Feeds

Superworm seizes 9m PCs, 'stunned' researchers say

Downadup goes up and up

  • alert
  • submit to reddit

Intelligent flash storage arrays

Realm of Possibility

The number is "certainly within the realm of possibility," said Joe Stewart, a researcher with security provider SecureWorks, but he says it's still not clear whether the tally is counting some infected machines more than once, something that would cause the final count to be inflated. F-Secure representatives weren't immediately available to clarify.

The other mystery surrounding Downadup is the intentions of the people building the botnet. In early December, Royal's team at Damballa observed it interacting with a domain name that has strong ties to rogue anti-virus programs, which rake in big money installing malware that's disguised as legitimate security software.

But after security professionals managed to close down the domain name, Downadup has mainly laid low. A pseudo-random generator embedded into the malware causes infected machines to report to a different domain name each day. White hats have been able to sporadically track the botnet's moves by registering domain names ahead of the botmasters, but so far, they haven't observed the infected drones receiving instructions to spam, steal banking passwords, or carry out other nefarious actions typical of such networks.

"Given that there are new domain names generated everyday, the botmasters have an infinite number of chances to actually claim control of the botnet and direct it to do whatever they want whenever they want," said Royal. "Based on what we saw in the past, it seems likely they may try and push rogue anti-virus software on people's systems in the future, but of course, there's nothing that precludes them from doing something completely different."

For now, there's little the white hat world can do to turn the tide of infections. This month's malicious software removal tool from Microsoft included definitions designed to disinfect machines hit by the worm, but some researchers believe compromised PCs are unable to receive Microsoft updates, a measure that could largely neutralize the measure. Redmond has yet to share data on the its effectiveness.

That leaves law-abiding security researchers with few options other than to watch as more and more infected machines connect to a different server each day, patiently waiting for instructions from overlords who are believed to be located in eastern Europe.

"If somebody were more ambitious and willing to break the law, I'm sure they could host their own server and then push out disinfection code," said SecureWorks's Stewart. "There's a certain point where we have to stand back and we really can't cross the line. Sure, you could fix it to some extent, but at the risk of getting yourself in legal hot water." ®

Top 5 reasons to deploy VMware with Tegile

Whitepapers

Choosing cloud Backup services
Demystify how you can address your data protection needs in your small- to medium-sized business and select the best online backup service to meet your needs.
Forging a new future with identity relationship management
Learn about ForgeRock's next generation IRM platform and how it is designed to empower CEOS's and enterprises to engage with consumers.
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.
Reg Reader Research: SaaS based Email and Office Productivity Tools
Read this Reg reader report which provides advice and guidance for SMBs towards the use of SaaS based email and Office productivity tools.
Storage capacity and performance optimization at Mizuno USA
Mizuno USA turn to Tegile storage technology to solve both their SAN and backup issues.