Downadup/Conficker Worm Becoming an Epidemic

Source: Tom's Guide US

The Downadup worm is striking back, and its assault has affected 10 million PCs this week alone.

The National Cyber Security Alliance issued a warning this afternoon, revealing that a complex computer worm known as Downadup, also known as Conficker, has not only infected corporate networks but also managed to infect more than 10 million computers this week. Naturally, the worm focuses on Microsoft Windows and gains access to networks by guessing corporate passwords. Once a password is cracked, the worm infects the computer and the entire network of servers it is connected to; it even infects connected USB sticks. Unfortunately, the worm is extremely difficult to remove, especially when it resides within a network.

To fight against the worm infestation, the NCSA says that consumers need to install a patch from Microsoft (released in October to fix a vulnerability in the Microsoft Server service) as well as use long, difficult passwords that cannot be deciphered. "This extremely explosive worm outbreak shows that we all need to constantly keep our defenses up," said Michael Kaiser, executive director of The National Cyber Security Alliance. "The best way computer users can protect themselves is to use the most-up-to-date operating systems, anti-virus, firewall and spyware software, in addition to employing secure behaviors such as using complex passwords."

The NCSA said that consumers should not only change passwords immediately, but do so every 90 days. Passwords should contain at least eight characters, using upper case and lower case letters as well as numbers and symbols. Consumers should avoid using common words and personal information (birth date, child's name, etc.), and refrain from storing the passwords in a document on the computer.

Last week, F-Secure distributed a press release warning consumers to make sure that antivirus software is up-to-date, to turn off AUTORUN and AUTOPLAY for USB sticks, and restrict USB stick usage. Consumers and corporations should also block unnecessary traffic at firewalls.

"Downadup uses several different methods to spread," the company explained. "These include using the recently patched vulnerability in Windows Server Service, guessing network passwords and infecting USB sticks. As an end result, once the malware gains access to the inside of a corporate network, it can be unusually hard to eradicate fully."

Problems resulting from infection include locking out network users from their accounts while the worm attempts to crack network passwords by brute force (guessing). The worm sets access rights on the files and registry keys it uses, thereby preventing users from removing or changing them. It also downloads modified versions of itself from a long list of websites (with names generated by an algorithm based on current date and time) and blocks access to multiple domains, including Microsoft. But the biggest threat is its ability to download and install additional malware from malicious websites, handing complete control of the user's PC over to the worm authors.
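
The account lockouts described above are a symptom defenders can alert on. The following is an added example, not from the article or from F-Secure: it flags any host that locks out several distinct accounts within a short window. The log format, host names and thresholds are constructed assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample: "timestamp,locked_account,caller_host" rows, as might be
# exported from domain-controller account-lockout events. Not real data.
SAMPLE_LOCKOUTS = """\
2009-01-16T09:00:05,alice,WKS-014
2009-01-16T09:00:09,bob,WKS-014
2009-01-16T09:00:12,carol,WKS-014
2009-01-16T09:00:20,dave,WKS-014
2009-01-16T09:00:31,erin,WKS-014
2009-01-16T09:12:44,frank,WKS-022
2009-01-16T11:30:02,frank,WKS-022
2009-01-16T14:05:10,alice,WKS-031
"""

def parse_lockouts(text):
    """Yield (time, account, caller_host) tuples from the CSV-like rows."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, account, host = line.split(",")
        yield datetime.fromisoformat(ts), account, host

def suspicious_hosts(events, window=timedelta(minutes=5), min_accounts=4):
    """Return {host: accounts} for hosts that locked out at least
    `min_accounts` distinct accounts inside one sliding `window`."""
    recent = defaultdict(deque)   # host -> deque of (time, account)
    flagged = {}
    for when, account, host in sorted(events):
        q = recent[host]
        q.append((when, account))
        # Drop lockouts that have aged out of the window for this host.
        while q and when - q[0][0] > window:
            q.popleft()
        accounts = {a for _, a in q}
        # One user mistyping a password locks one account; a password-guessing
        # host locks many different accounts in quick succession.
        if len(accounts) >= min_accounts:
            flagged.setdefault(host, set()).update(accounts)
    return {h: sorted(a) for h, a in flagged.items()}

if __name__ == "__main__":
    for host, accounts in suspicious_hosts(parse_lockouts(SAMPLE_LOCKOUTS)).items():
        print(f"{host}: {len(accounts)} accounts locked out: {', '.join(accounts)}")
```

Counting distinct accounts per source host, rather than total lockouts, keeps a single user who repeatedly mistypes a password from triggering the alert.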

According to F-Secure, the worm has infected over one million PCs in the last 24 hours, totaling up to a whopping 3.52 machines (a conservative estimate); infected machines total between 2.4 million and 8.9 million PCs in the last four days.

Microsoft originally addressed the worm back in October and released an emergency patch to address the Server service issue; however, many systems remain unprotected, mostly PCs running Windows XP and older versions, deemed "potentially wormable." The infection rate is alarming, and has companies such as F-Secure on red alert.

"The situation with Downadup is not getting better. It's getting worse," said F-Secure's Toni Koivunen in a blog post Friday.

Microsoft, on the other hand, says that consumers should update its Malicious Software Removal Tool and scan all files for the Conficker/Downadup worm.

Comments

Silluete 01/19/2009 10:03 PM

oh my, time to update my avg to pro i think

ckthecerealkiller 01/20/2009 12:50 PM

Hahahahaha, F-Secure. But seriously, I'm glad the place I work at is on top of things. We pushed the update the night of the release.

m3kt3k 01/20/2009 2:27 AM

HMMM An update released in October and people still get infected.. COMON is so friggen hard to hit that little update shield. /sigh

engrpiman 01/20/2009 5:38 AM

The company I work at seems to use free antivirus software. I hope they are forced to update. Then again, their main system is running on a 20-year-old Unix server.

Anonymous 03/29/2009 9:49 PM

Time to switch to Mac. :-)

greg m 04/10/2009 2:54 PM

It's quite an impressive worm as it goes, even updates itself.

If you don't have the common sense to keep your computer secure then you shouldn't be online in the first place ;)

Avast Anti-virus with Comodo is your best bet for protection for the average home user ;)