An Update on Downadup Worm


Last month I told you about the Downadup worm and its effect on systems worldwide. At the time of that post, the worm was estimated to have infected 9 million PCs. Today, experts estimate that the worm has infected more than 15 million PCs and is growing at an alarming rate. According to F-Secure, a lab that analyzes viruses, phishing, spyware, and spam attacks, the worm has logged more than 1.9 million IP addresses in a single day.


Downadup, also known as Conficker, Downup and Kido, is a worm that affects the Windows Server service used by Windows 2000, Windows XP, Windows Vista, Windows Server 2003, Windows Server 2008 and Windows 7 beta. Specifically, the worm spreads itself through a buffer overflow vulnerability using Remote Procedure Calls (RPC), and it disables a number of services such as Windows Automatic Updates, Windows Security Center and Windows Defender.


Last week, technology industry leaders and academics -- including Symantec, Microsoft, ICANN, Neustar, Verisign, CNNIC, Afilias, Public Internet Registry, Global Domains International, MD Global, AOL, F-Secure, Georgia Tech, and the Shadowserver Foundation -- joined forces to combat the worm. The group's first order of business is to stop its propagation.


The group has already reverse engineered the code of the worm and now understands the pseudo-random domain generation algorithm that it uses to check a daily list of some 250 domains for updates.


As if this were not enough, Microsoft has stepped up and is offering $250,000 for information that leads to the arrest and conviction of the worm's creator. Kudos to Microsoft for taking the lead on the initiative. With so much firepower being thrown at this, it will only be a matter of time before the perpetrators are caught. I think they should get one day in prison for every PC they infected. What do you think is a fair sentence?