"This makes it impossible and/or impractical for us good guys to shut them all down," acknowledged Hypponen in a blog entry. "The bad guys only need to predetermine one possible domain for tomorrow, register it, and set up a website, and they then gain access to all of the infected machines. Pretty clever." Even so, F-Secure has registered some of the possible hosting domains so that it can eavesdrop on the attackers and get an idea of the number of infected PCs.
Other security firms have tried to pre-empt hackers by registering domains that they may use, but with mixed results. Last November, FireEye Inc. tried to stay ahead of criminals operating the "Srizbi" botnet by registering several hundred domains being used to resurrect the infected PC army, but had to give up the game when it got too costly.
"We have registered a couple hundred domains," said Fengmin Gong, chief security content officer at FireEye, at the time. "But we made the decision that we cannot afford to spend so much money to keep registering so many [domain] names."
As soon as FireEye conceded, the hackers were able to reestablish communication with their bots.
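To make the asymmetry concrete, here is an added example written for this page (it is not code from F-Secure, FireEye or the worm itself): a hypothetical date-seeded domain generation algorithm with an assumed 250 names per day and a constructed seed, plus a simulation of the daily registration race between an operator who needs one name and a defender with a limited registration budget. The seed, TLD set, list length, and the assumption that every bot contacts every name in the day's list are illustrative choices, not Downadup's real algorithm or constants.

```python
"""Illustrative date-seeded DGA plus a registration-race simulation.

Hypothetical example written for this page.  It is NOT the Downadup/Conficker
algorithm: the seed, the TLD list, the 250-names-per-day size and the bot
behaviour below are constructed assumptions, not the worm's real constants.
"""
import hashlib
from datetime import date, timedelta

TLDS = ("com", "net", "org", "info", "biz")   # constructed TLD set
DOMAINS_PER_DAY = 250                          # assumed list length
SEED = b"illustrative-seed"                    # constructed, not the worm's
EXAMPLE_DAY = date(2009, 1, 15)                # arbitrary date for the demo
NEXT_DAY = EXAMPLE_DAY + timedelta(days=1)


def generate_domains(day: date, count: int = DOMAINS_PER_DAY) -> list[str]:
    """Return the candidate rendezvous domains a bot computes for `day`.

    Every infected host derives the same list from the date alone, which is
    why the operator can compute tomorrow's list today and register one name
    before any defender does.
    """
    domains = []
    for i in range(count):
        material = SEED + day.isoformat().encode() + i.to_bytes(2, "big")
        digest = hashlib.sha256(material).digest()
        label = "".join(chr(ord("a") + b % 26) for b in digest[:10])
        domains.append(f"{label}.{TLDS[digest[10] % len(TLDS)]}")
    return domains


def registration_race(day: date, bot_ids: list[str], defender_budget: int) -> dict:
    """Simulate one day of the race described in the article.

    The defender pre-registers (sinkholes) the first `defender_budget` names;
    the attacker then registers the first name still free.  Each bot walks
    the whole list and contacts every name that resolves (an assumption of
    this model), so a sinkhole sees every bot even when it cannot deny the
    attacker, while denial requires registering all `count` names.
    """
    domains = generate_domains(day)
    sinkholed = set(domains[:defender_budget])
    free = [d for d in domains if d not in sinkholed]
    attacker_domain = free[0] if free else None   # one unclaimed name suffices

    controlled, counted = set(), set()
    for bot in bot_ids:
        for d in domains:
            if d == attacker_domain:
                controlled.add(bot)        # bot reaches the operator's C2
            elif d in sinkholed:
                counted.add(bot)           # defender's sinkhole logs the bot

    return {
        "attacker_domain": attacker_domain,
        "attacker_registrations": 0 if attacker_domain is None else 1,
        "defender_registrations": len(sinkholed),
        "bots_controlled": len(controlled),
        "bots_counted_by_sinkhole": len(counted),
    }


if __name__ == "__main__":
    bots = [f"bot{i}" for i in range(20)]          # constructed bot population
    for budget in (0, 10, DOMAINS_PER_DAY):
        print(budget, registration_race(EXAMPLE_DAY, bots, budget))
```

Running the demo shows the two points the article makes. With a budget of 0 or 10 names the operator still controls every bot with a single registration, so denying the rendezvous means paying for all 250 names every day, which is the cost FireEye could not sustain against Srizbi. A budget of only 10, however, is already enough for the sinkhole to log every bot that walks the list, which is the headcount F-Secure is after with its partial registrations.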
It's not clear whether the hackers behind Downadup are building a botnet of their own, said Joe Stewart, a senior security researcher at SecureWorks Inc., in an interview today. For the moment, they seem satisfied feeding victims fake security software, which pesters users with pop-ups until they pay for the worthless program.
F-Secure's Hypponen, however, sounded worried about the possibility that machines infected with Downadup would be converted into bots. "It would make for one big badass botnet," he said.