New Windows worm builds massive botnet
Half a million PCs infected, botnet still growing, says researcher
Computerworld - The worm exploiting a critical Windows bug that Microsoft Corp. patched with an emergency fix in late October is being used to build a new botnet, a security researcher said today.
Ivan Macalintal, a senior research engineer with Trend Micro Inc., said that the worm, which his company has dubbed "Downad.a" -- it's called "Conficker.a" by Microsoft and "Downadup" by Symantec Corp. -- is a key component in a new botnet that criminals are creating.
"We think 500,000 is a ball park figure," said Macalintal when asked the size of the new botnet. "That's not as large as some, such as [the] Kraken [botnet], or Storm earlier, but it's still starting to grow."
Last week, Microsoft warned that the worm was behind a spike in exploits of a bug in the Windows Server service, which is used by the operating system to connect to network file and print servers. Microsoft patched the service with an emergency fix it issued Oct. 23, shortly after it discovered a small number of infected PCs in Southeast Asia.
However, the new worm is a global threat, said Macalintal. "This has real potential to do damage," he said. Trend Micro has spotted infected IP addresses on the networks of Internet service providers (ISPs) in the U.S., China, India, the Middle East, Europe and Latin America.
The worm first appeared about a week and a half ago, and began spreading in earnest just before Thanksgiving, he added.
Macalintal also said that it appears the botnet is being built by a new group of cyber-criminals, not one of the gangs that lost control of compromised computers when McColo Corp., a California hosting company, was yanked off the Internet. When McColo went offline, crooks lost access to the command-and-control servers which gave marching orders to some of the world's biggest botnets, including "Srizbi" and "Rustock."
One result of the McColo takedown was a temporary slump in spam; some message security vendors said last week that they had seen a sharp increase in spam as the hackers managed to regain control of their botnets.
Security experts, including those at Trend Micro, are coordinating efforts, said Macalintal, to pass along their lists of worm-infected PCs to ISPs, who have been asked to contact the computers' owners and urge them to clean their machines of the worm.
"But that's an uphill climb," admitted Macalintal.
Users who haven't applied the emergency patch -- labeled MS08-067 by Microsoft -- should do so as soon as possible, Macalintal said.
- Estonian ISP cuts off control servers for Srizbi botnet
- Massive botnet returns from the dead, starts spamming
- Spam levels fluctuate as crooks try to revive botnets
- Spam is silenced, but where are the feds?
- Dodgy ISP McColo briefly comes online, updates botnet
- McColo shutdown forces botnets to relocate
- Hosting firm takedown bags 500,000 bots
- Spam plummets after Calif. hosting service shuttered
- McColo takedown: Internet vigilantism or online Neighborhood Watch?
- IT Blogwatch: McColo is McShut McDown
Read more about Security in Computerworld's Security Topic Center.
- Agility & Scalability for Oracle EBS R12 and RAC on VMware vSphere 5 This white paper outlines extensive performance and scalability testing of Oracle EBS applications on a Vblock™ Systems with vSphere 5.
- Oracle and VCE: The Next Step in Integrated Computing Platforms In this ESG Lab review you will learn how a VCE system driven by Oracle, delivers the perfect blend of high performance and...
- Migrate Oracle Apps from RISC/UNIX to Virtualized x86 Ready to move Oracle to a virtualized environment? This brief explains how true converged infrastructure can help you migrate from a RISC/UNIX environment...
- Step Out of the Bull's-Eye Learn about the evolution of targeted attacks, the latest in security intelligence, and strategic steps to keep your business safe.
- Live Webcast How to serve up a Grand Slam with a scalable IT Infrastructure for cloud, big data and advanced analytics Register today to attend this webcast, and see examples of how The U.S. Tennis Association, Wimbledon and U.S. Golf Association are using the...
- Live Webcast Security Vulnerabilities Associated With Having Local Administrator Privileges Viewfinity will demonstrate how removing admin rights and granularly managing privileges at the application level reduces the attack surface.
- Live Webcast IBM FlashSystem V840: Leveraging Software-Defined Flash to Drive Your Business With end-to-end, tightly integrated functionality and super-fast flash technology, products like IBM FlashSystem V840 Enterprise Performance Solution empower businesses to leverage the efficiency...
- Keep Servers Up and Running and Attackers in the Dark An SSL/TLS handshake requires at least 10 times more processing power on a server than on the client. SSL renegotiation attacks can readily...
- On Demand: Mastering the Art of Mobile Content Management Mobile device usage in the enterprise has skyrocketed, and it continues to escalate. IT must answer to users who demand access to their... All Knowledge Center White Papers | Webcasts