Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


03:32 PM
Connect Directly

Widespread Confickr/Downadup Worm Hard To Kill

Attack more dangerous in the potential of its scope and the way it was waged than the worm itself

It's one of the most massive worm outbreaks in years, with around 9 million infected machines during the past few days, but it's not what the Confickr/Downadup attack does that's so scary as much as how easily the worm spread and how difficult it is to eradicate.

Confickr/Downadup is nowhere near the scope of predecessor worms like Blaster, which hit 16 million at its peak, Slammer, CodeRed, or Love Letter, but its success has been confounding to security experts at a time when worms are considered pass and an ineffective way to make money in cybercrime.

Still, the attackers behind this worm infection -- which experts say will likely be rolled into the world's biggest botnet -- apparently have found a lucrative way to cash in on a worm. They devised a sophisticated method of spreading the worm, using not a standard email lure, but initially via the Microsoft MS08-067 vulnerability in Windows and subsequently infiltrating enterprise networks and spreading through open network shares, weak passwords, and removable storage devices, such as USB sticks.

"These guys were very creative. They combined so many techniques to get it out there to the masses," says Jay Chaudhry, CEO of Zscaler.

Their biggest victims have been the enterprise, not the typical home user, experts note. And that could mean millions of enterprise bots. "There's still no botnet activity. But that could easily change at any given moment," says Patrik Runald, chief security advisor for F-Secure, which has been watching the worm closely. "These millions of PCs try to connect to hundreds of Websites daily, and the people behind this could easily change the behavior of an infected computer if they wanted to."

How did enterprises fall for a worm? Security experts say poor patch management, antivirus software shortcomings, and lack of detection of outbound command and control traffic contributed to the worm's success. The good news here, however, is that because most of the infected machines are in the enterprise, the worm should ultimately be easier to clean up in the long run. "The fact that most of these machines are on corporate networks means it should be easier to more quickly deal with it as well," notes Randy Abrams, director of technical education at Eset.

So far, however, cleanup has been complicated due to the mix of infection vectors. Even patched systems are at risk. "Even if you have patched your network/computer for the MS08-067 vulnerability, you can still get infected by the network spreading through [admin passwords] or by USB memory sticks," F-Secure's Runald says. "To prevent this, you need an up-to-date antivirus product, but as the worm blocks access to many vendors' sites, it could be that your antivirus software doesn't have the latest update."

That's why the newly updated Microsoft Malicious Software Removal Tool (MSRT) has not been widely effective in cleaning up the worm-infested machines, he says. "The worm blocks access to Windows Update," Runald says.

Adds Zscaler's Chaudhry: "The worm itself is not a big deal. The whole system whereby [it infects machines]" and gathers bots is the big threat.

Meanwhile, one of the largest spamming botnets today, Ozdok, is expanding its capabilities. Ozdok, which has 120,000 bots, is now collecting screenshots of its victims' machines, according to Joe Stewart, director of malware research for SecureWorks, which discovered thousands of screenshots on a crime server.

Stewart says capturing screenshots is nothing new for backdoor Trojans, but it's the first time a spamming botnet has been seen doing so. He says the spammers may be grabbing screenshots as a way to search for intellectual property or financial credentials.

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
Mobile Banking Malware Up 50% in First Half of 2019
Kelly Sheridan, Staff Editor, Dark Reading,  1/17/2020
Exploits Released for As-Yet Unpatched Critical Citrix Flaw
Jai Vijayan, Contributing Writer,  1/13/2020
Microsoft to Officially End Support for Windows 7, Server 2008
Kelly Sheridan, Staff Editor, Dark Reading,  1/13/2020
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
The Year in Security: 2019
This Tech Digest provides a wrap up and overview of the year's top cybersecurity news stories. It was a year of new twists on old threats, with fears of another WannaCry-type worm and of a possible botnet army of Wi-Fi routers. But 2019 also underscored the risk of firmware and trusted security tools harboring dangerous holes that cybercriminals and nation-state hackers could readily abuse. Read more.
Flash Poll
[Just Released] How Enterprises are Attacking the Cybersecurity Problem
[Just Released] How Enterprises are Attacking the Cybersecurity Problem
Organizations have invested in a sweeping array of security technologies to address challenges associated with the growing number of cybersecurity attacks. However, the complexity involved in managing these technologies is emerging as a major problem. Read this report to find out what your peers biggest security challenges are and the technologies they are using to address them.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2020-01-18
A memory usage vulnerability exists in Trend Micro Password Manager 3.8 that could allow an attacker with access and permissions to the victim's memory processes to extract sensitive information.
PUBLISHED: 2020-01-18
A RootCA vulnerability found in Trend Micro Password Manager for Windows and macOS exists where the localhost.key of RootCA.crt might be improperly accessed by an unauthorized party and could be used to create malicious self-signed SSL certificates, allowing an attacker to misdirect a user to phishi...
PUBLISHED: 2020-01-18
An arbitrary code execution vulnerability exists in the Trend Micro Security 2019 (v15) consumer family of products which could allow an attacker to gain elevated privileges and tamper with protected services by disabling or otherwise preventing them to start. An attacker must already have administr...
PUBLISHED: 2020-01-18
A Persistent Arbitrary Code Execution vulnerability exists in the Trend Micro Security 2020 (v160 and 2019 (v15) consumer familiy of products which could potentially allow an attacker the ability to create a malicious program to escalate privileges and attain persistence on a vulnerable system.
PUBLISHED: 2020-01-18
An issue was discovered in Amcrest Web Server 2.520.AC00.18.R 2017-06-29 WEB The login page responds with JavaScript when one tries to authenticate. An attacker who changes the result parameter (to true) in this JavaScript code can bypass authentication and achieve limited privileges (...