Slashdot Mirror

← Back to Stories (view on slashdot.org)

Downadup Worm — When Will the Next Shoe Drop?

Posted by timothy on from the it-looks-like-you're-using-windows dept.

alphadogg writes "The Downadup worm — also called Conflicker — has now infected an estimated 10 million PCs worldwide, and security experts say they expect to see a dangerous second-stage payload dropped soon. 'It has the potential to infect about 30% of Windows systems online, a potential 300 to 350 million PCs,' says Don Jackson, director of threat intelligence in the counter threat unit at SecureWorks. The worm, first identified in November and suspected to have originated in the Ukraine, is quickly ramping up, and while Downadup today is not malicious in the sense of destroying files — its main trick is to block users from accessing antivirus sites to obtain updates to protect against it — the worm is capable of downloading second-stage code for darker purposes."

4 of 295 comments (clear)

  1. Could it be hijacked... by TexVex · · Score: 3, Interesting

    If this thing is a malicious software delivery system, wouldn't it be possible to hijack it and have it download something that removes it?

    --
    Fun with Anagarams! LADS HOST, SHALT DOS. HAS DOLTS. AD SLOTHS, HATS SOLD. ASS HO, LTD.
    1. Re:Could it be hijacked... by upuv · · Score: 3, Interesting

      Aside from the potential protections the virus may have for this.

      White hats have a few extra rules to contend with. Since going into someones computer and changing stuff without there approval is illegal in most parts of the globe the white hats would be just as guilty as the virus writer.

      God forbid the white hat actually makes a mistake and the cure is worse than the disease. An analogous problem occurred when Sony installed a root kit that prevented people from breaking the law. Sony thought it was protecting it's IP rites. What really happened was that Sony effectively gave complete and total access to any one who wanted to do stuff on the computer. Sony got slapped hard for this and it cost them a bundle. Many people lost there jobs and the damage to personal computers around the world was rather staggering.

      So it's not as simple as someone taking over the comms with the virus and sending back clean up routine.

      ----
      As an aside. If or when the world comes to accept that white hats are allowed to attack virus in this manor we will see an almost instant response from the virus writers.

      A double payload mechanism would be very effective for example.
      1. Virus infects.
      2. 2nd payload is delivered and hides in stealth.
      3. white hat antivirus clears first virus. As it would take time for the aggressive anti virus to be written. The 2nd payload could easily be delivered well in advance of the white hat action.
      4. 2nd payload is now on the hardware with no need to talk to command and control.

      That is just one possible vector change that would appear.

      ----

      More likely is that if white hats where given the go ahead to attack. The "Bad guys" would simply move to the next soft target. I suspect the next soft target to be the vast numbers of networked devices that are multiplying all running Linux variations. Also since next to no one ever updates the firmware on these appliances once vulnerable they will remain for ever vulnerable.

      ----
      So in the end no it's a BAD idea for the white hats to aggressively attack these things. It's an arms escalation that we simply don't need.

  2. A small niggle... by rickb928 · · Score: 3, Interesting

    But it's "Ukraine", not "The Ukraine".

    At least, that's what Ukrainians say.

    Just sayin... And that's what the Ukrainian rocket scientist I know says also.

    --
    deleting the extra space after periods so i can stay relevant, yeah.
  3. Re:what will it download? by Anonymous Coward · · Score: 5, Interesting

    One of the big areas hit by downadup is in the corporate world where PCs are "managed". A lot of those have not been patched and are infected already or probably will be soon. Once it gets a foothold behind a firewall, it uses multiple other strategies to spread - weak passwords, etc.

    In a lot of business environments, deleting files could be crippling because those often times have people who don't back up their files, there isn't really a company policy, etc. It's bad enough when somebody loses a hard drive. Try having everyone "lose their hard drive".

    Another issue is this is the first time I have seen the infection attributed to a Russian-area site. Everywhere else it has been attributed to some one or some group in China.

    Regardless, one of the uses of a botnet is for cyber warfare. In this case the cat is out of the bag and people are watching it closely to see what it is going to do. But if the people who built this are sophisticated enough, or maybe this one spreads laterally and more stealthily than people have yet noticed, it could have a real purpose much more sinister than just deleting files or snagging myspace passwords. Downadup could also just be a decoy.

    It's been said that the first clues that war is coming will be people's computers not working properly as infrastructure and services are knocked out. Anyone starting a war will want a crushing first blow and taking out files, doing DDoS, etc, would be typical.

    Not trying to scaremonger but obviously this thing is illicit and almost guaranteed malicious. It would be naive to disregard a government's hand in it.