<<<
NEWS FROM THE LAB - Tuesday, January 13, 2009
>>>
 

 
How Big is Downadup? Very Big. Posted by Mikko @ 11:21 GMT

Downadup worms attempt to call home.

They do this by trying to connect to various Web addresses. And if the worm finds an active Web server at one of these domains, it will download and run a particular executable — thus giving the malware gang a free hand to do whatever they want with all of the infected machines.

They could build a large botnet for example. The framework is in place.

Normally malware uses only one or maybe a handful of websites. Such sites are generally easy to locate and shut down.

Then there is Downadup. It uses a complicated algorithm which changes daily and is based on timestamps from public websites such as Google.com and Baidu.com. With this algorithm, the worm generates many possible domain names every day.

Hundreds of names such as: qimkwaify .ws, mphtfrxs .net, gxjofpj .ws, imctaef .cc, and hcweu .org.

This makes it impossible and/or impractical for us good guys to shut them all down — most of them are never registered in the first place.

However, the bad guys only need to predetermine one possible domain for tomorrow, register it, and set up a website — and they then gain access to all of the infected machines. Pretty clever.

But we can play this game as well.

So we've determined the possible domains and have registered some of them for ourselves.

Which means the infected machines will also connect to us.

We could attempt to manipulate the infected machines. But of course we won't. In fact, we won't be doing anything at all to them – not even disinfect them – as that could be seen as "unauthorized use". That is illegal, at least in many jurisdictions. (Doing something without being asked is also a very large ethical question…) Look but don't touch is the golden rule.

But this looking and listening does gain us a unique visibility inside and we can see just how large the number of infected machines is.

Right now, we're seeing hundreds of thousands of unique IP addresses connecting to the domains we've registered.

A very large part of that traffic is coming from corporate networks, through firewalls, proxies, and NAT routers. Meaning that one unique IP address that we see could very well be 2,000 infected workstations in real life.

Toni Koivunen from our Response Team has used some additional tricks to come up with an estimate on just how many infected machines there really are.

Toni's final count is: 2,395,963 infections worldwide. This figure is conservative; the real number is certainly higher.

It would make for one big badass botnet.

And where in the world are these infections? We're glad you asked. We resolved the IPs to countries and here are the results.

Number of IPsRegistered country of the IP
38,277China
34,814Brazil
24,526Russia
16,497India
14,767Ukraine
13,115Italy
11,675Argentina
11,117Korea
8,861Romania
6,166Indonesia
5,882Chile
5,531Taiwan
5,162Malaysia
4,392Germany
4,261Philippines
3,958United States
3,719Colombia
3,307Spain
3191Thailand
2,871Kazakhstan
2,828Venezuela
2,685Mexico
2,518Europe (resolved to EU)
2,337France
1,901Bulgaria
1,789United Kingdom
1,655Pakistan
1,636Turkey
1,544Saudi Arabia
1,399Hungary
1,389Iran
1,272Poland
1,259Macedonia
1,193Japan
1,052Portugal
1,029Vietnam


These are the raw unique IPs; you could think of this as China having 38,277 infected companies, not persons.