Feeds

Superworm seizes 9m PCs, 'stunned' researchers say

Downadup goes up and up

  • alert
  • submit to reddit

Remote control for virtualized desktops

Realm of Possibility

The number is "certainly within the realm of possibility," said Joe Stewart, a researcher with security provider SecureWorks, but he says it's still not clear whether the tally is counting some infected machines more than once, something that would cause the final count to be inflated. F-Secure representatives weren't immediately available to clarify.

The other mystery surrounding Downadup is the intentions of the people building the botnet. In early December, Royal's team at Damballa observed it interacting with a domain name that has strong ties to rogue anti-virus programs, which rake in big money installing malware that's disguised as legitimate security software.

But after security professionals managed to close down the domain name, Downadup has mainly laid low. A pseudo-random generator embedded into the malware causes infected machines to report to a different domain name each day. White hats have been able to sporadically track the botnet's moves by registering domain names ahead of the botmasters, but so far, they haven't observed the infected drones receiving instructions to spam, steal banking passwords, or carry out other nefarious actions typical of such networks.

"Given that there are new domain names generated everyday, the botmasters have an infinite number of chances to actually claim control of the botnet and direct it to do whatever they want whenever they want," said Royal. "Based on what we saw in the past, it seems likely they may try and push rogue anti-virus software on people's systems in the future, but of course, there's nothing that precludes them from doing something completely different."

For now, there's little the white hat world can do to turn the tide of infections. This month's malicious software removal tool from Microsoft included definitions designed to disinfect machines hit by the worm, but some researchers believe compromised PCs are unable to receive Microsoft updates, a measure that could largely neutralize the measure. Redmond has yet to share data on the its effectiveness.

That leaves law-abiding security researchers with few options other than to watch as more and more infected machines connect to a different server each day, patiently waiting for instructions from overlords who are believed to be located in eastern Europe.

"If somebody were more ambitious and willing to break the law, I'm sure they could host their own server and then push out disinfection code," said SecureWorks's Stewart. "There's a certain point where we have to stand back and we really can't cross the line. Sure, you could fix it to some extent, but at the risk of getting yourself in legal hot water." ®

Secure remote control for conventional and virtual desktops

Whitepapers

Seattle children’s accelerates Citrix login times by 500% with cross-tier insight
Seattle Children’s is a leading research hospital with a large and growing Citrix XenDesktop deployment. See how they used ExtraHop to accelerate launch times.
How to determine if cloud backup is right for your servers
Two key factors, technical feasibility and TCO economics, that backup and IT operations managers should consider when assessing cloud backup.
Getting started with customer-focused identity management
Learn why identity is a fundamental requirement to digital growth, and how without it there is no way to identify and engage customers in a meaningful way.
Reg Reader Research: SaaS based Email and Office Productivity Tools
Read this Reg reader report which provides advice and guidance for SMBs towards the use of SaaS based email and Office productivity tools.
Beginner's guide to SSL certificates
De-mystify the technology involved and give you the information you need to make the best decision when considering your online security options.