'Amazing' worm attack infects 9 million PCs
Biggest infection in years, says Finnish security firm
Computerworld - Calling the scope of the attack "amazing," security researchers at F-Secure Corp. today said that 6.5 million Windows PCs have been infected by the "Downadup" worm in the last four days, and that nearly 9 million have been compromised in just over two weeks.
Early Friday, the Finnish firm revised its estimate of the number of computers that had fallen victim to the worm, and explained how it came to the figure. "The number of Downadup infections [is] skyrocketing," Toni Koivunen, an F-Secure researcher, said in an entry to the company's Security Lab blog. "From an estimated 2.4 million infected machines to over 8.9 million during the last four days. That's just amazing."
On Tuesday, Koivunen put the number of infected systems at 2.4 million, then updated the estimate Wednesday to 3.5 million, an increase of 1.1 million in just 24 hours.
"We haven't seen outbreaks of this scale in many years," said Mikko Hypponen, chief research officer at F-Secure, in an e-mail reply to questions. "[It] reminds me of the old Loveletter/Melissa/Sasser/Blaster cases size-wise," he added, ticking off some of history's biggest malware attacks.
Downadup -- which also goes by the name "Conficker" -- exploits a bug in the Windows Server service used by Windows 2000, XP, Vista, Server 2003 and Server 2008. Although Microsoft fixed the flaw with one of its rare "out of cycle" updates in late October, about a third of all PCs have not yet been patched, according to Qualys Inc., another security company. Those PCs are the ones being hijacked by the worm.
In his Friday blog post, F-Secure's Koivunen also provided some background on the company's estimate, in part because some people had expressed disbelief in the number. According to Koivunen, F-Secure came to its 8.9 million-machine estimate by spying on the worm's communication with hacker-controlled servers.
Once it's gotten onto a PC, Downadup generates a list of possible domains, selects one, then uses that URL to reach a malicious server from which it downloads additional malware to install on the hijacked computer. F-Secure, however, has registered some of those domains, and has been able to monitor traffic through those URLs.
By examining logs of connection attempts to the domains, F-Secure discovered several hundred thousand different IP addresses -- over 350,000 as of today -- as well as a counter embedded in each that spells out the number of additional PCs that the infected machine has compromised.
"So this number tells us how many other computers this machine has exploited since it was last restarted," explained Koivunen. A sample log provided by F-Secure showed 12 Downadup-infected PCs, which collectively had infected 186 additional systems. Just one of the originally infected computers successfully attacked 116 other machines.
"We wrote a program that parses the logs, extracting the highest value for the IP/User-Agent pairs ... then added together to get our figures," said Koivunen. "As you can see now, they are very conservative."
Earlier this week, the already-high number of Downadup infections prompted Microsoft to add detection for the worm to its Malicious Software Removal Tool (MSRT), the anti-malware utility that the company updates and redistributes each month to Windows machines. Microsoft released the latest edition of the MSRT with anti-Downadup capabilities last Tuesday.
Like other security researchers, those from Microsoft have put some of the blame on users slow to patch their PCs. "Either Security Update MS08-067 was not installed at all or was not installed on all the computers," a pair of security researchers who work at Microsoft said Tuesday.
- Downadup worm now infects 1 in every 16 PCs, says Panda
- US-CERT: Microsoft's advice on Downadup leaves users open to attack
- FAQ: How to protect your PC against the Downadup worm
- 'Amazing' worm attack infects 9 million PCs
- 1 in 3 Windows PCs vulnerable to worm attack
- Researcher: Worm infects 1.1M Windows PCs in 24 hours
- 'Huge increase' in worm attacks plagues unpatched Windows PCs
- Microsoft releases emergency Windows patch to head off worm attack
Read more about Security in Computerworld's Security Topic Center.
- Radicati: Cloud Business Email - Market Quadrant 2013 Google was named the top cloud business email provider in a recent report by research firm Radicati. Out of 14 key players, Google...
- Tablets in the Enterprise: A Checklist for Successful Deployment How can you enterprise manage and secure tablets in order to protect corporate data while providing access to the information and applications employees...
- Enterprise Mobility: A Checklist for Secure Containerization The advantages and disadvantages of the multiple approaches to containerization. Learn More>>
- Enterprise File Sync & Share Checklist File sync and share has changed the way people work and collaborate in today's tech-savvy world. Gone are the email roadblocks, clunky FTP...
- Live Webcast LIVE EVENT: 5/7, The End of Data Protection As We Know It. Introducing a Next Generation Data Protection Architecture. Traditional backup is going away, but where does this leave end-users?
- LIVE EVENT: 5/7, The End of Data Protection As We Know It. Introducing a Next Generation Data Protection Architecture. Traditional backup is going away, but where does this leave end-users?
- On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy... All Security White Papers | Webcasts