Downadup Worm — When Will the Next Shoe Drop?

alphadogg writes "The Downadup worm — also called Conflicker — has now infected an estimated 10 million PCs worldwide, and security experts say they expect to see a dangerous second-stage payload dropped soon. 'It has the potential to infect about 30% of Windows systems online, a potential 300 to 350 million PCs,' says Don Jackson, director of threat intelligence in the counter threat unit at SecureWorks. The worm, first identified in November and suspected to have originated in the Ukraine, is quickly ramping up, and while Downadup today is not malicious in the sense of destroying files — its main trick is to block users from accessing antivirus sites to obtain updates to protect against it — the worm is capable of downloading second-stage code for darker purposes."

what will it download?

the worm is capable of downloading second-stage code for darker purposes."

So it might download vista?

Re:what will it download?

[hobbit]

while Downadup today is not malicious in the sense of destroying files

How quaint! The idea that someone might infect millions of PCs just to delete people's files is so 20th century.

Re:what will it download?

One of the big areas hit by downadup is in the corporate world where PCs are "managed". A lot of those have not been patched and are infected already or probably will be soon. Once it gets a foothold behind a firewall, it uses multiple other strategies to spread - weak passwords, etc.

In a lot of business environments, deleting files could be crippling because those often times have people who don't back up their files, there isn't really a company policy, etc. It's bad enough when somebody loses a hard drive. Try having everyone "lose their hard drive".

Another issue is this is the first time I have seen the infection attributed to a Russian-area site. Everywhere else it has been attributed to some one or some group in China.

Regardless, one of the uses of a botnet is for cyber warfare. In this case the cat is out of the bag and people are watching it closely to see what it is going to do. But if the people who built this are sophisticated enough, or maybe this one spreads laterally and more stealthily than people have yet noticed, it could have a real purpose much more sinister than just deleting files or snagging myspace passwords. Downadup could also just be a decoy.

It's been said that the first clues that war is coming will be people's computers not working properly as infrastructure and services are knocked out. Anyone starting a war will want a crushing first blow and taking out files, doing DDoS, etc, would be typical.

Not trying to scaremonger but obviously this thing is illicit and almost guaranteed malicious. It would be naive to disregard a government's hand in it.

Re:what will it download?

[Zadaz]

Well of course deleting files could be crippling. Which is exactly why it would be a stupid thing for a hull breach app to do.

A modern virus/trojan/worm/etc doesn't want to be noticed. It wants to be an available node to be sold to the highest bidder. Just like a biological virus it can't spread if it kills or incapacitates its host.

Deleting files was something a virus did back in the 80's because hackers didn't have much imagination. That's not to say a terrorist organization couldn't buy the next payload and send out a "secure reformat on boot" app, but it would be a massive waste of a resource (a massive botnet is incredibly powerful/valuable tool not to be thrown away) and a foolishly indiscriminate target, even for terrorists. In any case they'd have to outbid the ordinary criminals who want it to spam, hijack, DoS, keylog, skim and blackmail.

...[This] is the first time I have seen the infection attributed to a Russian-area site.

You really don't get out much, do you.

And now we rediscover

[causality]

And now we rediscover why monocultures don't work (and are generally not found) in nature.

Re:And now we rediscover

[Dzimas]

Hmm. Are you alluding to the dominance of computers or humans?

its not hard

[madcat2c]

Use a hardware router, use a real anti-virus program that actually publishes updates everyday (Nod32 for me), and use a browser where you can kill anything that tries to auto install itself (firefox, chrome, etc).

And don't forward or respond to chain emails!

You'll All Thank Me

[hksdot]

You'll all thank me when I deploy the second stage to install and run SETI@home and discover alien intelligence.

-Virus Author

Re:You'll All Thank Me

[philspear]

that then comes and kills us all before we advance enough to be a threat to them.

Right before that would happen, he'll deploy "stage three" by handing the aliens a USB drive...

Keep spreading lies

Windows is actually far more secure than Linux. Get the facts, people.

Re:Keep spreading lies

I prefer this site, its facts are far more accurate ;-)

Don't click that link!

Re:Keep spreading lies

Be warned - in case you are tempted...

This is a pretty ingenious script that

• Opens up windows (or tabs, depending on how you open the link) as fast as your computer can - 100% CPU
• Each window displays gay porn
• Plays a loud sound "Hey everybody I'm looking at gay porno"
• Behind the scenes it also copies the contents of your clipboard to this guy.

It works in IE and firefox. It is simply a page with an image, a flash movie, and a javascript that copies your clipboard to a field then 'submit()'s' the form, reloading the page.

Very simple and bypasses popup blockers (at least the ones I have on).

This has got to be a security hole in firefox, both on the ability to open windows/tabs, and copying the clipboard.

If you want to have a look, use:

wget http://getthefacts.on.zoy.org/index.php

WARNING: dont click on this link, just copy the wget command to a shell. Dont say I didn't warn you...

Re:Keep spreading lies

[Penguinshit]

It's a dickroll...

Re:Keep spreading lies

[jesser]

Firefox doesn't let web sites access your clipboard directly. Flash does. The Flash guys consider it a feature, while the Firefox guys consider it a security hole in Flash (or at least I do).

