Downadup Worm Hits Over 3.5 Million Computers

Jan 16, 2009 by John Messina weblog
Windows bulletin MS08-067

(PhysOrg.com) -- Security firm F-Secure has advised that the Downadup worm has spread to more than 3.5 million computers by exploiting a vulnerability Microsoft patched last October. This is achieved by trying to connect to various Web addresses. The worm then looks for an active Web server at one of these domains and downloads and runs a particular executable file. This allows the malware to do whatever it wants with all of the infected computers.

The Downadup uses a complicated algorithm which changes daily and is based on timestamps from public websites such as Google.com and Baidu.com. The worm then generates many possible domain names every day.

Names such as: qimkwaify .ws, mphtfrxs .net, gxjofpj .ws, imctaef .cc, and hcweu .org. It would be impossible to shut them all down because there's just too many and most of them aren't even registered. The bad guys running the show only need to register one domain for the day, register it, and set up a website. From there they can gain access to all of the infected machines.

In order for the F-Secure Response Team to determine just how many machines are infected, they will register some of the possible domains and connect to the infected machines.

Right now the Response Team is seeing hundreds of thousands of unique IP addresses connecting to the domains they have registered. A large portion of that traffic is coming from corporate networks, through firewalls, proxies, and NAT routers. This clearly shows that one unique IP address can be connected to thousands of corporate machines.

All this could have been avoided if more users had patched the vulnerability in how Windows processes remote procedure call (RPC) requests by the Windows Server service. Microsoft issued a critical out-of-band patch, bulletin MS08-067, to fix this problem.

Microsoft Security Bulletin MS08-067: www.microsoft.com/technet/security/Bulletin/MS08-067.mspx

© 2009 PhysOrg.com

Explore further: LinkedIn membership hits 300 million

add to favorites email to friend print save as pdf

Related Stories

Conficker Worm Prepares For A New Release On April 1

Mar 27, 2009

(PhysOrg.com) -- The conficker worm created havoc last year when it infected over 10 million computers on a global scale. The unique design of the conficker worm allowed for this large scale attack to over ...

Global wave of Flame cyber attacks called staggering

May 28, 2012

(Phys.org) -- Kaspersky Lab has discovered complex malware that has been in operation for at least five years, collecting data from countries including both Israel and Iran. Kaspersky experts think the masterminds ...

Ramnit's heist bags 45,000 Facebook passwords

Jan 06, 2012

(PhysOrg.com) -- Ramnit, the bank-thieving worm, is at it again, this time scoffing up Facebook accounts. The latest oh-look-another-threat is one that security watchers say could get ugly. Ramnit has grown ...

Flame spy virus gets order to vanish: experts

Jun 10, 2012

US computer security researchers said Sunday that the Flame computer virus that smoldered undetected for years in Middle Eastern energy facilities has gotten orders to vanish, leaving no trace.

Recommended for you

LinkedIn membership hits 300 million

Apr 18, 2014

The career-focused social network LinkedIn announced Friday it has 300 million members, with more than half the total outside the United States.

Researchers uncover likely creator of Bitcoin

Apr 18, 2014

The primary author of the celebrated Bitcoin paper, and therefore probable creator of Bitcoin, is most likely Nick Szabo, a blogger and former George Washington University law professor, according to students ...

White House updating online privacy policy

Apr 18, 2014

A new Obama administration privacy policy out Friday explains how the government will gather the user data of online visitors to WhiteHouse.gov, mobile apps and social media sites. It also clarifies that ...

User comments : 0

More news stories

Ex-Apple chief plans mobile phone for India

Former Apple chief executive John Sculley, whose marketing skills helped bring the personal computer to desktops worldwide, says he plans to launch a mobile phone in India to exploit its still largely untapped ...

A homemade solar lamp for developing countries

(Phys.org) —The solar lamp developed by the start-up LEDsafari is a more effective, safer, and less expensive form of illumination than the traditional oil lamp currently used by more than one billion people ...

UAE reports 12 new cases of MERS

Health authorities in the United Arab Emirates have announced 12 new cases of infection by the MERS coronavirus, but insisted the patients would be cured within two weeks.

NASA's space station Robonaut finally getting legs

Robonaut, the first out-of-this-world humanoid, is finally getting its space legs. For three years, Robonaut has had to manage from the waist up. This new pair of legs means the experimental robot—now stuck ...