The largest corporate malware outbreak in more than seven years may be affecting organizations that are fully patched, researchers said Friday.
Nearly nine million machines worldwide have been infected with the Downadup, or Conficker, worm — including some 6.5 million in the past four days alone, said Mikko Hypponen, the chief research officer of anti-virus firm F-Secure. That makes this the biggest corporate virus outbreak since Nimda unleashed its fury in 2001.
What makes the malware particularly viable, he said, is that it can spread in three distinct ways, only one of which can be closed off by applying an emergency fix (MS08-067) that Microsoft issued in October for a Windows Server Service vulnerability.
At the start of this month, the exploit morphed into a worm that can propagate through removable media devices or by copying itself to network shares, through brute-force password-guessing, Hypponen said. It bucks the trend of modern malware, which largely is spread via the web or through email.
“The user doesn’t have to be on the computer,” he told SCMagazineUS.com on Friday. “He can be away and still get infected.”
As soon as this worm correctly guesses the password of a user who belongs to the administrator group, the malware will browse the network shares of other machines, mount the C-drive and then use its privileges to schedule a task, in this case, infect that share with a copy of itself.
“Once the worm is able to crack the password of any user who belongs to an admin group, then it’s game over,” Hypponen said. “Once you have one infected machine in house…it can spread like wildfire. It can happen even if every single machine is patched.”
At this point, it remains unclear what the motive is of the malware writers, Hypponen said. Even though the worm has capabilities to “phone home” to receive additional instructions from a command-and-control center, researchers have not spotted any botnet traffic.
The only tangible impact on businesses is that employees may be unable to reach certain websites and may get locked out of their accounts, a product of the worm trying to guess passwords, he said. Also, the virus turns off Windows updates.
Either way, the individuals behind the attack are amassing an enormous botnet, researchers said. IP addresses from across the globe are affected, with the most victim machines residing in China, Brazil, Russia and India, according to F-Secure. But there are thousands of compromised computers in the United States.
To stop the spread, organizations, among other things, should ensure end-users are not using local administrative rights, Hypponen said.
A Microsoft spokesperson could not be reached for comment, but the software giant has said its Malicious Software Removal Tool will detect and eliminate the malware. But Hypponen warned that anti-virus solutions may not always work because the malware is constantly changing to evade detection.
Tips for businesses to defend against Downadup
- Patch all workstations and servers against MS08-067.
- Disable “autorun” and “autoplay” on all workstations.
- Ensure that shares such as “ADMIN$” are not accessible from standard workstations.
- Prevent end-users from using local admin rights.
- Eliminate unecessary domain accounts with local admin rights.
- Advise administrators to not work as “administrator” and to use “run as” when required.