Downadup Worm Hits Over 3.5 Million Computers

The Downadup uses a complicated algorithm which changes daily and is based on timestamps from public websites such as Google.com and Baidu.com. The worm then generates many possible domain names every day.

Names such as: qimkwaify .ws, mphtfrxs .net, gxjofpj .ws, imctaef .cc, and hcweu .org. It would be impossible to shut them all down because there's just too many and most of them aren't even registered. The bad guys running the show only need to register one domain for the day, register it, and set up a website. From there they can gain access to all of the infected machines.

In order for the F-Secure Response Team to determine just how many machines are infected, they will register some of the possible domains and connect to the infected machines.

Right now the Response Team is seeing hundreds of thousands of unique IP addresses connecting to the domains they have registered. A large portion of that traffic is coming from corporate networks, through firewalls, proxies, and NAT routers. This clearly shows that one unique IP address can be connected to thousands of corporate machines.

All this could have been avoided if more users had patched the vulnerability in how Windows processes remote procedure call (RPC) requests by the Windows Server service. Microsoft issued a critical out-of-band patch, bulletin MS08-067, to fix this problem.

Microsoft Security Bulletin MS08-067: http://www.microso … S08-067.mspx

© 2009 PhysOrg.com