
Widespread Confickr/Downadup Worm Hard To Kill

Attack more dangerous in the potential of its scope and the way it was waged than the worm itself

It's one of the most massive worm outbreaks in years, with around 9 million infected machines during the past few days, but it's not what the Confickr/Downadup attack does that's so scary as much as how easily the worm spread and how difficult it is to eradicate.

Confickr/Downadup is nowhere near the scope of predecessor worms like Blaster, which hit 16 million at its peak, Slammer, CodeRed, or Love Letter, but its success has been confounding to security experts at a time when worms are considered passé and an ineffective way to make money in cybercrime.

Still, the attackers behind this worm infection -- which experts say will likely be rolled into the world's biggest botnet -- apparently have found a lucrative way to cash in on a worm. They devised a sophisticated method of spreading the worm, using not a standard email lure, but initially via the Microsoft MS08-067 vulnerability in Windows and subsequently infiltrating enterprise networks and spreading through open network shares, weak passwords, and removable storage devices, such as USB sticks.

"These guys were very creative. They combined so many techniques to get it out there to the masses," says Jay Chaudhry, CEO of Zscaler.

Their biggest victims have been the enterprise, not the typical home user, experts note. And that could mean millions of enterprise bots. "There's still no botnet activity. But that could easily change at any given moment," says Patrik Runald, chief security advisor for F-Secure, which has been watching the worm closely. "These millions of PCs try to connect to hundreds of Websites daily, and the people behind this could easily change the behavior of an infected computer if they wanted to."

How did enterprises fall for a worm? Security experts say poor patch management, antivirus software shortcomings, and lack of detection of outbound command and control traffic contributed to the worm's success. The good news here, however, is that because most of the infected machines are in the enterprise, the worm should ultimately be easier to clean up in the long run. "The fact that most of these machines are on corporate networks means it should be easier to more quickly deal with it as well," notes Randy Abrams, director of technical education at Eset.

So far, however, cleanup has been complicated due to the mix of infection vectors. Even patched systems are at risk. "Even if you have patched your network/computer for the MS08-067 vulnerability, you can still get infected by the network spreading through [admin passwords] or by USB memory sticks," F-Secure's Runald says. "To prevent this, you need an up-to-date antivirus product, but as the worm blocks access to many vendors' sites, it could be that your antivirus software doesn't have the latest update."

That's why the newly updated Microsoft Malicious Software Removal Tool (MSRT) has not been widely effective in cleaning up the worm-infested machines, he says. "The worm blocks access to Windows Update," Runald says.

Adds Zscaler's Chaudhry: "The worm itself is not a big deal. The whole system whereby [it infects machines]" and gathers bots is the big threat.
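As an added example (not from the article or from any vendor quoted in it), here is a triage heuristic over DNS or proxy logs for the behavior described above: hosts that contact hundreds of distinct sites a day while never reaching Windows Update or an antivirus update site. The log format, threshold, domain suffixes and sample lines are assumptions constructed for illustration.

```python
from collections import defaultdict

# Assumptions (not from the article): the log format, the threshold, and the
# domain suffixes. "av-vendor.example" is a placeholder for your AV vendor.
THRESHOLD = 100  # distinct domains per host per day ("hundreds ... daily")
UPDATE_SUFFIXES = ("windowsupdate.com", "update.microsoft.com", "av-vendor.example")


def is_update_domain(domain):
    """True if domain is, or is a subdomain of, a patch/AV update site."""
    return any(domain == s or domain.endswith("." + s) for s in UPDATE_SUFFIXES)


def suspicious_hosts(lines, threshold=THRESHOLD):
    """Flag (day, client) pairs that reach many distinct domains in a day
    but never successfully reach an update site on that day."""
    seen = defaultdict(set)   # (day, client) -> distinct non-update domains
    update_ok = set()         # (day, client) pairs with a successful update contact
    for line in lines:
        fields = line.split()
        if len(fields) != 4:  # skip blank or malformed records
            continue
        day, client, domain, status = fields
        domain = domain.lower().rstrip(".")
        key = (day, client)
        if is_update_domain(domain):
            if status == "OK":
                update_ok.add(key)
        else:
            seen[key].add(domain)
    return {k: len(v) for k, v in seen.items()
            if len(v) >= threshold and k not in update_ok}


def build_sample():
    """Constructed log lines: 'day client_ip domain status'."""
    log = []
    for i in range(250):   # many destinations, update site unreachable
        log.append(f"day-1 10.0.0.5 site{i}.example OK")
    log.append("day-1 10.0.0.5 www.windowsupdate.com FAIL")
    for i in range(300):   # equally busy, but updates work (e.g. a shared proxy)
        log.append(f"day-1 10.0.0.9 host{i}.example OK")
    log.append("day-1 10.0.0.9 www.windowsupdate.com OK")
    for i in range(5):     # quiet host with no update traffic: below threshold
        log.append(f"day-1 10.0.0.7 quiet{i}.example OK")
    log.append("malformed line")
    return log


if __name__ == "__main__":
    for (day, client), count in sorted(suspicious_hosts(build_sample()).items()):
        print(day, client, count)
```

A hit is a lead for investigation, not a verdict: tune the threshold to the network's baseline and confirm on the endpoint.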

Meanwhile, one of the largest spamming botnets today, Ozdok, is expanding its capabilities. Ozdok, which has 120,000 bots, is now collecting screenshots of its victims' machines, according to Joe Stewart, director of malware research for SecureWorks, which discovered thousands of screenshots on a crime server.

Stewart says capturing screenshots is nothing new for backdoor Trojans, but it's the first time a spamming botnet has been seen doing so. He says the spammers may be grabbing screenshots as a way to search for intellectual property or financial credentials.

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...
