Downadup Worm spreads to 3.5 Million Machines

added by Michael on 15 Jan 2009

A creative new worm takes advantage of a hole Microsoft patched in October of last year.

Too bad people don't update their machines. From InformationWeek.COM:

What makes this worm interesting is the ability its creators have put in place to update all of the infected machines each day. While most malware networks may have a few domains each infected machine will use to "call home" and get updates, the Downadup authors have created a system where an algorithm generates many different domains every day. Here's how F-Secure explained it in its blog post:

It uses a complicated algorithm which changes daily and is based on timestamps from public websites such as Google (NSDQ: GOOG).com and Baidu.com. With this algorithm, the worm generates many possible domain names every day.

Hundreds of names such as: qimkwaify .ws, mphtfrxs .net, gxjofpj .ws, imctaef .cc, and hcweu .org.

This makes it impossible and/or impractical for us good guys to shut them all down — most of them are never registered in the first place.

This means that the hackers who wrote the worm can register one of those domains, someday, and wait for the infected machines to contact them. When they do, they give the infected machine some code to run, and poof: instant and gigantic BotNet, ready to attack targets and send out spam.
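The defender's side of the scheme described above, as an added example that is not from the post or from F-Secure: once the generator is recovered, the day's candidate list can be computed ahead of time and matched against DNS query logs. The generator here is a constructed stand-in seeded with a fixed constant and the calendar date (the real worm used timestamps from public sites), and the log format is invented for the example.

```python
import hashlib
from datetime import date, timedelta

# Constructed, illustrative generator: NOT the worm's real algorithm.
TLDS = (".ws", ".net", ".cc", ".org")
SEED = b"hypothetical-seed"  # stands in for whatever constant the real DGA used


def daily_domains(day, count=250):
    """Candidate domains a date-seeded generator emits for `day`. A defender
    who has recovered the generator runs this ahead of time and can sinkhole
    or block the whole day's list before any of it is registered."""
    out = []
    for i in range(count):
        material = SEED + day.isoformat().encode() + i.to_bytes(2, "big")
        digest = hashlib.sha256(material).digest()
        length = 6 + digest[0] % 6                      # 6 to 11 letters
        label = "".join(chr(ord("a") + b % 26) for b in digest[1:1 + length])
        out.append(label + TLDS[digest[-1] % len(TLDS)])
    return out


def candidate_set(day, skew_days=1):
    """Union of the lists for `day` and its neighbours: infected hosts' clocks
    and the public timestamps they poll do not all agree on the date."""
    names = set()
    for delta in range(-skew_days, skew_days + 1):
        names.update(daily_domains(day + timedelta(days=delta)))
    return names


def flag_dga_queries(log_lines, day):
    """Return (line_number, name) for each DNS query hitting the candidate list.
    Constructed log format: '<timestamp> <client-ip> query <qtype> <name>'."""
    wanted = candidate_set(day)
    hits = []
    for n, line in enumerate(log_lines, start=1):
        parts = line.split()
        if len(parts) == 5 and parts[2] == "query" and parts[4].lower() in wanted:
            hits.append((n, parts[4].lower()))
    return hits


DAY = date(2009, 1, 15)
SAMPLE_LOG = [  # constructed: two benign lookups and one generated name
    "2009-01-15T10:03:11 10.0.0.7 query A www.google.com",
    "2009-01-15T10:03:12 10.0.0.7 query A " + daily_domains(DAY)[17],
    "2009-01-15T10:03:13 10.0.0.9 query A www.baidu.com",
]
```

The one-day skew window matters in practice: a host whose date source is off by a day polls the neighbouring day's list, and a detector keyed to a single date misses it.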