The Downadup worm, also called Conficker, has now infected an estimated 10 million PCs worldwide, and security experts say they expect to see a dangerous second-stage payload dropped soon.
"It has the potential to infect about 30% of Windows systems online, a potential 300 to 350 million PCs," says Don Jackson, director of threat intelligence in the counter threat unit at SecureWorks. The worm, first identified in November and suspected to have originated in Ukraine, is ramping up quickly. Downadup today is not malicious in the sense of destroying files; its main trick is to block users from reaching antivirus vendors' sites to obtain the updates that would protect against it. But the worm is capable of downloading second-stage code for darker purposes, and many experts anticipate that this could happen soon.
What that darker purpose might be is a source of speculation, but Jackson theorizes that it may well end up being "rogue antivirus malware" that demands the user buy it to eliminate the worm. "It's basically extortion," he says.
Like SecureWorks, IBM notes that it is the second-stage payload of the Downadup worm that is the source of concern. "Right now it's not destroying or stealing; it's just hanging out," comments Tom Cross, X-Force researcher in the IBM ISS division. "It's building its network of hosts."
While no one knows exactly what the stage-two payload will bring, one reason for the worm's somewhat slow but steady progress is its use of Windows "AutoRun" to copy itself through Windows file shares and USB tokens, Cross says.
"If it copies itself to a file share, and if the user clicks on a file, the user's computer will get infected," Cross says. "Even if the computer is patched, you can still get infected if you access one of the infected USB drives or file shares." Cross advises that AutoRun be disabled.
AutoRun is an additional propagation path on top of the worm's exploitation of the Windows RPC flaw disclosed last October, for which a patch is available; a patched machine is immune to that exploit but not to the AutoRun path. The worm also carries a password-cracker that guesses the passwords of administrative accounts on other computers, though very strong passwords should make that much harder, Cross says.
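The point Cross makes about patched machines deserves a concrete check: a fully patched PC still executes whatever an autorun.inf on a share or USB stick tells Explorer to run. The script below is an added example for this article, not code from Network World, SecureWorks or IBM ISS. It walks a mounted share, parses each autorun.inf tolerantly (binary padding, mixed-case keys, first occurrence of a key wins as with the Windows INI readers) and flags files whose directives launch a program or dress the AutoPlay entry up as Explorer's own "Open folder to view files" choice. The two sample autorun.inf contents, the directory names and the list of launcher patterns are constructed for the demo; they are not copies of the worm's file. It is a triage aid for shares you cannot yet trust, not a substitute for disabling AutoRun as Cross advises.

```python
"""Triage autorun.inf files found on a file share or removable drive.

Added example; not code from the article's sources. Sample inputs below
are constructed for the demonstration.
"""
import os
import re
import tempfile

# Directives that launch something when the volume is inserted or opened.
EXEC_KEYS = {"open", "shellexecute"}
# shell\<verb>\command=... runs when that verb is picked in the AutoPlay
# dialog or the drive's context menu.
SHELL_CMD = re.compile(r"^shell\\[^\\]+\\command$")
# Key names an INI reader would accept; anything else is treated as junk.
VALID_KEY = re.compile(r"^[a-z0-9_\\]+$")
# Heuristic launcher/extension list (an assumption, not exhaustive).
LAUNCHERS = re.compile(r"rundll32|regsvr32|cmd\.exe|wscript|cscript|"
                       r"\.exe\b|\.dll\b|\.scr\b|\.bat\b|\.com\b",
                       re.IGNORECASE)


def parse_autorun(data: bytes) -> dict:
    """Return the key/value pairs of the [autorun] section.

    Tolerates binary padding and mixed case; the first occurrence of a
    key wins, as it does with the Windows profile-string APIs.
    """
    text = data.decode("latin-1")  # every byte maps to one char; nothing is lost
    entries = {}
    in_autorun = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if not in_autorun or "=" not in line:
            continue
        key, _, value = line.partition("=")
        key = key.strip().lower()
        if VALID_KEY.match(key):          # junk lines fail this and are dropped
            entries.setdefault(key, value.strip())
    return entries


def assess(entries: dict) -> list:
    """List the reasons an autorun.inf deserves attention (empty = benign)."""
    reasons = []
    for key, value in entries.items():
        if key in EXEC_KEYS or SHELL_CMD.match(key):
            what = "launches a program" if LAUNCHERS.search(value) else "runs a command"
            reasons.append(f"{key}={value} {what} on AutoRun")
    # Wording the AutoPlay entry like the stock "open folder" choice is
    # social engineering; a driver CD has no need for it.
    if re.search(r"open\s+folder", entries.get("action", ""), re.IGNORECASE):
        reasons.append(f"action={entries['action']!r} mimics the stock Explorer prompt")
    return reasons


def scan_tree(root: str) -> list:
    """Walk a mounted share/drive; return [(path, reasons)] for flagged files."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower() != "autorun.inf":
                continue
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                reasons = assess(parse_autorun(fh.read()))
            if reasons:
                findings.append((path, reasons))
    return findings


# Constructed samples: a vendor driver CD (icon and label only) and a file
# that hides a rundll32 launch behind a shell32 folder icon and Explorer's
# own wording, padded with bytes that a naive line parser might choke on.
BENIGN = b"[autorun]\r\nicon=setup.exe,0\r\nlabel=Vendor Driver CD\r\n"
SUSPECT = (
    b"[AutoRun]\r\n"
    b"\x01\x02\xff\x00 padding bytes before the real directives \x7f\r\n"
    b"Action=Open folder to view files\r\n"
    b"Icon=%SystemRoot%\\system32\\shell32.dll,4\r\n"
    b"shellexecute=RunDLL32.EXE .\\RECYCLER\\payload.dll,DllEntry\r\n"
    b"UseAutoPlay=1\r\n"
)


def build_sample_share() -> str:
    """Create a throwaway tree with one benign and one suspect autorun.inf."""
    root = tempfile.mkdtemp(prefix="share_")
    os.makedirs(os.path.join(root, "driver_cd"))
    os.makedirs(os.path.join(root, "shared_docs"))
    with open(os.path.join(root, "driver_cd", "autorun.inf"), "wb") as fh:
        fh.write(BENIGN)
    with open(os.path.join(root, "shared_docs", "AUTORUN.INF"), "wb") as fh:
        fh.write(SUSPECT)
    return root


if __name__ == "__main__":
    for path, reasons in scan_tree(build_sample_share()):
        print(path)
        for reason in reasons:
            print("  -", reason)
```

Point `scan_tree` at a mounted share or removable drive instead of the constructed tree to use it for real. The parser deliberately does not use Python's `configparser`, which would reject the padded line; the Windows loader does not, and a scanner that is stricter than the thing it is protecting will miss exactly the files that matter.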
Comments (63)
Good story no joke
By Alex on January 23, 2009, 11:27 pm
Let's just hope that stage 2 won't be anything bad. And hopefully all the people that are searching into the cyber world will find out who did this. *Side question is there...
How to deal with malware forever
By Anonymous on January 24, 2009, 12:07 pm
If you replace your Windows with Ubuntu Linux Intrepid Ibex you will install an operating system that has had virtually no malware, and by its design is very unlikely...
Or...
By Anon on January 24, 2009, 7:41 pm
...you could just buy a Mac.
It's the perfect storm worm...
By Anonymous on January 24, 2009, 8:21 pm
And this perfect storm is waiting to fall on its victims.... http://kingofgng.com/eng/2009/01/23/conficker-the-perfect-storm-worm/
linux is the answer
By Anonymous on January 24, 2009, 10:25 pm
Macs are way too much money, not just for the computer but if you want any more software that will cost you $$$. The best solution is Linux.
I guess you didn't read the Linux vs Windows/IIS security resear
By Anonymous on January 24, 2009, 10:52 pm
I guess you didn't read the Linux vs Windows/IIS security research. A majority of compromised webservers are Linux webservers, and not what you would think. So...