Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


03:32 PM
Connect Directly

Widespread Confickr/Downadup Worm Hard To Kill

Attack more dangerous in the potential of its scope and the way it was waged than the worm itself

It's one of the most massive worm outbreaks in years, with around 9 million infected machines during the past few days, but it's not what the Confickr/Downadup attack does that's so scary as much as how easily the worm spread and how difficult it is to eradicate.

Confickr/Downadup is nowhere near the scope of predecessor worms like Blaster, which hit 16 million at its peak, Slammer, CodeRed, or Love Letter, but its success has been confounding to security experts at a time when worms are considered pass and an ineffective way to make money in cybercrime.

Still, the attackers behind this worm infection -- which experts say will likely be rolled into the world's biggest botnet -- apparently have found a lucrative way to cash in on a worm. They devised a sophisticated method of spreading the worm, using not a standard email lure, but initially via the Microsoft MS08-067 vulnerability in Windows and subsequently infiltrating enterprise networks and spreading through open network shares, weak passwords, and removable storage devices, such as USB sticks.

"These guys were very creative. They combined so many techniques to get it out there to the masses," says Jay Chaudhry, CEO of Zscaler.

Their biggest victims have been the enterprise, not the typical home user, experts note. And that could mean millions of enterprise bots. "There's still no botnet activity. But that could easily change at any given moment," says Patrik Runald, chief security advisor for F-Secure, which has been watching the worm closely. "These millions of PCs try to connect to hundreds of Websites daily, and the people behind this could easily change the behavior of an infected computer if they wanted to."

How did enterprises fall for a worm? Security experts say poor patch management, antivirus software shortcomings, and lack of detection of outbound command and control traffic contributed to the worm's success. The good news here, however, is that because most of the infected machines are in the enterprise, the worm should ultimately be easier to clean up in the long run. "The fact that most of these machines are on corporate networks means it should be easier to more quickly deal with it as well," notes Randy Abrams, director of technical education at Eset.

So far, however, cleanup has been complicated due to the mix of infection vectors. Even patched systems are at risk. "Even if you have patched your network/computer for the MS08-067 vulnerability, you can still get infected by the network spreading through [admin passwords] or by USB memory sticks," F-Secure's Runald says. "To prevent this, you need an up-to-date antivirus product, but as the worm blocks access to many vendors' sites, it could be that your antivirus software doesn't have the latest update."

That's why the newly updated Microsoft Malicious Software Removal Tool (MSRT) has not been widely effective in cleaning up the worm-infested machines, he says. "The worm blocks access to Windows Update," Runald says.

Adds Zscaler's Chaudhry: "The worm itself is not a big deal. The whole system whereby [it infects machines]" and gathers bots is the big threat.

Meanwhile, one of the largest spamming botnets today, Ozdok, is expanding its capabilities. Ozdok, which has 120,000 bots, is now collecting screenshots of its victims' machines, according to Joe Stewart, director of malware research for SecureWorks, which discovered thousands of screenshots on a crime server.

Stewart says capturing screenshots is nothing new for backdoor Trojans, but it's the first time a spamming botnet has been seen doing so. He says the spammers may be grabbing screenshots as a way to search for intellectual property or financial credentials.

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
Attackers Leave Stolen Credentials Searchable on Google
Kelly Sheridan, Staff Editor, Dark Reading,  1/21/2021
How to Better Secure Your Microsoft 365 Environment
Kelly Sheridan, Staff Editor, Dark Reading,  1/25/2021
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: We need more votes, check the obituaries.
Current Issue
2020: The Year in Security
Download this Tech Digest for a look at the biggest security stories that - so far - have shaped a very strange and stressful year.
Flash Poll
Assessing Cybersecurity Risk in Today's Enterprises
Assessing Cybersecurity Risk in Today's Enterprises
COVID-19 has created a new IT paradigm in the enterprise -- and a new level of cybersecurity risk. This report offers a look at how enterprises are assessing and managing cyber-risk under the new normal.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2021-01-26
KLog Server through 2.4.1 allows authenticated command injection. async.php calls shell_exec() on the original value of the source parameter.
PUBLISHED: 2021-01-26
The ftpd gem 0.2.1 for Ruby allows remote attackers to execute arbitrary OS commands via shell metacharacters in a LIST or NLST command argument within FTP protocol traffic.
PUBLISHED: 2021-01-26
SmartAgent 3.1.0 allows a ViewOnly attacker to create a SuperUser account via the /#/CampaignManager/users URI.
PUBLISHED: 2021-01-26
NVIDIA Jetson AGX Xavier Series, Jetson Xavier NX, TX1, TX2, Nano and Nano 2GB, L4T versions prior to 32.5, contains a vulnerability in the apply_binaries.sh script used to install NVIDIA components into the root file system image, in which improper access control is applied, which may lead to an un...
PUBLISHED: 2021-01-26
NVIDIA Tegra kernel in Jetson AGX Xavier Series, Jetson Xavier NX, TX1, TX2, Nano and Nano 2GB, all L4T versions prior to r32.5, contains a vulnerability in the INA3221 driver in which improper access control may lead to unauthorized users gaining access to system power usage data, which may lead to...