Skip Links

Researchers wait for Downadup worm's second act

By Gregg Keizer, Computerworld
January 23, 2009 04:31 PM ET

Computerworld - The worm that's infected millions of Windows PCs is a "very well-engineered" piece of malware, according to one security expert. But researchers still have no clear idea what the hackers plan to do with the collection of computers they've compromised with "Downadup."

"This is a very well-engineered piece of software," said Alfred Huger , vice president of development at Symantec Corp. 's security response group. "It's very well thought out. Whoever wrote it, it's not their first time writing malware. It looks as if the author has had a great deal of experience writing software, and is fully versed in writing network-level code."

Downadup, also called "Conficker," has infected an estimated 6% of PCs worldwide . The worm spreads by exploiting a four-month-old vulnerability in Windows, by brute-force password attacks and by hitchhiking on USB devices like flash drives.

Huger was impressed by the technical chops of Downadup's maker, or makers. "The worm itself is very complex," he said. "At the byte level, it implements [things] in some novel ways." Compared to most malware, which Huger said is "written off the cuff," Downadup is downright elegant.

And effective. Most researchers, including those at Symantec, have said the worm is the most invasive seen in the last six years. "At a basic level, it tends to perform well, and that's helped it spread," said Huger.

But much more than hacker craft made Downadup a success, Huger maintained. Other elements, including timing, the countries at the top of the attack list and even software piracy rates contributed.

"They put this together in a very brief period of time," Huger said, referring to the spotting of the worm's first variant just three weeks after Microsoft issued an emergency patch .

The faster hackers can come up with an exploit and put it on the street, the better luck they usually have, for fewer users patch their machines in the first days or weeks after a vulnerability is fixed.

"Software piracy also plays a role," said Huger, noting that the countries that Symantec has seen Downadup at its most successful -- in China, for instance, the worm has accounted for nearly a quarter of all recent infections -- also have historically high rates of running counterfeit software. People running Windows illegally are believed to patch their machines less rigorously than users with legitimate copies, for fear that Microsoft's anti-piracy technology will detect and mark the operating system as stolen.

Patching habits have played a part, too, at least in keeping Downadup from infecting PCs through the bug Microsoft patched last October. "We feel that consumers in North America and western Europe are better educated about remaining patched," said Huger, pointing to the relatively low Downadup infection rates in those regions.

"Worms travel the path of least resistance," he added.

Although some researchers now say that Downadup seems to have peaked -- F-Secure Corp. Friday noted that its "growth...has been curbed" -- researchers remained worried about the next step in the attack.

Our Commenting Policies
Latest News
rssRss Feed
View more Latest News