Researchers wait for Downadup worm's second act

Computerworld - The worm that has infected millions of Windows PCs is a "very well-engineered" piece of malware, according to one security expert. But researchers still have no clear idea what the hackers plan to do with the collection of computers they've compromised with "Downadup."

"This is a very well-engineered piece of software," said Alfred Huger, vice president of development at Symantec Corp.'s security response group. "It's very well thought out. Whoever wrote it, it's not their first time writing malware. It looks as if the author has had a great deal of experience writing software, and is fully versed in writing network-level code."

Downadup, also called "Conficker," has infected an estimated 6% of PCs worldwide. The worm spreads by exploiting a four-month-old vulnerability in Windows, by brute-force password attacks and by hitchhiking on USB devices like flash drives.

Huger was impressed by the technical chops of Downadup's maker, or makers. "The worm itself is very complex," he said. "At the byte level, it implements [things] in some novel ways." Compared to most malware, which Huger said is "written off the cuff," Downadup is downright elegant.

And effective. Most researchers, including those at Symantec, have said the worm is the most invasive seen in the last six years. "At a basic level, it tends to perform well, and that's helped it spread," said Huger.

But much more than hacker craft made Downadup a success, Huger maintained. Other elements, including timing, the countries at the top of the attack list and even software piracy rates contributed.

"They put this together in a very brief period of time," Huger said, referring to the spotting of the worm's first variant just three weeks after Microsoft issued an emergency patch.

The faster hackers can come up with an exploit and put it on the street, the better luck they usually have, for fewer users patch their machines in the first days or weeks after a vulnerability is fixed.

"Software piracy also plays a role," said Huger, noting that the countries that Symantec has seen Downadup at its most successful -- in China, for instance, the worm has accounted for nearly a quarter of all recent infections -- also have historically high rates of running counterfeit software. People running Windows illegally are believed to patch their machines less rigorously than users with legitimate copies, for fear that Microsoft's antipiracy technology will detect and mark the operating system as stolen.

Patching habits have played a part, too, at least in keeping Downadup from infecting PCs through the bug Microsoft patched last October. "We feel that consumers in North America and western Europe are better educated about remaining patched," said Huger, pointing to the relatively low Downadup infection rates in those regions.

"Worms travel the path of least resistance," he added.

Although some researchers now say that Downadup seems to have peaked -- F-Secure Corp. today noted that its "growth ... has been curbed" -- researchers remained worried about the next step in the attack.

Most malware infects PCs so that hackers can then use the collected machines, dubbed a botnet, to send spam, attack Web sites or compromise more computers. To do that, the original attack code directs the now-controlled PC, a "bot" in security parlance, to download additional software.

But Downadup has yet to trigger such second-stage downloads.

"Why is it taking so long?" asked Huger. "That's what we're all asking." He couldn't recall an attack of this size with such a long lag time between the initial attacks and follow-on downloads of more malware to the hijacked systems.

The people behind Downadup will eventually follow through, Huger's convinced. "They've obviously put a lot of thought into the worm. They've been very methodical," he said.

But he also pointed out that the clock is ticking. "If they don't hurry up and do it, someone else will," he said, explaining that hackers must fend off not only security researchers, but also other criminals, who would like nothing better than to pinch a ready-to-use botnet.

"They're trying to keep the other bad guys at bay, too," Huger said. "So I would guess that they would act soon."

Read more about security in Computerworld's Security Knowledge Center.