Feeds

Superworm seizes 9m PCs, 'stunned' researchers say

Downadup goes up and up

  • alert
  • submit to reddit

SANS - Survey on application security programs

Realm of Possibility

The number is "certainly within the realm of possibility," said Joe Stewart, a researcher with security provider SecureWorks, but he says it's still not clear whether the tally is counting some infected machines more than once, something that would cause the final count to be inflated. F-Secure representatives weren't immediately available to clarify.

The other mystery surrounding Downadup is the intentions of the people building the botnet. In early December, Royal's team at Damballa observed it interacting with a domain name that has strong ties to rogue anti-virus programs, which rake in big money installing malware that's disguised as legitimate security software.

But after security professionals managed to close down the domain name, Downadup has mainly laid low. A pseudo-random generator embedded into the malware causes infected machines to report to a different domain name each day. White hats have been able to sporadically track the botnet's moves by registering domain names ahead of the botmasters, but so far, they haven't observed the infected drones receiving instructions to spam, steal banking passwords, or carry out other nefarious actions typical of such networks.

"Given that there are new domain names generated everyday, the botmasters have an infinite number of chances to actually claim control of the botnet and direct it to do whatever they want whenever they want," said Royal. "Based on what we saw in the past, it seems likely they may try and push rogue anti-virus software on people's systems in the future, but of course, there's nothing that precludes them from doing something completely different."

For now, there's little the white hat world can do to turn the tide of infections. This month's malicious software removal tool from Microsoft included definitions designed to disinfect machines hit by the worm, but some researchers believe compromised PCs are unable to receive Microsoft updates, a measure that could largely neutralize the measure. Redmond has yet to share data on the its effectiveness.

That leaves law-abiding security researchers with few options other than to watch as more and more infected machines connect to a different server each day, patiently waiting for instructions from overlords who are believed to be located in eastern Europe.

"If somebody were more ambitious and willing to break the law, I'm sure they could host their own server and then push out disinfection code," said SecureWorks's Stewart. "There's a certain point where we have to stand back and we really can't cross the line. Sure, you could fix it to some extent, but at the risk of getting yourself in legal hot water." ®

High performance access to file storage

More from The Register

next story
Obama allows NSA to exploit 0-days: report
If the spooks say they need it, they get it
Putin tells Snowden: Russia conducts no US-style mass surveillance
Gov't is too broke for that, Russian prez says
Snowden-inspired crypto-email service Lavaboom launches
German service pays tribute to Lavabit
Mounties always get their man: Heartbleed 'hacker', 19, CUFFED
Canadian teen accused of raiding tax computers using OpenSSL bug
Heartbleed exploit, inoculation, both released
File under 'this is going to hurt you more than it hurts me'
Arts and crafts store Michaels says 3 million credit cards exposed in breach
Meanwhile, Target investigators prepare for long process in nabbing hackers
Canadian taxman says hundreds pierced by Heartbleed SSL skewer
900 social insurance numbers nicked, says revenue watchman
prev story

Whitepapers

SANS - Survey on application security programs
In this whitepaper learn about the state of application security programs and practices of 488 surveyed respondents, and discover how mature and effective these programs are.
Combat fraud and increase customer satisfaction
Based on their experience using HP ArcSight Enterprise Security Manager for IT security operations, Finansbank moved to HP ArcSight ESM for fraud management.
The benefits of software based PBX
Why you should break free from your proprietary PBX and how to leverage your existing server hardware.
Top three mobile application threats
Learn about three of the top mobile application security threats facing businesses today and recommendations on how to mitigate the risk.
3 Big data security analytics techniques
Applying these Big Data security analytics techniques can help you make your business safer by detecting attacks early, before significant damage is done.