible to hijack it and have it download something that removes it?
    • Re: (Score:2, Interesting)

      by Kifoth (980005)
      Good question... Since we know that the virus checks 250 formula-based URLs every day for 'updates,' what's to stop someone from registering one of the upcoming URLs and hosting code there that'll cause the virus to uninstall or cripple itself?
    • only if the virus writer is doing it wrong. There are about a million ways to prevent this, including encrypting the code.
    • Re: (Score:3, Informative)

      by Fnord666 (889225)

      If this thing is a malicious software delivery system, wouldn't it be possible to hijack it and have it download something that removes it?

      Unfortunately the virus writers already thought of that. The article didn't give details but I would guess that the downloaded payload is digitally signed and the virus code verifies the signature.

    • by upuv (1201447) on Saturday January 24, 2009 @09:06PM (#26594357) Journal

      Aside from the potential protections the virus may have for this.

      White hats have a few extra rules to contend with. Since going into someone's computer and changing stuff without their approval is illegal in most parts of the globe, the white hats would be just as guilty as the virus writer.

      God forbid the white hat actually makes a mistake and the cure is worse than the disease. An analogous problem occurred when Sony installed a rootkit that prevented people from breaking the law. Sony thought it was protecting its IP rights. What really happened was that Sony effectively gave complete and total access to anyone who wanted to do stuff on the computer. Sony got slapped hard for this and it cost them a bundle. Many people lost their jobs and the damage to personal computers around the world was rather staggering.

      So it's not as simple as someone taking over the comms with the virus and sending back clean up routine.

      ----
      As an aside. If or when the world comes to accept that white hats are allowed to attack viruses in this manner, we will see an almost instant response from the virus writers.

      A double payload mechanism would be very effective for example.
      1. Virus infects.
      2. 2nd payload is delivered and hides in stealth.
      3. white hat antivirus clears first virus. As it would take time for the aggressive anti virus to be written. The 2nd payload could easily be delivered well in advance of the white hat action.
      4. 2nd payload is now on the hardware with no need to talk to command and control.

      That is just one possible vector change that would appear.

      ----

      More likely is that if white hats were given the go-ahead to attack, the "bad guys" would simply move to the next soft target. I suspect the next soft target to be the vast numbers of networked devices that are multiplying, all running Linux variations. Also, since next to no one ever updates the firmware on these appliances, once vulnerable they will remain forever vulnerable.

      ----
      So in the end no it's a BAD idea for the white hats to aggressively attack these things. It's an arms escalation that we simply don't need.

    • by arkhan_jg (618674) on Saturday January 24, 2009 @09:46PM (#26594605)

      According to this [symantec.com] analysis, the writers anticipated the daily domain-generation algorithm it uses to check for updates being reverse engineered, and they put in additional protection so that it would only download code from the original authors - presumably using some kind of key signing.
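Why hosting a cleanup tool on one of the day's domains does not work if the payload check behaves the way Fnord666 and arkhan_jg suppose: an added illustration of signed-update verification, not the worm's code and not taken from the Symantec analysis. The toy RSA keys, host names and payloads are all constructed, and the check is the same one a legitimate auto-updater performs: only the public half of the key ships with the client, so whoever registers one of the names sees the connection attempts but cannot serve code the check will accept.

```python
import hashlib

# Toy RSA keypair over two fixed Mersenne primes. Constructed for illustration
# only: a modulus this small is nowhere near secure.
P, Q = (1 << 61) - 1, (1 << 31) - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))   # private exponent: stays with the author only


def _digest(data: bytes) -> int:
    # SHA-256 of the payload, reduced into the (toy) RSA group.
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % N


def sign(payload: bytes, d: int = D) -> int:
    return pow(_digest(payload), d, N)


def verify(payload: bytes, signature: int, e: int = E, n: int = N) -> bool:
    return pow(signature, e, n) == _digest(payload)


class UpdateClient:
    """Polls the day's candidate hosts and accepts only a payload whose signature
    verifies against the embedded public key (E, N). The private key D is never
    part of the client, so nothing in a captured copy lets a third party sign."""

    def __init__(self, public_key=(E, N)):
        self.e, self.n = public_key

    def check(self, candidates, network):
        """candidates: the day's host names; network: host -> (payload, sig), or
        absent when nobody registered the name. Returns (accepted_host, rejected)."""
        rejected = []
        for host in candidates:
            served = network.get(host)
            if served is None:
                continue                      # unregistered name: nothing to fetch
            payload, sig = served
            if verify(payload, sig, self.e, self.n):
                return host, rejected
            rejected.append(host)             # content present, but not the author's
        return None, rejected


# Constructed scenario: one of the day's names registered by a responder hoping to
# push a cleanup tool, one that nobody registered, and one the author controls.
AUTHOR_PAYLOAD = b"stage2 (constructed placeholder, not real code)"
CLEANUP = b"uninstall routine (constructed placeholder)"
DAY_CANDIDATES = ["aaaa.example", "bbbb.example", "cccc.example"]
NETWORK = {
    "aaaa.example": (CLEANUP, 12345),                        # responder: no key, bogus sig
    "cccc.example": (AUTHOR_PAYLOAD, sign(AUTHOR_PAYLOAD)),  # author: valid signature
}


def run_scenario():
    return UpdateClient().check(DAY_CANDIDATES, NETWORK)


if __name__ == "__main__":
    print(run_scenario())   # ('cccc.example', ['aaaa.example'])
```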

  • "The Downadup worm - also called Conflicker - has now infected an estimated 10 million PCs worldwide,

    Ashamed of being fucked with [wikipedia.org], victims call "conficker" now "conflicker" or with the euphemism "downadup". It does not matter, it all adds up down there if you are screwed with.
  • by Prune (557140) on Saturday January 24, 2009 @07:36PM (#26593657)
  • Microsoft... (Score:5, Insightful)

    by ConceptJunkie (24823) on Saturday January 24, 2009 @07:59PM (#26593863) Homepage Journal

    "From where do you want to get pwned today?"

    It's 2009... I can't believe we're still dealing with this crap in 2009.

  • And I'm using it to 'infect' their PCs with Linux. It'll stop all future viruses as well as creating a wave of happiness. Dark purposes, it's all how you look at it. Sure they'll hate me for a while, but then they'll love me and I'll reveal my identity and be a hero!

    • Re: (Score:3, Funny)

      I knew it! Those linux folks are all virus writers! They even infect the copyright system with their dirty viruses [wikipedia.org]!
    • by Eudial (590661)

      And I'm using it to 'infect' their PCs with Linux. It'll stop all future viruses as well as creating a wave of happiness. Dark purposes, it's all how you look at it. Sure they'll hate me for a while, but then they'll love me and I'll reveal my identity and be a hero!

      Here I was hoping the virus would start correcting the spelling in you tube comments. Maybe the next virus that comes along will realize my grammar nazi utopia, then...

      1. Rent a bot net with the worm on it.
      2. Instruct each zombie to BitTorrent and install Wubi. [wubi-installer.org]
      3. ???
      4. Profit!
  • A small niggle... (Score:4, Interesting)

    by rickb928 (945187) on Saturday January 24, 2009 @08:10PM (#26593947) Homepage Journal

    But it's "Ukraine", not "The Ukraine".

    At least, that's what Ukrainians say [wsu.edu].

    Just sayin... And that's what the Ukrainian rocket scientist I know says also.

    • by Cyberax (705495)

      Don't worry. Ukraine is going to split into several parts real soon or at least become a federation. And then you'll be able to call it "the Ukraine" again. :)

    • Re: (Score:2, Interesting)

      If you wonder why people (esp. Americans) insist on referring to Ukraine as "The Ukraine," I believe the answer lies with the Parker Bros. board game "Risk". Their wikipedia entry http://en.wikipedia.org/wiki/Risk_(game)#Territories [wikipedia.org] doesn't say this, but I'm pretty sure older boards had a space that was not called Ukraine, but "The Ukraine". Corroboration from Seinfeld: http://www.seinfeldscripts.com/TheLabelMaker.html [seinfeldscripts.com] If you're wondering if Americans learned geography from any source more reliable than a
      • by rickb928 (945187)

        I knew where Ukraine was before I knew about Risk.

        American public education wasn't always such a failure.

  • Where do I go to get a script that searches for it and removes it?

    I'm sure I have coworkers that need this removed from their computers at work..

    • by anss123 (985305)

      I'm sure I have coworkers that need this removed from their computers at work..

      The hole the virus exploits was closed last year, before Conflicker started spreading, so if your company machines are up to date they should be safe. Microsoft also has a "malicious Software Removal tool" that can remove the virus.

      • Re: (Score:3, Funny)

        Microsoft also has a "malicious Software Removal tool"

        Is that a tool for removing malicious software, or a malicious tool for removing software? Enquiring minds want to know!

    • Re: (Score:3, Informative)

      bleepingcomputer.com - combofix.exe. Used this at work to remove it from multiple laptops. Works well and I didn't have any trouble with it. Leave the USB thumb drive in while you run it, and it will clean the infection from it as well.

  • by David Gerard (12369) <slashdot@@@davidgerard...co...uk> on Saturday January 24, 2009 @08:39PM (#26594181) Homepage

    A computer worm that spreads through low security networks, memory sticks, and PCs without the latest security updates is posing a growing threat to users blitheringly stupid enough [today.com] to still think Windows is not ridiculously and unfixably insecure by design [philosecurity.org].

    Despite many years' warnings that Microsoft regards security as a marketing problem and has only ever done the absolute minimum it can get away with, millions of users who click on any rubbish they see in the hope of pictures of female tennis stars having wardrobe malfunctions still fail to believe that taking Windows out on the Internet is like standing bent over in the street in downtown Gomorrah, naked, arse greased up and carrying a flashing neon sign saying "COME AND GET IT."

    Microsoft cannot believe people have not applied the patch for the problem, just because they keep trying to use Windows Genuine Advantage to break legally-bought systems. "Don't they trust us?" asked marketing marketer Steve Ballmer.

    Millions of smug Mac users and the four hundred smug Linux users pointed and laughed, having long given up trying to convince their Windows-using friends to see sense. "There's a reason the Unix system on Mac OS X is called Darwin," said appallingly smug Mac user Arty Phagge.

    "It can't be stupid if everyone else runs it," said Windows user Joe Beleaguered, who had lost all his email, business files, MP3s and porn again. "Macs cost more than Windows PCs."

    "Yes," said Phagge. "Yes, they do."

    Ubuntu Linux developer Hiram Nerdboy frantically tried to get our attention about something or other, but we can't say we care.

  • by erroneus (253617) on Sunday January 25, 2009 @02:03AM (#26596021) Homepage

    It doesn't matter how bad and unsafe Windows is. Microsoft Windows is like the air. People are going to keep breathing it no matter who farted in the room. People live in the most polluted places because that's where they live, that's where they work, that's where they play. I could tell you all day long about this other place... with clean air, that's safe, that's stable and all that... and most people might be intrigued but very few will vacation there and even fewer will actually move there. This is how people work.

    Linux needs an Apple logo before the masses will move to it.

    • Re: (Score:3, Interesting)

      by RAMMS+EIN (578166)

      Linux has a logo, and it's cute and cuddly, so I think that's all good. It's just nowhere to be seen.

      Computers (and embedded systems) coming with Linux carrying the penguin logo on their packaging, hardware that works with Linux and software that works with Linux (but what version of what distro?) carrying the penguin logo would be a start.

      The logo alone isn't enough. It would be great if it were out there, but people also need to know why they want it. Something like Compiz's spinning cubes works wonders h

    • Re: (Score:3, Interesting)

      by mlwmohawk (801821)

      People live in the most polluted places because that's where they live, that's where they work, that's where they play.

      Within reason, of course. When there is no place to go, they stay. However, history shows that where there are alternatives, people migrate to cleaner/better environments. The Navajo and Anasazi would pack up and leave a whole city and build a new one. In the 1800s people flocked to the west for a better life. Europeans flocked to the Americas for a cleaner/better life.
