The Downadup worm, a malicious program that spreads using a recently patched Windows flaw, has compromised more than 3.5 million computers, security firm F-Secure stated this week.
The Downadup worm has successfully spread because it uses a major flaw that Microsoft patched in October to remotely compromise computers running unpatched versions of the Windows operating system. However, the malicious program's greatest strength appears to be a feature that allows worm-controlled computers to download malicious code from a random drop point.
The program generates addresses for 250 different domains each day. The botnet controller need only register one of the domains and set up a download server to update the bot program with different functionality, said Mikko Hyppönen, chief research officer at F-Secure.
"The bad guys only need to predetermine one possible domain for tomorrow, register it, and set up a website, and they then gain access to all of the infected machines — pretty clever," Hyppönen said in a blog post.
The worm uses a vulnerability in Windows' processing of remote procedure call (RPC) requests by the Windows Server service. When it issued an emergency patch for the flaw in October, Microsoft warned that the vulnerability could be used to automatically spread malicious code to systems running Windows XP and earlier versions of the company's operating system.
Symantec, the owner of SecurityFocus, has also recorded large numbers of infections by Downadup. The company recorded more than 600,000 systems infected with the program in a 72-hour span. Almost all of the system were running Windows XP.
While F-Secure could insert its servers into the Downadup's update mechanism, effectively disabling the program on infected computers, Hyppönen said the strategy would violate the laws of most Western countries.
"We could attempt to manipulate the infected machines, but of course, we won't," he said. "In fact, we won't be doing anything at all to them — not even disinfect them — as that could be seen as 'unauthorized use'. That is illegal, at least in many jurisdictions.... Look but don't touch is the golden rule."
F-Secure considers the estimate of 3.5 million machines infected to be conservative. The top-3 countries with the most infections were China, Brazil and Russia, according to F-Secure.
If you have tips or insights on this topic, please contact SecurityFocus.
Posted by: Robert Lemos