The worm, dubbed Conficker, Downadup, or Kido, spreads via a vulnerability that Microsoft patched in October 2008. Once on a machine it sets up an HTTP server and resets a machine's System Restore point to stop administrators deleting it.
“The number of Downadup infections are skyrocketing based on our calculations,” said F-Secure in its blog
“From an estimated 2.4 million infected machines to over 8.9 million during the last four days. That's just amazing.”
The worm contains the usual Trojan package that allows the controller to download new files from their own server. But in an unusual twist the malware generates hundreds of seemingly random domain names to scan for updates, making it much harder to track the one used by the malware writer.
“Our advice is to block all incoming and outgoing traffic on port 445 from those computers to ensure that
(a) they aren’t hit with exploits from the internet and (b) if they somehow are exploited, they aren’t able to infect the rest of the network via file shares,” said Graham Cluley, senior technology consultant for Sophos.
“Furthermore, if you have a group policy in place to lock out accounts after too many unsuccessful login attempts, the worm will probably cause many of these accounts to become locked out during the worm’s password cracking attempts. This can obviously be annoying, but at the same time it is a good indicator that you may have an infected computer on the network.”
Servers in the US and Europe have had fewest infections due to regular updating by IT administrators. China, Brazil and Russia have been hit hardest according to F-Secure.