Downadup spreads to an estimated total of 8.9 million PCs

News by Dan Raywood

The Downadup virus spread to an estimated total of 8.9 million PCs over the last four days.

The Downadup virus spread to an estimated total of 8.9 million PCs over the last four days.


F-Secure claimed that the total calculation on Saturday was 8,976,038 infections worldwide and 353,495 unique IP addresses, which it claimed ‘is not getting better, it is getting worse'. 

Posting on a company blog, researchers claimed that there are several different variants of Downadup circulating, and though the algorithm to create the domain names varies between the variants, F-Secure has been tracking the variant it believes to be most common.


The company said: “It creates 250 possible domains each day. We've registered some selected domains out of this pool and are monitoring the connections being made to them. It's hard to tell the real number of infections, since NAT boxes and proxies tend to spoil the fun and Downadup doesn't include a unique identifier within the user-agent string for us to see. We first tried to count unique user-agent headers per IP address, but the results weren't very good as in a standardised corporate network, most machines have identical user-agents.


“So, with a little digging we discovered that in the /search/q=NUMBER query, the number is not random. It's basically a global variable in the code, getting incremented (thread-safely through InterlockedIncrement) every time the malware has successfully exploited a machine via MS08-067. The incrementation is done in the httpd thread of the malware, after it has exploited a machine successfully.”

Researchers further claimed that it has written a program that parses the logs, extracting the highest ‘q' value for the IP/user-agent pairs, and this is showing that more than eight million machines have been infected.


Robert McArdle, threats analyst at Trend Micro, said: “So why is this worm so successful? Simple - poor security policies. The first propagation technique is really exploiting poor patch management. A patch for this vulnerability has been available since late last year, but still some administrators (or the safety representatives) have not properly rolled this out to all machines on their network.


“Remember even one unpatched machine is enough to have this worm spread through the entire network.”


Find this article useful?

Get more great articles like this in your inbox every lunchtime

Video and interviews