[Updated on Jan 16: number of infected machines is now just under 9 million]
[Updated on Jan 14: number of infected machines is now 3,521,230, up 1 million from the previous day]
Downadup is one of those fascinating pieces of malware that connect to various web addresses to download and install a predefined executable, which could allow more malware to be loaded.
Where Downadup differs from other botnets is in the way it chooses, in a predetermined way, the names of the web addresses it will check on a particular day. Instead of a traditional list of preregistered web domains (e.g. evil1.com, evil2.com, etc.), Downadup has a complex algorithm that generates domain names which change daily, using timestamps from other public web sites to come up with names like "qimkwaify .ws, mphtfrxs .net, gxjofpj .ws, imctaef .cc, and hcweu .org."
While the good guys can examine the code and thus predict which domain names the worm will use on a given day, they cannot actually take control of the compromised machines that connect to those domains, as doing so would be considered illegal in many countries. So instead, they patiently waited and counted the number of machines connecting. The tally so far: almost 2.4 million machines infected by the Downadup worm.
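The predict-then-count approach described above, as an added Python example that is not from the original post or from F-Secure. `domains_for` is a hypothetical date-seeded generator standing in for the worm's real algorithm, and the log format and addresses are constructed for illustration.

```python
import hashlib
from datetime import date

TLDS = ["ws", "net", "cc", "org"]  # TLDs that appear in the post's sample names

def domains_for(day: date, count: int = 5) -> list[str]:
    """Hypothetical date-seeded generator; a stand-in, not Downadup's algorithm."""
    names = []
    for i in range(count):
        digest = hashlib.sha256(f"{day.isoformat()}:{i}".encode()).digest()
        length = 5 + digest[0] % 5  # labels of 5 to 9 letters
        label = "".join(chr(ord("a") + b % 26) for b in digest[1:1 + length])
        names.append(f"{label}.{TLDS[digest[31] % len(TLDS)]}")
    return names

def count_clients(log_lines: list[str], day: date) -> int:
    """Count distinct source IPs that looked up one of the day's predicted names."""
    predicted = set(domains_for(day))
    clients = set()
    for line in log_lines:
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines
        stamp, src_ip, qname = parts
        # DNS names are case-insensitive and may carry a trailing root dot
        if stamp == day.isoformat() and qname.lower().rstrip(".") in predicted:
            clients.add(src_ip)
    return len(clients)

def sample_log(day: date) -> list[str]:
    """Constructed lines in an assumed '<date> <client-ip> <query-name>' format."""
    d = domains_for(day)
    stamp = day.isoformat()
    return [
        f"{stamp} 192.0.2.10 {d[0]}",
        f"{stamp} 192.0.2.10 {d[1]}",             # same host again: counted once
        f"{stamp} 198.51.100.7 {d[2].upper()}.",  # normalised before matching
        f"{stamp} 203.0.113.5 www.example.com",   # ordinary lookup, ignored
        "malformed line",
    ]

if __name__ == "__main__":
    day = date(2009, 1, 16)
    print(domains_for(day))
    print("distinct clients:", count_clients(sample_log(day), day))
```

Counting distinct source addresses undercounts machines behind a shared NAT address and overcounts machines whose address changes, so a tally like this is an estimate.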
Src: How Big is Downadup? Very Big. | F-Secure Weblog
Update1: More than One million new infections | F-Secure Weblog
Update2: Worm infects 1.1M Windows PCs in 24 hours | ComputerWorld
Update3: Latest F-Secure Blog entry