Widespread Confickr/Downadup Worm Hard To Kill

Attack more dangerous in the potential of its scope and the way it was waged than the worm itself

Dark Reading logo in a gray background | Dark Reading

It's one of the most massive worm outbreaks in years, with around 9 million infected machines during the past few days, but it's not what the Confickr/Downadup attack does that's so scary as much as how easily the worm spread and how difficult it is to eradicate.

Confickr/Downadup is nowhere near the scope of predecessor worms like Blaster, which hit 16 million at its peak, Slammer, CodeRed, or Love Letter, but its success has been confounding to security experts at a time when worms are considered pass and an ineffective way to make money in cybercrime.

Still, the attackers behind this worm infection -- which experts say will likely be rolled into the world's biggest botnet -- apparently have found a lucrative way to cash in on a worm. They devised a sophisticated method of spreading the worm, using not a standard email lure, but initially via the Microsoft MS08-067 vulnerability in Windows and subsequently infiltrating enterprise networks and spreading through open network shares, weak passwords, and removable storage devices, such as USB sticks.

"These guys were very creative. They combined so many techniques to get it out there to the masses," says Jay Chaudhry, CEO of Zscaler.

Their biggest victims have been the enterprise, not the typical home user, experts note. And that could mean millions of enterprise bots. "There's still no botnet activity. But that could easily change at any given moment," says Patrik Runald, chief security advisor for F-Secure, which has been watching the worm closely. "These millions of PCs try to connect to hundreds of Websites daily, and the people behind this could easily change the behavior of an infected computer if they wanted to."

How did enterprises fall for a worm? Security experts say poor patch management, antivirus software shortcomings, and lack of detection of outbound command and control traffic contributed to the worm's success. The good news here, however, is that because most of the infected machines are in the enterprise, the worm should ultimately be easier to clean up in the long run. "The fact that most of these machines are on corporate networks means it should be easier to more quickly deal with it as well," notes Randy Abrams, director of technical education at Eset.

So far, however, cleanup has been complicated due to the mix of infection vectors. Even patched systems are at risk. "Even if you have patched your network/computer for the MS08-067 vulnerability, you can still get infected by the network spreading through [admin passwords] or by USB memory sticks," F-Secure's Runald says. "To prevent this, you need an up-to-date antivirus product, but as the worm blocks access to many vendors' sites, it could be that your antivirus software doesn't have the latest update."

That's why the newly updated Microsoft Malicious Software Removal Tool (MSRT) has not been widely effective in cleaning up the worm-infested machines, he says. "The worm blocks access to Windows Update," Runald says.

Adds Zscaler's Chaudhry: "The worm itself is not a big deal. The whole system whereby [it infects machines]" and gathers bots is the big threat.

Meanwhile, one of the largest spamming botnets today, Ozdok, is expanding its capabilities. Ozdok, which has 120,000 bots, is now collecting screenshots of its victims' machines, according to Joe Stewart, director of malware research for SecureWorks, which discovered thousands of screenshots on a crime server.

Stewart says capturing screenshots is nothing new for backdoor Trojans, but it's the first time a spamming botnet has been seen doing so. He says the spammers may be grabbing screenshots as a way to search for intellectual property or financial credentials.

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message

About the Author

Kelly Jackson Higgins, Editor-in-Chief, Dark Reading

Kelly Jackson Higgins is the Editor-in-Chief of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise Magazine, Virginia Business magazine, and other major media properties. Jackson Higgins was recently selected as one of the Top 10 Cybersecurity Journalists in the US, and named as one of Folio's 2019 Top Women in Media. She began her career as a sports writer in the Washington, DC metropolitan area, and earned her BA at William & Mary. Follow her on Twitter @kjhiggins.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like


More Insights