Slashdot Mirror


Downadup Worm — When Will the Next Shoe Drop?

alphadogg writes "The Downadup worm — also called Conficker — has now infected an estimated 10 million PCs worldwide, and security experts say they expect to see a dangerous second-stage payload dropped soon. 'It has the potential to infect about 30% of Windows systems online, a potential 300 to 350 million PCs,' says Don Jackson, director of threat intelligence in the counter threat unit at SecureWorks. The worm, first identified in November and suspected to have originated in the Ukraine, is quickly ramping up, and while Downadup today is not malicious in the sense of destroying files — its main trick is to block users from accessing antivirus sites to obtain updates to protect against it — the worm is capable of downloading second-stage code for darker purposes."

16 of 295 comments

  1. Could it be hijacked... by TexVex · · Score: 3, Interesting

    If this thing is a malicious software delivery system, wouldn't it be possible to hijack it and have it download something that removes it?

    --
    Fun with Anagarams! LADS HOST, SHALT DOS. HAS DOLTS. AD SLOTHS, HATS SOLD. ASS HO, LTD.
    1. Re:Could it be hijacked... by Kifoth · · Score: 2, Interesting

      Good question... Since we know that the virus checks 250 formula-based URLs every day for 'updates,' what's to stop someone from registering one of the upcoming URLs and hosting code there that'll cause the virus to uninstall or cripple itself?
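      As an added defender-side example (not code from the thread or from any vendor), a heuristic over resolver logs: a host that walks through a daily list of generated domains, most of which nobody has registered, produces a burst of NXDOMAIN answers in a short window. The log format, the sample lines and the threshold are constructed for this example and would need tuning against real resolver data.

```python
import re
from collections import defaultdict

# Constructed sample resolver log (not from the original thread). Assumed
# line format: "<ISO timestamp> <client IP> <queried name> <rcode>".
SAMPLE_LOG = """\
2009-01-16T08:00:01 10.0.0.12 update.example-av.test NOERROR
2009-01-16T08:00:02 10.0.0.12 mail.internal.test NOERROR
2009-01-16T08:00:09 10.0.0.12 typo.exampel.test NXDOMAIN
2009-01-16T08:01:00 10.0.0.47 qzpxw.info NXDOMAIN
2009-01-16T08:01:01 10.0.0.47 lkrtvuy.biz NXDOMAIN
2009-01-16T08:01:02 10.0.0.47 wxhqbmn.com NXDOMAIN
2009-01-16T08:01:03 10.0.0.47 zzqvupe.org NXDOMAIN
2009-01-16T08:01:04 10.0.0.47 trmkvla.net NXDOMAIN
2009-01-16T08:01:05 10.0.0.47 pdjxyte.cc NXDOMAIN
2009-01-16T08:01:06 10.0.0.47 www.live.test NOERROR
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")


def parse_log(text):
    """Yield (day, client, name, rcode) tuples; lines that do not match are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, client, name, rcode = m.groups()
            yield ts[:10], client, name.lower().rstrip("."), rcode


def nxdomain_counts(text):
    """Number of distinct names per (day, client) that were answered NXDOMAIN."""
    seen = defaultdict(set)
    for day, client, name, rcode in parse_log(text):
        if rcode == "NXDOMAIN":
            seen[(day, client)].add(name)
    return {key: len(names) for key, names in seen.items()}


def flag_clients(text, threshold=5):
    """Return {(day, client): count} for clients at or above the threshold.

    A single typo (10.0.0.12) stays below the bar; a host resolving a run of
    unregistered, random-looking names (10.0.0.47) is flagged for triage.
    """
    return {k: n for k, n in nxdomain_counts(text).items() if n >= threshold}
```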

    2. Re:Could it be hijacked... by upuv · · Score: 3, Interesting

      Aside from the potential protections the virus may have against this...

      White hats have a few extra rules to contend with. Since going into someone's computer and changing stuff without their approval is illegal in most parts of the globe, the white hats would be just as guilty as the virus writer.

      God forbid the white hat actually makes a mistake and the cure is worse than the disease. An analogous problem occurred when Sony installed a rootkit that prevented people from breaking the law. Sony thought it was protecting its IP rights. What really happened was that Sony effectively gave complete and total access to anyone who wanted to do stuff on the computer. Sony got slapped hard for this and it cost them a bundle. Many people lost their jobs and the damage to personal computers around the world was rather staggering.

      So it's not as simple as someone taking over the comms with the virus and sending back a clean-up routine.

      ----
      As an aside: if or when the world comes to accept that white hats are allowed to attack viruses in this manner, we will see an almost instant response from the virus writers.

      A double payload mechanism would be very effective for example.
      1. Virus infects.
      2. 2nd payload is delivered and hides in stealth.
      3. White hat antivirus clears the first virus. As it would take time for the aggressive antivirus to be written, the 2nd payload could easily be delivered well in advance of the white hat action.
      4. 2nd payload is now on the hardware with no need to talk to command and control.

      That is just one possible vector change that would appear.

      ----

      More likely is that if white hats were given the go-ahead to attack, the "bad guys" would simply move to the next soft target. I suspect the next soft target to be the vast numbers of networked devices that are multiplying, all running Linux variations. Also, since next to no one ever updates the firmware on these appliances, once vulnerable they will remain forever vulnerable.

      ----
      So in the end, no, it's a BAD idea for the white hats to aggressively attack these things. It's an arms escalation that we simply don't need.

  2. Re:its not hard by Anonymous Coward · · Score: 1, Interesting

    Gotta say, it's pretty clever of the worm writer to rediscover the sneakernet as a malware infection vector. Though I'm curious as to why it just blocks anti-virus sites and not Windows updates? That'd make it almost impervious to fix by network.

  3. A small niggle... by rickb928 · · Score: 3, Interesting

    But it's "Ukraine", not "The Ukraine".

    At least, that's what Ukrainians say.

    Just sayin... And that's what the Ukrainian rocket scientist I know says also.

    --
    deleting the extra space after periods so i can stay relevant, yeah.
    1. Re:A small niggle... by feelbad_feelsgood · · Score: 2, Interesting

      If you wonder why people (esp. Americans) insist on referring to Ukraine as "The Ukraine," I believe the answer lies with the Parker Bros. board game "Risk". Its Wikipedia entry http://en.wikipedia.org/wiki/Risk_(game)#Territories doesn't say this, but I'm pretty sure older boards had a space that was not called Ukraine, but "The Ukraine". Corroboration from Seinfeld: http://www.seinfeldscripts.com/TheLabelMaker.html If you're wondering if Americans learned geography from any source more reliable than a board game, well, you already know the answer.

  4. Re:Why is it.. by troll8901 · · Score: 2, Interesting

    Too true. The original Internet worm had only 99 lines of source code, yet incorporated encryption, password guessing, vulnerability-injection, and so on.

    Except for a bug, I think the author was a genius - a true "hacker" in the original sense of the word.

    Of course, both viewpoints were presented by another guy, who included this incident in the last chapter of a book.

  5. Re:Keep spreading lies by Baseclass · · Score: 2, Interesting

    I love how Windows apologists always qualify their answers with "I like Linux too but...". It's a bit like saying "Some of my best friends are black but..."
    You're obviously an experienced Windows user and understand the importance of discretion when clicking links, installing software, etc.
    The difference is, Linux users don't have to exercise nearly as much caution. My wife and kids know nothing of what lies beneath their pretty GUIs, yet since upgrading every system in the house to Slackware (yes, upgrading), we've had no further issues involving malicious software.

    --
    ^^vv<><>BA
  6. Re:Keep spreading lies by Anonymous Coward · · Score: 1, Interesting

    Seeing as I was about to reboot to try out a live CD anyway, I went there.

    Other than seeing an ugly-ass background pic, it does nothing to my Linux system, running Firefox 3 with NoScript, Adblock Plus & Flashblock.

  7. Re:Keep spreading lies by blind+monkey+3 · · Score: 2, Interesting

    (MANDATORY) do not use Internet Explorer.
    as an example, this?
    Yes, December was last year so you can argue it is a year old....
    Your suggestions are good and will minimize risks. The UAC nagware needs to be addressed so that people don't get the urge to throw a brick through their "Windows" though.
    I am also a little nervous about the "don't need realtime anti-virus software" with Windows - I think that Windows security has been improved but it could do with some more improvements - hopefully Vista SP3 (AKA Windows 7) will do this - I haven't looked at it yet but sounds like it is addressing some major issues, if so, thank you Microsoft.
    [taunt]I still prefer my Debian systems though[/taunt].

    --
    BM3
  8. Re:what will it download? by Anonymous Coward · · Score: 5, Interesting

    One of the big areas hit by downadup is in the corporate world where PCs are "managed". A lot of those have not been patched and are infected already or probably will be soon. Once it gets a foothold behind a firewall, it uses multiple other strategies to spread - weak passwords, etc.

    In a lot of business environments, deleting files could be crippling because those oftentimes have people who don't back up their files, there isn't really a company policy, etc. It's bad enough when somebody loses a hard drive. Try having everyone "lose their hard drive".

    Another issue is this is the first time I have seen the infection attributed to a Russian-area site. Everywhere else it has been attributed to some one or some group in China.

    Regardless, one of the uses of a botnet is for cyber warfare. In this case the cat is out of the bag and people are watching it closely to see what it is going to do. But if the people who built this are sophisticated enough, or maybe this one spreads laterally and more stealthily than people have yet noticed, it could have a real purpose much more sinister than just deleting files or snagging MySpace passwords. Downadup could also just be a decoy.

    It's been said that the first clues that war is coming will be people's computers not working properly as infrastructure and services are knocked out. Anyone starting a war will want a crushing first blow and taking out files, doing DDoS, etc, would be typical.

    Not trying to scaremonger but obviously this thing is illicit and almost guaranteed malicious. It would be naive to disregard a government's hand in it.

  9. Re:its not hard by Anonymous Coward · · Score: 1, Interesting

    I believe it also blocks Windows Updates.

  10. Re:Keep spreading lies by gmagill · · Score: 2, Interesting

    Avast antivirus caught it for me (using Firefox)

  11. Re:It simply does not matter! by RAMMS+EIN · · Score: 2, Interesting

    Linux has a logo, and it's cute and cuddly, so I think that's all good. It's just nowhere to be seen.

    Computers (and embedded systems) coming with Linux carrying the penguin logo on their packaging, hardware that works with Linux and software that works with Linux (but what version of what distro?) carrying the penguin logo would be a start.

    The logo alone isn't enough. It would be great if it were out there, but people also need to know why they want it. Something like Compiz's spinning cubes works wonders here. The trick here is finding something that Linux does much better than the competition and that makes people go "wow" before their attention span runs out.

    And honestly, I think this is difficult. What I like about my distro of choice is that it lets me just _use_ my computer, without losing lots of time on maintenance. Updates, upgrades, software installation, hardware installation, it all Just Works. But how do you show that in 5 seconds and how many people will care, given that they probably virtually never do these things, anyway? The Worm of the Week doesn't bother me, but I think that goes for most people, too, even if their system does fall victim to it.

    Having said that, what really helps is raising awareness that there is a choice to be made. These days, you _can_ use a Mac and you _can_ run Linux or BSD, without isolating yourself from the rest of the computer-using world. And if you do, you will have to worry a lot less about the malicious software that is constantly attacking every computer on the Internet. If you choose Linux or BSD, you don't even have to buy a new computer. You can install it yourself or you can have your local wizkid do it for you. You can get free updates for life, you'll be free of artificial restrictions (you _can_ play the songs you bought on every device you own), and the effort of learning the new system doesn't have to be more than the effort of learning the next version of Windows.

    --
    Please correct me if I got my facts wrong.
  12. Re:It simply does not matter! by mlwmohawk · · Score: 2, Interesting

    People live in the most polluted places because that's where they live, that's where they work, that's where they play.

    Within reason, of course. When there is no place to go, they stay. However, history shows that where there are alternatives, people migrate to cleaner/better environments. The Navajo and Anasazi would pack up and leave a whole city and build a new one. In the 1800s people flocked to the west for a better life. Europeans flocked to the Americas for a cleaner/better life.

  13. What the mystic keeps people using Windows? by alukin · · Score: 2, Interesting

    Every time a new virus or worm hits about half of the PC world, I wonder what the mystic is that keeps people using Windows. I think it is a kind of mental disaster that may be compared to drug addiction. Is it market inertia? Is it some kind of world domination conspiracy of the American government? Or what could it be? People think that worms and viruses are normal for any computer, and no one from, e.g., Apple or the FOSS community bothers to explain that viruses and worms can live only in Windows.

    Who can explain why people are still buying that piece of crap?