I bet the site is using Flash.

Re:Keep spreading lies

[danwesnor]

Free porn? SWEET!

Re:Keep spreading lies

[NeverVotedBush]

The both of you should probably add "that you know of".

The reality is that Linux boxes are highly prized. Their owners frequently have high speed connections and Linux can do all sorts of fun things.

Linux isn't perfect. There have been any number of security issues that would allow a knowledgeable hacker easy access. It all depends on if you kept your systems up to date and patched, didn't set up and allow unnecessary services, had a good firewall policy with a default deny/drop stance, etc.

Linux comes out of the box now pretty secure but it hasn't always. And individual user habits can also compromise a system. Add to that the fact that one of the big ways into a system now is through add-on things like flash and such, and the knowledge that there have been kernel bugs that let user applications get root with a single command (things like vmsplice), and there is a possibility that your Linux boxes are rooted and you just don't know it.

For the record, I run Linux almost exclusively and am no fan of Windows. But people need to understand that just running Linux is not a guarantee of safety. I'm also not questioning your capabilities. It's just that blanket statements about Linux security should probably be qualified.

Re:Keep spreading lies

[ozmanjusri]

They know to keep Windows up to date and run a scan at least once a week for any suspicious. They've also learned to not click on every fool link there is just because they can.

Why bother?

Linux is free, and it's easier to learn Linux than how to keep Windows clean.

Re:Keep spreading lies

[Spit]

A better counter is not to click links posted by anonymous idiots.

Re:Keep spreading lies

[mlwmohawk]

Linux isn't perfect. There have been any number of security issues that would allow a knowledgeable hacker easy access.

Depending on the methodology of access this is potentially true. There are philosophical differences between the development of Linux, BSD, and Windows.

I've been around the industry for a while and I have seen first hand the systemic differences. At Microsoft, things like adding executable code to TIFF images and metafiles is neither challenged nor audited. On Linux and FreeBSD the developers wouldn't even dream of doing something idiotic like that, and even if they do, there are legions of people who will scream bloody murder.

Then there is the nefarious code purposefully put into Microsoft's proprietary code. Be it the NSA key, WGA, or other methodologies of accessing machines remotely. If these systems are in Windows, they WILL be exploited by external entities.

Why is it..

[zmollusc]

.. that I can't get windows apps to do what i want without crashing, but it runs teh evil viruses perfectly?

Re:Why is it..

[nathan.fulton]

".. that I can't get windows apps to do what i want without crashing, but it runs teh evil viruses perfectly?"
Because there is a 100% correlation between a virus crashing and a virus writer's lost profit. With most legitimate software, a crash leaves only one practical option: keep using the crapware and hope it doesn't crash again.

Re:The sick truth.

[couchslug]

"If we were a proper country like Soviet Russia they would get the Siberian wolf blowjob by now."

Thanks to the internet, not only do I know that for some people that would not be a punishment,
but that others wish they were the wolf.

Technical examination

[Prune]

There's a more technical examination of the virus at https://forums.symantec.com/t5/Malicious-Code/Downadup-Small-Improvements-Yield-Big-Returns/ba-p/381717

Microsoft...

[ConceptJunkie]

"From where do you want to get pwned today?"

It's 2009... I can't believe we're still dealing with this crap in 2009.

Complacency is a disease

[David+Gerard]

A computer worm that spreads through low security networks, memory sticks, and PCs without the latest security updates is posing a growing threat to users blitheringly stupid enough to still think Windows is not ridiculously and unfixably insecure by design.

Despite many years' warnings that Microsoft regards security as a marketing problem and has only ever done the absolute minimum it can get away with, millions of users who click on any rubbish they see in the hope of pictures of female tennis stars having wardrobe malfunctions still fail to believe that taking Windows out on the Internet is like standing bent over in the street in downtown Gomorrah, naked, arse greased up and carrying a flashing neon sign saying "COME AND GET IT."

Microsoft cannot believe people have not applied the patch for the problem, just because they keep trying to use Windows Genuine Advantage to break legally-bought systems. "Don't they trust us?" asked marketing marketer Steve Ballmer.

Millions of smug Mac users and the four hundred smug Linux users pointed and laughed, having long given up trying to convince their Windows-using friends to see sense. "There's a reason the Unix system on Mac OS X is called Darwin," said appallingly smug Mac user Arty Phagge.

"It can't be stupid if everyone else runs it," said Windows user Joe Beleaguered, who had lost all his email, business files, MP3s and porn again. "Macs cost more than Windows PCs."

"Yes," said Phagge. "Yes, they do."

Ubuntu Linux developer Hiram Nerdboy frantically tried to get our attention about something or other, but we can't say we care.

It simply does not matter!

[erroneus]

It doesn't matter how bad and unsafe Windows is. Microsoft Windows is like the air. People are going to keep breathing it no matter who farted in the room. People live in the most polluted places because that's where they live, that's where they work, that's where they play. I could tell you all day long about this other place... with clean air, that's safe, that's stable and all that... and most people might be intrigued but very few will vacation there and even fewer will actually move there. This is how people work.

Linux needs an Apple logo before the masses will move to it.