Researchers wait for Downadup worm's second act

Security researchers at a loss as to what hackers plan to do with the massive Downadup botnet.

Symantec security development VP Alfred Huger

Symantec security development VP Alfred Huger

The worm that's infected millions of Windows PCs is a "very well-engineered" piece of malware, according to one security expert. But researchers still have no clear idea what the hackers plan to do with the collection of computers they've compromised with "Downadup."

"This is a very well-engineered piece of software," said Alfred Huger, vice president of development at Symantec's security response group. "It's very well thought out. Whoever wrote it, it's not their first time writing malware. It looks as if the author has had a great deal of experience writing software, and is fully versed in writing network-level code."

Downadup, also called "Conficker," has infected an estimated 6 percent of PCs worldwide . The worm spreads by exploiting a four-month-old vulnerability in Windows, by brute-force password attacks and by hitchhiking on USB devices like flash drives.

Huger was impressed by the technical chops of Downadup's maker, or makers. "The worm itself is very complex," he said. "At the byte level, it implements [things] in some novel ways." Compared to most malware, which Huger said is "written off the cuff," Downadup is downright elegant.

And effective. Most researchers, including those at Symantec, have said the worm is the most invasive seen in the last six years. "At a basic level, it tends to perform well, and that's helped it spread," said Huger.

"[Downadup creators] are trying to keep the other bad guys at bay...If they don't hurry up and [use] it, someone else will.

Symantec

But much more than hacker craft made Downadup a success, Huger maintained. Other elements, including timing, the countries at the top of the attack list and even software piracy rates contributed.

"They put this together in a very brief period of time," Huger said, referring to the spotting of the worm's first variant just three weeks after Microsoft issued an emergency patch .

The faster hackers can come up with an exploit and put it on the street, the better luck they usually have, for fewer users patch their machines in the first days or weeks after a vulnerability is fixed.

"Software piracy also plays a role," said Huger, noting that the countries that Symantec has seen Downadup at its most successful -- in China, for instance, the worm has accounted for nearly a quarter of all recent infections -- also have historically high rates of running counterfeit software. People running Windows illegally are believed to patch their machines less rigorously than users with legitimate copies, for fear that Microsoft's anti-piracy technology will detect and mark the operating system as stolen.

Join the newsletter!

Error: Please check your email address.

Tags wormdownadupmalware

More about ACTAMPF-SecureMicrosoftSymantec

Show Comments

Market Place