Slashdot Mirror


Downadup Worm — When Will the Next Shoe Drop?

alphadogg writes "The Downadup worm — also called Conficker — has now infected an estimated 10 million PCs worldwide, and security experts say they expect to see a dangerous second-stage payload dropped soon. 'It has the potential to infect about 30% of Windows systems online, a potential 300 to 350 million PCs,' says Don Jackson, director of threat intelligence in the counter threat unit at SecureWorks. The worm, first identified in November and suspected to have originated in the Ukraine, is quickly ramping up, and while Downadup today is not malicious in the sense of destroying files — its main trick is to block users from accessing antivirus sites to obtain updates to protect against it — the worm is capable of downloading second-stage code for darker purposes."

9 of 295 comments

  1. it's not hard by madcat2c · Score: 5, Informative

    Use a hardware router, use a real anti-virus program that actually publishes updates every day (Nod32 for me), and use a browser where you can kill anything that tries to auto install itself (Firefox, Chrome, etc).

    And don't forward or respond to chain emails!

  2. Re:Spyware, Adware, Antivirus, Don't use IE, Use a by Computershack · Score: 3, Informative

    When will Windows be ready for the desktop? Srsly.

    Microsoft patched this and issued the fix through Windows Update a month before the worm was even in existence. It's only stupid fucks who don't update their OS that've got infected.

    --
    I only please one person per day. Today is not your day. Tomorrow isn't looking good either. - Scott Adams
  3. Re:Keep spreading lies by Anonymous Coward · Score: 3, Informative

    Yeah as if a Microsoft website isn't going to show a bit of one-sidedness and in doing so leave out a metric ton of facts that don't exactly keep their product at best interest.

  4. Technical examination by Prune · Score: 5, Informative
    --
    "Politicians and diapers must be changed often, and for the same reason."
  5. Re:Keep spreading lies by Anonymous Coward · Score: 4, Informative

    I prefer this site, its facts are far more accurate ;-)

    Don't click that link!

  6. Re:Keep spreading lies by Anonymous Coward · Score: 5, Informative

    Be warned - in case you are tempted...

    This is a pretty ingenious script that

    • Opens up windows (or tabs, depending on how you open the link) as fast as your computer can - 100% CPU
    • Each window displays gay porn
    • Plays a loud sound "Hey everybody I'm looking at gay porno"
    • Behind the scenes it also copies the contents of your clipboard to this guy.

    It works in IE and Firefox. It is simply a page with an image, a flash movie, and a javascript that copies your clipboard to a field then 'submit()'s' the form, reloading the page.

    Very simple and bypasses popup blockers (at least the ones I have on).

    This has got to be a security hole in Firefox, both on the ability to open windows/tabs, and copying the clipboard.

    If you want to have a look, use:

    wget http://getthefacts.on.zoy.org/index.php

    WARNING: don't click on this link, just copy the wget command to a shell. Don't say I didn't warn you...

  7. Re:Could it be hijacked... by arkhan_jg · Score: 3, Informative

    According to this analysis, the writers anticipated the daily domain-generation algorithm it uses to check for updates being reverse engineered, and they put in additional protection so that it would only download code from the original authors - presumably using some kind of key signing.

    --
    Remember kids, it's all fun and games until someone commits wholesale galactic genocide.
  8. Re:Keep spreading lies by nog_lorp · Score: 3, Informative

    I don't know where you get your information, but

    Error: document.getElementsByTagName("textarea")[0].createTextRange is not a function
    Source File: javascript:%20document.getElementsByTagName("textarea")[0].focus();%20alert(document.getElementsByTagName("textarea")[0].createTextRange());%20void(0);
    Line: 1

    Yah know why? Because "Firefox doesn't let web sites access your clipboard directly. Flash does. The Flash guys consider it a feature, while the Firefox guys consider it a security hole in Flash"

  9. Re:Keep spreading lies by mlwmohawk · Score: 4, Informative

    Linux isn't perfect. There have been any number of security issues that would allow a knowledgeable hacker easy access.

    Depending on the methodology of access this is potentially true. There are philosophical differences between the development of Linux, BSD, and Windows.

    I've been around the industry for a while and I have seen firsthand the systemic differences. At Microsoft, things like adding executable code to TIFF images and metafiles are neither challenged nor audited. On Linux and FreeBSD the developers wouldn't even dream of doing something idiotic like that, and even if they do, there are legions of people who will scream bloody murder.

    Then there is the nefarious code purposefully put into Microsoft's proprietary code. Be it the NSA key, WGA, or other methodologies of accessing machines remotely. If these systems are in Windows, they WILL be exploited by external entities.