Conficker/Downadup is nowhere near the scope of predecessor worms like Blaster, which hit 16 million at its peak, Slammer, CodeRed, or Love Letter, but its success has been confounding to security experts at a time when worms are considered passé and an ineffective way to make money in cybercrime.
Still, the attackers behind this worm infection -- which experts say will likely be rolled into the world's biggest botnet -- apparently have found a lucrative way to cash in on a worm. They devised a sophisticated method of spreading it: rather than a standard email lure, the worm initially spread via the Microsoft MS08-067 vulnerability in Windows, then infiltrated enterprise networks and spread through open network shares, weak passwords, and removable storage devices, such as USB sticks.
"These guys were very creative. They combined so many techniques to get it out there to the masses," says Jay Chaudhry, CEO of Zscaler.
Their biggest victims have been the enterprise, not the typical home user, experts note. And that could mean millions of enterprise bots. "There's still no botnet activity. But that could easily change at any given moment," says Patrik Runald, chief security advisor for F-Secure, which has been watching the worm closely. "These millions of PCs try to connect to hundreds of Websites daily, and the people behind this could easily change the behavior of an infected computer if they wanted to."
How did enterprises fall for a worm? Security experts say poor patch management, antivirus software shortcomings, and lack of detection of outbound command and control traffic contributed to the worm's success. The good news here, however, is that because most of the infected machines are in the enterprise, the worm should ultimately be easier to clean up in the long run. "The fact that most of these machines are on corporate networks means it should be easier to more quickly deal with it as well," notes Randy Abrams, director of technical education at Eset.
So far, however, cleanup has been complicated due to the mix of infection vectors. Even patched systems are at risk. "Even if you have patched your network/computer for the MS08-067 vulnerability, you can still get infected by the network spreading through [admin passwords] or by USB memory sticks," F-Secure's Runald says. "To prevent this, you need an up-to-date antivirus product, but as the worm blocks access to many vendors' sites, it could be that your antivirus software doesn't have the latest update."
That's why the newly updated Microsoft Malicious Software Removal Tool (MSRT) has not been widely effective in cleaning up the worm-infested machines, he says. "The worm blocks access to Windows Update," Runald says.
Adds Zscaler's Chaudhry: "The worm itself is not a big deal. The whole system whereby [it infects machines]" and gathers bots is the big threat.
Meanwhile, one of the largest spamming botnets today, Ozdok, is expanding its capabilities. Ozdok, which has 120,000 bots, is now collecting screenshots of its victims' machines, according to Joe Stewart, director of malware research for SecureWorks, which discovered thousands of screenshots on a crime server.
Stewart says capturing screenshots is nothing new for backdoor Trojans, but it's the first time a spamming botnet has been seen doing so. He says the spammers may be grabbing screenshots as a way to search for intellectual property or financial credentials.