Security Operating Systems Software Windows

New Massive Botnet Building On Windows Hole 223

CWmike writes "The worm exploiting a critical Windows bug that Microsoft patched with an emergency fix in late October is now being used to build a fast-growing botnet, said Ivan Macalintal, a senior research engineer with Trend Micro. Dubbed 'Downad.a' by Trend (and 'Conficker.a' by Microsoft and 'Downadup' by Symantec), the worm is a key component in a massive new botnet that a new criminal element, not associated with McColo, is creating. 'We think 500,000 is a ballpark figure,' said Macalintal when asked the size of the new botnet. 'That's not as large as some, such as [the] Kraken [botnet], or Storm earlier, but it's... starting to grow.'"
  • Re:Idiots (Score:3, Informative)

    by Brain Damaged Bogan ( 1006835 ) on Monday December 01, 2008 @11:52PM (#25955213)
    I would imagine that most pirated copies of windows wouldn't use auto update, you don't want your pirated OS contacting the developer whenever it feels like.
  • Re:Idiots (Score:3, Informative)

    by imemyself ( 757318 ) on Tuesday December 02, 2008 @12:01AM (#25955273)
    I believe that MS actually does provide security updates for systems that do not pass WGA.
  • by Anonymous Coward on Tuesday December 02, 2008 @12:07AM (#25955321)
    Yeah, speaking of idiots...

    This has been going around our work computers for about a week.

  • Re:Idiots (Score:4, Informative)

    by LtGordon ( 1421725 ) on Tuesday December 02, 2008 @12:14AM (#25955377)
    Systems that do not pass WGA are only allowed access to "critical" updates.
  • Re:Go vigilante (Score:2, Informative)

    by Surreal Puppet ( 1408635 ) on Tuesday December 02, 2008 @12:14AM (#25955381) Journal

    Take a look at Schneier's arguments against this: http://www.schneier.com/blog/archives/2008/02/benevolent_worm_1.html [schneier.com]. One additional point is that stack/heap overflows and other memory-corrupting vulnerabilities often can't be made to be 100% reliable, and can be difficult to code for different service packs and such. This can be, and is, coded around as a matter of course, but a bug in the exploitation process can have disastrous and unpredictable results (in this case, interruption of a large swath of critical internal office file sharing networks.) This doesn't matter to the criminals, but it presumably matters to any prospective "grey hat" worm authors.

  • Re:Idiots (Score:5, Informative)

    by The Bungi ( 221687 ) <thebungi@gmail.com> on Tuesday December 02, 2008 @12:20AM (#25955419) Homepage

    Which this particular patch qualifies as.

  • Re:Idiots (Score:5, Informative)

    by nabsltd ( 1313397 ) on Tuesday December 02, 2008 @12:36AM (#25955535)

    Auto-update works if you have a legitimate copy of Windows, and there are plenty of people using pirated copies of Windows which do not qualify for the "genuine advantage" required by Windows Update.

    If someone is already using a pirated copy of Windows as their desktop OS, then they probably wouldn't have a problem running a pirated copy of Windows 2003, either.

    In which case, they can then download Windows Server Update Services [microsoft.com] which doesn't require WGA to download. After installing WSUS on Win2K3, they can configure it to only download updates matching the pirated MS software they have, and then individually approve or reject updates. They would then configure all the systems to retrieve the approved updates from the WSUS server.

    By doing this, every update is available, and WGA is never installed on any of the systems.

  • Re:Go vigilante (Score:2, Informative)

    by techno-vampire ( 666512 ) on Tuesday December 02, 2008 @12:50AM (#25955621) Homepage
    Personally, I'd rather see Microsoft put the effort into writing a version of Windows that doesn't have all those vulnerabilities in the first place. Of course, that would mean throwing out an awful lot of old code and that goes against their corporate culture, so I'm not holding my breath.
  • Re:Idiots (Score:2, Informative)

    by master811 ( 874700 ) on Tuesday December 02, 2008 @01:04AM (#25955717)

    That's not true, systems will still get access to the "recommended" updates as well if Auto-Update is set. I don't understand it myself as the same updates can't be accessed without validating, but they appear fine if you have it set to automatic (and don't use the windows update website).

  • Re:Idiots (Score:3, Informative)

    by The MAZZTer ( 911996 ) <.moc.liamg. .ta. .tzzagem.> on Tuesday December 02, 2008 @11:45AM (#25960169) Homepage

    Rootkits are not undetectable. Though in theory they can be, in practice fully scrubbing the files from all file request APIs can be difficult. Most scanners will use the high-level APIs (which are most likely to be manipulated by rootkits) as well as a low-level API (such as undocumented kernel functions or even direct hard drive access) which is far more difficult for the rootkit to manipulate... then they compare the results of the two scans. Any discrepancies are reported to the user as possible rootkits. MS hides some system-critical files from normal viewing, even if you choose to show system and hidden files, such as the master file table:

    C:\>dir $*
    Volume in drive C is Windows XP
    Volume Serial Number is DEAD-BEEF

    Directory of C:\

    File Not Found

    C:\>type nonexistantfile
    The system cannot find the file specified.

    C:\>type $MFT
    Access is denied.

    (Yes that is my real volume serial number. No it wasn't like that when I got it, I changed it.)

    These files are small in number and so are hard-coded into most rootkit scanners as files to ignore. Other legit reasons for discrepancies can be attributed to files being created or deleted between the two scans. Anything that's left can be Googled or otherwise analyzed to determine if it is a rootkit.

    Of course an even easier way to find rootkits is to boot from a known rootkit-free environment (BartPE, Linux LiveCD) and run a scan on the suspected rootkit-infected volume.
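The cross-view comparison the comment above describes, as an added example (not code from the comment or from any real scanner): two file listings of one volume, one through the normal directory API and one through a low-level path, are diffed, the NTFS metafiles that the normal API never returns are allowed for, and a second high-level listing separates files created or deleted between the scans from files that are actually being hidden. The listings and the suspect file name are constructed.

```python
"""Cross-view rootkit detection on two constructed directory listings."""
from __future__ import annotations

# NTFS metafiles: hidden from the normal directory API by design, so a
# scanner hard-codes them rather than reporting them as rootkit artifacts.
NTFS_METAFILES = frozenset({
    "$MFT", "$MFTMirr", "$LogFile", "$Volume", "$AttrDef", "$Bitmap",
    "$Boot", "$BadClus", "$Secure", "$UpCase", "$Extend",
})


def is_metafile(path: str) -> bool:
    """True when the last path component is a known NTFS metafile."""
    return path.rsplit("\\", 1)[-1] in NTFS_METAFILES


def cross_view_diff(high: set[str], low: set[str],
                    rescan_high: set[str] | None = None) -> dict[str, list[str]]:
    """Compare the high-level (API) view with the low-level view.

    hidden:  in the low-level view and in no high-level view -> possible rootkit
    created: in the low-level view and in the rescan -> created between scans
    deleted: in the first high-level view only -> deleted between scans
    """
    rescan = rescan_high if rescan_high is not None else high
    only_low = {p for p in low - high if not is_metafile(p)}
    hidden = sorted(p for p in only_low if p not in rescan)
    created = sorted(p for p in only_low if p in rescan)
    gone = high - low
    deleted = sorted(gone - rescan) if rescan_high is not None else sorted(gone)
    return {"hidden": hidden, "created": created, "deleted": deleted}


# Constructed listings standing in for the two scans of one volume.
HIGH_LEVEL = {
    r"C:\Windows\explorer.exe", r"C:\Windows\System32\ntdll.dll",
    r"C:\temp\build.log",                       # deleted between the scans
}
LOW_LEVEL = {
    r"C:\$MFT", r"C:\$LogFile",                 # metafiles, expected to differ
    r"C:\Windows\explorer.exe", r"C:\Windows\System32\ntdll.dll",
    r"C:\temp\new.tmp",                         # created between the scans
    r"C:\Windows\System32\drivers\hidden.sys",  # constructed suspect file
}
RESCAN_HIGH = {r"C:\Windows\explorer.exe", r"C:\Windows\System32\ntdll.dll",
               r"C:\temp\new.tmp"}


def scan_sample() -> dict[str, list[str]]:
    """Run the diff over the constructed listings."""
    return cross_view_diff(HIGH_LEVEL, LOW_LEVEL, RESCAN_HIGH)


if __name__ == "__main__":
    for kind, paths in scan_sample().items():
        print(f"{kind}: {paths}")
```

Only the `hidden` list warrants a closer look; `created` and `deleted` are the race conditions the comment mentions, and the metafiles never appear at all.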
