Feeds

Superworm seizes 9m PCs, 'stunned' researchers say

Downadup goes up and up

  • alert
  • submit to reddit

Using blade systems to cut costs and sharpen efficiencies

Realm of Possibility

The number is "certainly within the realm of possibility," said Joe Stewart, a researcher with security provider SecureWorks, but he says it's still not clear whether the tally is counting some infected machines more than once, something that would cause the final count to be inflated. F-Secure representatives weren't immediately available to clarify.

The other mystery surrounding Downadup is the intentions of the people building the botnet. In early December, Royal's team at Damballa observed it interacting with a domain name that has strong ties to rogue anti-virus programs, which rake in big money installing malware that's disguised as legitimate security software.

But after security professionals managed to close down the domain name, Downadup has mainly laid low. A pseudo-random generator embedded into the malware causes infected machines to report to a different domain name each day. White hats have been able to sporadically track the botnet's moves by registering domain names ahead of the botmasters, but so far, they haven't observed the infected drones receiving instructions to spam, steal banking passwords, or carry out other nefarious actions typical of such networks.

"Given that there are new domain names generated everyday, the botmasters have an infinite number of chances to actually claim control of the botnet and direct it to do whatever they want whenever they want," said Royal. "Based on what we saw in the past, it seems likely they may try and push rogue anti-virus software on people's systems in the future, but of course, there's nothing that precludes them from doing something completely different."

For now, there's little the white hat world can do to turn the tide of infections. This month's malicious software removal tool from Microsoft included definitions designed to disinfect machines hit by the worm, but some researchers believe compromised PCs are unable to receive Microsoft updates, a measure that could largely neutralize the measure. Redmond has yet to share data on the its effectiveness.

That leaves law-abiding security researchers with few options other than to watch as more and more infected machines connect to a different server each day, patiently waiting for instructions from overlords who are believed to be located in eastern Europe.

"If somebody were more ambitious and willing to break the law, I'm sure they could host their own server and then push out disinfection code," said SecureWorks's Stewart. "There's a certain point where we have to stand back and we really can't cross the line. Sure, you could fix it to some extent, but at the risk of getting yourself in legal hot water." ®

The smart choice: opportunity from uncertainty

More from The Register

next story
Yorkshire cops fail to grasp principle behind BT Fon Wi-Fi network
'Prevent people that are passing by to hook up to your network', pleads plod
HIDDEN packet sniffer spy tech in MILLIONS of iPhones, iPads – expert
Don't panic though – Apple's backdoor is not wide open to all, guru tells us
NEW, SINISTER web tracking tech fingerprints your computer by making it draw
Have you been on YouPorn lately, perhaps? White House website?
LibreSSL RNG bug fix: What's all the forking fuss about, ask devs
Blow to bit-spitter 'tis but a flesh wound, claim team
Black Hat anti-Tor talk smashed by lawyers' wrecking ball
Unmasking hidden users is too hot for Carnegie-Mellon
Attackers raid SWISS BANKS with DNS and malware bombs
'Retefe' trojan uses clever spin on old attacks to grant total control of bank accounts
Manic malware Mayhem spreads through Linux, FreeBSD web servers
And how Google could cripple infection rate in a second
Don't look, Snowden: Security biz chases Tails with zero-day flaws alert
Exodus vows not to sell secrets of whistleblower's favorite OS
prev story

Whitepapers

Seven Steps to Software Security
Seven practical steps you can begin to take today to secure your applications and prevent the damages a successful cyber-attack can cause.
Consolidation: The Foundation for IT Business Transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.
Designing a Defense for Mobile Applications
Learn about the various considerations for defending mobile applications - from the application architecture itself to the myriad testing technologies.
Build a business case: developing custom apps
Learn how to maximize the value of custom applications by accelerating and simplifying their development.
Consolidation: the foundation for IT and business transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.