
Downadup/Conficker spreading havoc

20 January 2009 by Gunthy
Filed under Malware + Windows

It’s been a while now that this worm has been spreading around on the Net, but apparently after all this time, it’s still out there, alive and kicking more than ever before.

Downadup is one of the nastiest worms I’ve seen in my professional history. Having quite the amount of hands-on experience with it myself, I can say that I haven’t seen such a persistent one before. And I’m not alone… F-Secure reported Friday in a blog post that they estimate the number of affected machines to be over 8 million. EIGHT MILLION!!! My god…

So what happened? Well, the worm seems to have been first detected in late September. Using a flaw in one of Windows’ services, which allowed it to brute-force account passwords, it spread rapidly. Once successful, it starts spreading itself through network shares, USB sticks and other computers affected by the same security hole. In late October, Microsoft released an emergency patch to fix the hole, but a lot of machines still remain unpatched and thus very vulnerable.

A lot of corporate networks got infected as the worm spread havoc using the exploit. It locked users out of their accounts by repeatedly guessing their passwords. Once on the machine, it starts securing the places it uses by removing all access rights to parts of the file system and registry, making it very hard to remove. Once your network is infected, your efforts to wipe out the worm feel like carrying water to the sea. Countermeasures like installing the MS-patch and updating your anti-virus solution do help, but seem to only slow down the spread. Use of USB sticks should definitely be heavily restricted or, if possible, banned completely.

To make things worse, the worm in some cases renders the infected computer useless, using methods like stopping services or using excessive bandwidth. Its ability to install third-party malware such as trojans and other viruses, which gives full control over the machine to the worm author(s), doesn’t help either.

I think we haven’t seen the last of this one yet. The biggest question, I think, is: if you ever get your network clean again, how can you be sure no remnants are left behind? After all, as with any virus or malware, can you ever be sure you are completely safe? I guess only time will tell…
