New Windows worm builds massive botnet

New worm a global threat with potential to do real damage, security researcher warns.

The worm exploiting a critical Windows bug that Microsoft patched with an emergency fix in late October is being used to build a new botnet, a security researcher said Monday.

Ivan Macalintal, a senior research engineer with Trend Micro, said that the worm, which his company has dubbed "Downad.a" -- it's called "Conficker.a" by Microsoft and "Downadup" by Symantec -- is a key component in a new botnet that criminals are creating.

"We think 500,000 is a ball park figure," said Macalintal when asked the size of the new botnet. "That's not as large as some, such as [the] Kraken [botnet], or Storm earlier, but it's still starting to grow."

Last week, Microsoft warned that the worm was behind a spike in exploits of a bug in the Windows Server service, which is used by the operating system to connect to network file and print servers. Microsoft patched the service with an emergency fix it issued Oct. 23, shortly after it discovered a small number of infected PCs in Southeast Asia.

However, the new worm is a global threat, said Macalintal. "This has real potential to do damage," he said. Trend Micro has spotted infected IP addresses on the networks of Internet service providers (ISPs) in the U.S., China, India, the Middle East, Europe and Latin America.

The worm first appeared about a week and a half ago, and began spreading in earnest just before Thanksgiving, he added.

Macalintal also said that it appears the botnet is being built by a new group of cyber-criminals, not one of the gangs that lost control of compromised computers when McColo, a California hosting company, was yanked off the Internet. When McColo went offline, crooks lost access to the command-and-control servers which gave marching orders to some of the world's biggest botnets, including "Srizbi" and "Rustock."

One result of the McColo takedown was a temporary slump in spam; some message security vendors said last week that they had seen a sharp increase in spam as the hackers managed to regain control of their botnets.

Security experts, including those at Trend Micro, are coordinating efforts, said Macalintal, to pass along their lists of worm-infected PCs to ISPs, who have been asked to contact the computers' owners and urge them to clean their machines of the worm.

"But that's an uphill climb," admitted Macalintal.

Users who haven't applied the emergency patch -- labeled MS08-067 by Microsoft -- should do so as soon as possible, Macalintal said.

More about: Microsoft, Sharp, Symantec, Trend Micro
References show all

Comments

Post new comment

The content of this field is kept private and will not be shown publicly.
Users posting comments agree to the Computerworld comments policy.
Login or register to link comments to your user profile, or you may also post a comment without being logged in.
Related Coverage
Related Whitepapers
Latest Stories
Community Comments
Tags: botnets, trend micro, worm
Whitepapers
All whitepapers
Sign up now to get free exclusive access to reports, research and invitation only events.
Featured Download
/downloads/product/20/adawarefree/

Lavasoft Ad-Aware Free

Ad-Aware Free has long been one of the most popular spyware killers on the planet, and with good reason. It's simple to use, does an ...

HP and IDG news, product videos and resources

Computerworld newsletter

Join the most dedicated community for IT managers, leaders and professionals in Australia