Downadup Worm Infects 1.1M Windows PCs in 24 Hours

djbaxter

Guest
Researcher: Worm Infects 1.1M Windows PCs in 24 Hours
by Gregg Keizer, Computerworld
Jan 15, 2009 11:29 am

The computer worm that exploits a months-old Windows bug has infected more than a million PCs in the past 24 hours, a security company said Wednesday.

Early Wednesday, Finnish security firm F-Secure Corp. estimated that 3.5 million PCs have been compromised by the "Downadup" worm, an increase of more than 1.1 million since Tuesday.

"[And] we still consider this to be a conservative estimate," said Sean Sullivan, a researcher at F-Secure, in an entry to the company's Security Lab blog. On Tuesday F-Secure said the worm had infected an estimated 2.4 million machines.

The worm, which several security companies have reported surging dramatically during the last few days, exploits a bug in the Windows Server service used by all supported versions of Microsoft's operating system, including Windows 2000, XP, Vista, Server 2003 and Server 2008.

Microsoft issued an emergency patch in late October, fixing the flaw with one of its rare "out of cycle" updates.

The soaring number of infections by Downadup -- also called "Conficker" by some security companies -- prompted Microsoft to add detection for the worm to its Malicious Software Removal Tool (MSRT), the anti-malware utility that the company updates and redistributes each month to Windows machines on Patch Tuesday. The MSRT scans for known malware, then scrubs the system of any it finds.

Like researchers at firms such as Symantec Corp. and Panda Security, Microsoft blamed lackadaisical patching for the infections. "A number of our customers have contacted our support team for assistance with containment in environments that were, largely, not patched when the worm was released," said Cristian Craioveanu and Ziv Mador, two researchers at Microsoft's Malware Protection Center, in a Tuesday blog entry. "Either security update MS08-067 was not installed at all or was not installed on all the computers."

...

Microsoft recommended that Windows users install the October update, then run the January edition of the MSRT to clean up compromised computers.

...more
 
Update with Preemptive Blocklist and More Downadup Numbers

Preemptive Blocklist and More Downadup Numbers
by Sean, F-Secure
Friday, January 16, 2009

We have an update on the number of infected computers.

Today's calculation is a total of 8,976,038 infections worldwide and 353,495 unique IP addresses.

That's quite a big difference compared to our last number -- there [is now] a follow up post... to explain the methodology.

Our post last Monday provided a preemptive Downadup domain blocklist.

A new list of potential domains for January 17th to the 31st is now available.
 
Oh my God! Every new day, every new dangerous virus. It's just incredible! Antivirus systems are not able to cope with it, 'cause threats are spreading too fast :(
 
I think what is most striking about this one (and other prominent worms and trojans in the past) is that the fix from Microsoft has been available for some time and simply hasn't been installed on many computers.

There's also an update which suggests this particular culprit may not be capable of fulfilling its intended purposes:

Virus spreads quickly, but may be a dud
By Andrew Vanacore
Sat., Jan. 17, 2009

Fortunately, however, [the virus] may be a dud.

Though computer bugs have become a common affliction, Finland-based F-Secure says a virus it has been tracking for the past several weeks has surged more rapidly through corporate networks than anything they have seen in years.

But the virus does not appear to be working as its designers intended... Instead, the virus is simply spreading to little effect, though it may still pose a threat to infected computers.

"The gang behind this worm haven't used it yet," F-Secure's chief research officer, Mikko Hypponen, said by phone. "But they could do anything they like with any of these machines at any time."

...more
 