Feeds

Superworm seizes 9m PCs, 'stunned' researchers say

Downadup goes up and up

  • alert
  • submit to reddit

Protecting users from Firesheep and other Sidejacking attacks with SSL

Downadup, the superworm that attacks a patched vulnerability in Microsoft Windows, is making exponential gains if estimates from researchers at F-Secure are accurate. They show 6.5 million new infections in the past four days, bringing the total number of machines it has compromised to almost 9 million.

The astronomical growth stunned some researchers, although others cautioned the numbers could be inflated since the counting of infected computers is by no means an exact science. Most agreed F-Secure's estimate was certainly plausible and if it proved to be correct, represented a major development in the world of cyberthreats.

"This thing has gotten way out of hand," said Paul Ferguson, a security researcher for anti-virus provider Trend Micro who has spent the past several weeks tracking the worm's progress. "It seems pretty spectacular to me that there could be that much growth."

A confluence of factors are responsible for the growth of Downadup, which also goes by the name Conficker.

For one, the underlying vulnerability allows for self-replicating attacks in the 2000, XP, and Server 2003 versions of Windows. And for another, the malware authors have cleverly designed exploits that spread via flash and network drives, online trojans, and social engineering features that allow it to spread like wildfire within a local network once a single machine is compromised.

Another important contribution to the outbreak seems to be the legions of administrators and users of Windows machines who have failed to heed repeated admonitions to update. Despite Microsoft releasing an emergency patch for the vulnerability almost three months ago, nearly one in three Windows machines have yet to apply it, according to research from security provider Qualys.

Some Skepticism

Not all security watchers are convinced there really are 9 million machines infected by Downadup. Paul Royal, chief scientist with anti-botnet company Damballa, said his researchers have counted only about 500,000 unique IP addresses connecting to Downadup's master control server. That would imply an average of 18 infected machines behind each address, a number he says is unlikely.

The skepticism prompted F-Secure researchers to explain its methodology for the mind-boggling number. By infiltrating Downadup's control channel and analyzing logs of machines that connected, researchers discovered a counter believed to show the number of other PCs the compromised machine has infected.

After creating a script that totaled all those numbers together, F-Secure deduced 8.97 million machines have been compromised, up from 2.4 million on Tuesday.

The next step in data security

More from The Register

next story
Israeli spies rebel over mass-snooping on innocent Palestinians
'Disciplinary treatment will be sharp and clear' vow spy-chiefs
Infosec geniuses hack a Canon PRINTER and install DOOM
Internet of Stuff securo-cockups strike yet again
'Speargun' program is fantasy, says cable operator
We just might notice if you cut our cables
Apple Pay is a tidy payday for Apple with 0.15% cut, sources say
Cupertino slurps 15 cents from every $100 purchase
YouTube, Amazon and Yahoo! caught in malvertising mess
Cisco says 'Kyle and Stan' attack is spreading through compromised ad networks
Hackers pop Brazil newspaper to root home routers
Step One: try default passwords. Step Two: Repeat Step One until success
Greater dev access to iOS 8 will put us AT RISK from HACKERS
Knocking holes in Apple's walled garden could backfire, says securo-chap
Microsoft to patch ASP.NET mess even if you don't
We know what's good for you, because we made the mess says Redmond
prev story

Whitepapers

Providing a secure and efficient Helpdesk
A single remote control platform for user support is be key to providing an efficient helpdesk. Retain full control over the way in which screen and keystroke data is transmitted.
Saudi Petroleum chooses Tegile storage solution
A storage solution that addresses company growth and performance for business-critical applications of caseware archive and search along with other key operational systems.
Security and trust: The backbone of doing business over the internet
Explores the current state of website security and the contributions Symantec is making to help organizations protect critical data and build trust with customers.
Reg Reader Research: SaaS based Email and Office Productivity Tools
Read this Reg reader report which provides advice and guidance for SMBs towards the use of SaaS based email and Office productivity tools.
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.