Feeds

Superworm seizes 9m PCs, 'stunned' researchers say

Downadup goes up and up

  • alert
  • submit to reddit

Combat fraud and increase customer satisfaction

Realm of Possibility

The number is "certainly within the realm of possibility," said Joe Stewart, a researcher with security provider SecureWorks, but he says it's still not clear whether the tally is counting some infected machines more than once, something that would cause the final count to be inflated. F-Secure representatives weren't immediately available to clarify.

The other mystery surrounding Downadup is the intentions of the people building the botnet. In early December, Royal's team at Damballa observed it interacting with a domain name that has strong ties to rogue anti-virus programs, which rake in big money installing malware that's disguised as legitimate security software.

But after security professionals managed to close down the domain name, Downadup has mainly laid low. A pseudo-random generator embedded into the malware causes infected machines to report to a different domain name each day. White hats have been able to sporadically track the botnet's moves by registering domain names ahead of the botmasters, but so far, they haven't observed the infected drones receiving instructions to spam, steal banking passwords, or carry out other nefarious actions typical of such networks.

"Given that there are new domain names generated everyday, the botmasters have an infinite number of chances to actually claim control of the botnet and direct it to do whatever they want whenever they want," said Royal. "Based on what we saw in the past, it seems likely they may try and push rogue anti-virus software on people's systems in the future, but of course, there's nothing that precludes them from doing something completely different."

For now, there's little the white hat world can do to turn the tide of infections. This month's malicious software removal tool from Microsoft included definitions designed to disinfect machines hit by the worm, but some researchers believe compromised PCs are unable to receive Microsoft updates, a measure that could largely neutralize the measure. Redmond has yet to share data on the its effectiveness.

That leaves law-abiding security researchers with few options other than to watch as more and more infected machines connect to a different server each day, patiently waiting for instructions from overlords who are believed to be located in eastern Europe.

"If somebody were more ambitious and willing to break the law, I'm sure they could host their own server and then push out disinfection code," said SecureWorks's Stewart. "There's a certain point where we have to stand back and we really can't cross the line. Sure, you could fix it to some extent, but at the risk of getting yourself in legal hot water." ®

SANS - Survey on application security programs

Whitepapers

Mobile application security study
Download this report to see the alarming realities regarding the sheer number of applications vulnerable to attack, as well as the most common and easily addressable vulnerability errors.
3 Big data security analytics techniques
Applying these Big Data security analytics techniques can help you make your business safer by detecting attacks early, before significant damage is done.
The benefits of software based PBX
Why you should break free from your proprietary PBX and how to leverage your existing server hardware.
Securing web applications made simple and scalable
In this whitepaper learn how automated security testing can provide a simple and scalable way to protect your web applications.
Combat fraud and increase customer satisfaction
Based on their experience using HP ArcSight Enterprise Security Manager for IT security operations, Finansbank moved to HP ArcSight ESM for fraud management.