Smokey's Security Weblog

veritas odium parit

Outbreak of the polymorphic worm Downadup aka Conficker aka Kido

Posted Jan 15, 2009

– Revision v1.00, Jan 16, 2009: The number of Downadup infections are skyrocketing based on F-Secure’s calculations. From an estimated 2.4 million infected machines to over 9 (nine) million during the last four days…
– Revision v1.01, Jan 16, 2009: Blog post updated for reason of actual occurances.
– Revision v1.02, Jan 17, 2009: Added worm symptoms and a link to the infection calculations performed by F-Secure.
– Revision v1.03, Jan 17, 2009: Added effective protection measures against the worm.
– Revision v1.04, Jan 23, 2009: Worm/malware removal/disinfection tools updated.
– Revision v1.05, Feb 08, 2009: OpenDNS/Kasperky Lab tracking and blocking services added.

The Downadup worm that exploits a months-old Windows bug/vulnerability has infected more than a million PCs in the past 24 hours, a security company said today. Aliases of the worm are Worm.Conficker [PCTools], W32.Downadup [Symantec], Net-Worm.Win32.Kido.ih [Kaspersky Lab], W32/Conficker.worm [McAfee], W32/Confick-A [Sophos], Worm:Win32/Conficker.A [Microsoft], Worm.Win32.Conficker [Ikarus]

Early Wednesday the in Finland-based security firm F-Secure Corp. estimated that 3.5 million PCs have been compromised by the “Downadup” worm, an increase of more than 1.1 million since Tuesday.

“[And] we still consider this to be a conservative estimate,” said Sean Sullivan, a researcher at F-Secure, in an entry to the company’s Security Lab blog. Yesterday, F-Secure said the worm had infected an estimated 2.4 million machines.

The worm, which several security companies have described as surging dramatically during the past few days, exploits a bug in the Windows Server service used by all supported versions of Microsoft Corp.’s operating system, including Windows 2000, XP, Vista, Server 2003 and Server 2008.

The worm disables system restore, blocks access to security websites, and downloads additional malware to infected machines.

The neat thing about Downadup is the way it “phones home”. As Mikko Hyppönen, chief research officer at anti-virus company F-Secure explains:

It uses a complicated algorithm which changes daily and is based on timestamps from public websites such as and With this algorithm, the worm generates many possible domain names every day. It concern hundreds of names such as: qimkwaify .ws, mphtfrxs .net, gxjofpj .ws, imctaef .cc, and hcweu .org. This makes it impossible and/or impractical to shut them all down — most of them are never registered in the first place. The bad guys only need to predetermine one possible domain for tomorrow, register it, and set up a website — and they then gain access to all of the infected machines.

Anybody can register one of the unused domains and gain access to all of the infected machines. Pretty dumb. However, everyone will sit by and watch the infections happen, because nobody can interfere: unauthorised use of a PC may even be illegal. It’s like watching a small child wandering onto a motorway….

Downadup can also spread by using an autorun file on a USB memory stick, so if you autorun thumb drives on an unpatched machine, you could be vulnerable.

Almost all the infections are of Windows XP machines and, as Microsoft notes, plenty of corporate customers (who are usually not using AutoUpdate) have been caught. F-Secure says:

“A very large part of that traffic is coming from corporate networks, through firewalls, proxies, and NAT routers. Meaning that one unique IP address that we see could very well be 2,000 infected workstations in real life.”

Either way, security experts are anxiously awaiting the attackers’ next move. They suspect a massive botnet is in the works, but so far the attackers haven’t completely tipped their hand. The mere infection of so many machines that could then be controlled by a third party indicates it is indeed a botnet-in-progress, according to Damballa, a computer security company devoted to disrupting botnets. “It’s a close call. If it has the potential for a remote, malicious third party to do whatever they want, that makes it a botnet,” says Paul Royal, chief scientist for the antibotnet company.

“Whoever is behind this is not ready to deploy his or her code just yet. Maybe they first need to figure out how to get their botnet controller to scale to handle [millions of] nodes,” Stewart, director of malware research for SecureWorks, notes.

One thing that is certain: The worm is spreading like wildfire, and its creators appear to be trying to beat the clock and infect as many machines as they can that haven’t yet patched for the Windows bug/vulnerability. The perpetrators have been cranking out new variants of the worm to evade detection, and, so far, its main mission has been pushing rogue antivirus software.

According to Damballa, Confickr/Downadup spreads fast like a Slammer, but this one has a command and control channel: “It propagates like a worm and can act like a bot. Perhaps it’s representative of a hybrid that may represent a new class of malware” rather than the social networking or email lures of old.

Urgent advice: users are strongly recommended to ensure their antivirus databases are up to date. A patch for the windows bug/vulnerability is available from Microsoft: It concern Microsoft Security Bulletin MS08-067 – Critical / Vulnerability in Server Service Could Allow Remote Code Execution (958644). Complete and effective protection measures against the worm at the end of this post.

Sources/references of this outbreak alert and background information:

Kaspersky Lab

Symptoms of the worm:–Win32.Worm.Downadup.Gen.html

Removal and disinfection tools:

Kaspersky Lab –
Symantec –

List of domains that are currently distributing the Downadup worm and its variants:

Complete/effective protection measures against the worm, apply all 3 measures:

1. Apply Microsoft patch MS08-067:
2. Provide the administrator account of the computer with a strong password (brute force dictionary attack against administrator password is used):
3. Completely disable the AutoRun function, this is a brutal but highly effective hack:

Free Support, Help and Assistance if your PC is infected by this worm and/or any other piece of malware:,5.0.html

Update Feb 08, 2009: OpenDNS/Kasperky Lab offer free tracking and blocking services.


January 15, 2009 - Posted by | Advisories, Alerts, Anti-Virus, Friends, Malware, News, Recommended External Security Related Links, Vulnerabilities | , , , , , , , , , , , , , , , , , , , , , , , , ,


  1. […] Computing and Preventing Malware Infections The current outbreak of the polymorphic worm Downadup, aka Conficker and Kido, and all its variants make very clear that many users don’t act in a responsable and secure way. After all, at the […]

    Pingback by Safe Computing and Preventing Malware Infections « Smokey’s Security Weblog | January 17, 2009 | Reply

  2. […] articles about these two worms qualifying them as “polymorphic worms” (example of an article presenting Kido & Conficker as polymorphic)… Actually this is not the case. Even if their versions have changed rapidly, and even if the […]

    Pingback by Connected to SecurActive» Blog Archive » Defend yourself against new threats: Conficker, polymorphic worms, 0 day attacks… | July 8, 2009 | Reply

  3. […] [12] Presentation of Kido & Conficker as polymorphic […]

    Pingback by SecurActive blog» Blog Archive » Defend yourself against new threats: Conficker, polymorphic worms, 0 day attacks… | March 17, 2010 | Reply

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s

%d bloggers like this: