Infected machines do this by trying to connect to various Web addresses. If the worm finds an active Web server at one of these domains, it downloads and runs a particular executable, which gives the malware gang a free hand to do whatever they want with all of the infected machines.
They could build a large botnet, for example. The framework is in place.
Normally malware uses only one website, or maybe a handful. Such sites are generally easy to locate and shut down.
Then there is Downadup. It uses a complicated algorithm whose output changes daily; the seed is taken from timestamps fetched from public websites such as Google.com and Baidu.com (rather than from the local clock). With this algorithm, the worm generates many possible domain names every day.
Hundreds of names such as: qimkwaify .ws, mphtfrxs .net, gxjofpj .ws, imctaef .cc, and hcweu .org.
This makes it impossible, or at least impractical, for us good guys to shut them all down; most of them are never registered in the first place.
However, the bad guys only need to precompute one of tomorrow's possible domains, register it, and set up a website there, and they gain access to all of the infected machines. Pretty clever.
But we can play this game as well.
So we've determined the possible domains and registered some of them for ourselves, which means the infected machines will also connect to us.
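The algorithm itself is not reproduced on this page, so the following is an added illustration written for this post, not Downadup's code and not F-Secure's tooling: a date-seeded generator standing in for the worm's algorithm, and the two ways the same list gets used. The gang only needs one of the day's names; a defender who has reversed the algorithm can precompute the same list, register a slice of it, and has to do so again every day because each day's list is different. The SHA-256 mixer, the TLD set (taken from the sample names above), 5 to 11 letter labels, and 250 names per day are all assumptions.

```python
from __future__ import annotations

import hashlib
import re
from datetime import date, timedelta

# Illustrative generator only. Downadup's real algorithm is not on this page;
# what the text gives us is that the output changes daily, the seed is a date
# the worm obtains from public websites, and there are hundreds of names per
# day across several TLDs. Everything else here is an assumption.
TLDS = ("ws", "net", "cc", "org")     # TLDs of the sample names in the post
DOMAINS_PER_DAY = 250                 # "hundreds of names" per day
ALPHABET = "abcdefghijklmnopqrstuvwxyz"
DOMAIN_RE = re.compile(r"^[a-z]{5,11}\.(ws|net|cc|org)$")
DEMO_DAY = date(2009, 1, 16)          # constructed date for the demo


def generate_domains(day: date, count: int = DOMAINS_PER_DAY) -> list[str]:
    """Deterministically derive `count` distinct candidate domains for `day`.

    Anyone who knows the algorithm and the date (the worm, the gang, and a
    defender who reversed a sample) gets exactly the same list.
    """
    seed = day.isoformat().encode()
    domains: list[str] = []
    seen: set[str] = set()
    counter = 0
    while len(domains) < count:
        digest = hashlib.sha256(seed + counter.to_bytes(4, "big")).digest()
        counter += 1
        length = 5 + digest[0] % 7                       # 5..11 letters
        label = "".join(ALPHABET[b % 26] for b in digest[1:1 + length])
        domain = f"{label}.{TLDS[digest[-1] % len(TLDS)]}"
        if domain not in seen:                           # keep the day's list duplicate-free
            seen.add(domain)
            domains.append(domain)
    return domains


def attacker_domain(day: date, index: int = 0) -> str:
    """The gang needs to register just one name from a day's list."""
    return generate_domains(day)[index]


def sinkhole_plan(start: date, days: int, per_day: int) -> dict[date, list[str]]:
    """Names a defender would register ahead of time, day by day.

    Each day's list is different, so registrations must be renewed daily;
    holding yesterday's names earns no traffic tomorrow.
    """
    plan: dict[date, list[str]] = {}
    for offset in range(days):
        day = start + timedelta(days=offset)
        plan[day] = generate_domains(day)[:per_day]
    return plan


def sinkhole_hit_rate(day: date, registered: set[str]) -> float:
    """Fraction of `day`'s candidates that defenders hold.

    If the gang picks its one domain uniformly at random from the list, this
    is the probability that day's traffic lands on a sinkhole instead.
    """
    candidates = generate_domains(day)
    held = sum(1 for d in candidates if d in registered)
    return held / len(candidates)


if __name__ == "__main__":
    print("first candidates:", generate_domains(DEMO_DAY)[:5])
    print("gang registers:", attacker_domain(DEMO_DAY))
    plan = sinkhole_plan(DEMO_DAY, 3, 25)
    print("hit rate today:", sinkhole_hit_rate(DEMO_DAY, set(plan[DEMO_DAY])))
    print("yesterday's names tomorrow:",
          sinkhole_hit_rate(DEMO_DAY + timedelta(days=1), set(plan[DEMO_DAY])))
```

The asymmetry the post describes falls out of the numbers: holding 25 of 250 names gives a one-in-ten chance of catching the gang's pick on that day, and the same 25 names are worth nothing the next day.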
We could attempt to manipulate the infected machines. But of course we won't. In fact, we won't be doing anything at all to them, not even disinfecting them, as that could be seen as "unauthorized use", which is illegal in many jurisdictions. (Acting on someone's machine without being asked is also a very large ethical question.) Look but don't touch is the golden rule.
But this looking and listening does give us unique visibility, and we can see just how large the number of infected machines is.
Right now, we're seeing hundreds of thousands of unique IP addresses connecting to the domains we've registered.
A very large part of that traffic comes from corporate networks, through firewalls, proxies, and NAT routers. That means one unique IP address we see could very well be 2,000 infected workstations in real life.
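What "look but don't touch" yields in practice is a sinkhole access log, and the counting done on it is what the unique-IP figures above come from. The block below is an added example, not the Response Team's tooling: it parses constructed log lines (not real F-Secure data), deduplicates client addresses across days and across the several sinkholed domains a single host hits, resolves each address against a constructed prefix table standing in for a GeoIP database, and keeps a per-address request count to make the NAT caveat visible. The log format, the documentation IP ranges and the country labels are all assumptions.

```python
from __future__ import annotations

import ipaddress
from collections import Counter

# Constructed sinkhole access-log lines (not real F-Secure data): UTC
# timestamp, client IP, method, the sinkholed host name, path. The same
# client shows up on two days and against three different domains, one
# client repeats within a second, and one line is malformed.
SAMPLE_LOG = """\
2009-01-15T08:01:02Z 203.0.113.5 GET qimkwaify.ws /search?q=0
2009-01-15T08:01:09Z 203.0.113.5 GET mphtfrxs.net /search?q=0
2009-01-15T08:03:44Z 198.51.100.77 GET qimkwaify.ws /search?q=0
2009-01-15T09:15:00Z 192.0.2.10 GET gxjofpj.ws /search?q=0
2009-01-16T08:00:30Z 203.0.113.5 GET imctaef.cc /search?q=0
2009-01-16T11:20:12Z 192.0.2.200 GET hcweu.org /search?q=0
2009-01-16T11:20:13Z 192.0.2.200 GET hcweu.org /search?q=0
2009-01-16T12:00:00Z not-an-ip GET hcweu.org /search?q=0
"""

# Constructed prefix-to-country table standing in for a GeoIP database;
# these documentation ranges belong to no real country.
COUNTRY_BY_PREFIX = {
    ipaddress.ip_network("203.0.113.0/24"): "CN",
    ipaddress.ip_network("198.51.100.0/24"): "BR",
    ipaddress.ip_network("192.0.2.0/24"): "RU",
}


def parse_log(text: str) -> list[tuple[str, str, str]]:
    """Return (day, client_ip, host) per well-formed line; skip the rest."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        timestamp, client, _method, host, _path = parts
        try:
            ip = str(ipaddress.ip_address(client))    # rejects "not-an-ip"
        except ValueError:
            continue
        records.append((timestamp[:10], ip, host))
    return records


def unique_ips(records) -> set[str]:
    """One entry per client address, however many days or domains it hit."""
    return {ip for _day, ip, _host in records}


def country_of(ip: str) -> str:
    """Registered country of the address per the (constructed) prefix table."""
    addr = ipaddress.ip_address(ip)
    for network, country in COUNTRY_BY_PREFIX.items():
        if addr in network:
            return country
    return "Unknown"


def ips_by_country(ips) -> list[tuple[str, int]]:
    """Unique-IP counts per registered country, most affected first."""
    return Counter(country_of(ip) for ip in ips).most_common()


def hits_per_ip(records) -> Counter:
    """Requests per address. A gateway in front of many workstations is one
    address with many hits; the count is a hint, not a machine count."""
    return Counter(ip for _day, ip, _host in records)


if __name__ == "__main__":
    records = parse_log(SAMPLE_LOG)
    ips = unique_ips(records)
    print(f"{len(records)} requests from {len(ips)} unique IPs")
    print("Number of IPs  Registered country of the IP")
    for country, count in ips_by_country(ips):
        print(f"{count:<14} {country}")
    print("hits per IP:", dict(hits_per_ip(records)))
```

The unique-IP count is a floor: 203.0.113.5 is counted once although it contacted three domains on two days, and nothing in the log says how many workstations sit behind it.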
Toni Koivunen from our Response Team has used some additional tricks to come up with an estimate on just how many infected machines there really are.
Toni's final count is: 2,395,963 infections worldwide. This figure is conservative; the real number is certainly higher.
It would make for one big badass botnet.
And where in the world are these infections? We're glad you asked. We resolved the IPs to countries and here are the results.
Number of IPs   Registered country of the IP
38,277          China
34,814          Brazil
24,526          Russia
16,497          India
14,767          Ukraine
13,115          Italy
11,675          Argentina
11,117          Korea
8,861           Romania
6,166           Indonesia
5,882           Chile
5,531           Taiwan
5,162           Malaysia
4,392           Germany
4,261           Philippines
3,958           United States
3,719           Colombia
3,307           Spain
3,191           Thailand
2,871           Kazakhstan
2,828           Venezuela
2,685           Mexico
2,518           Europe (resolved to EU)
2,337           France
1,901           Bulgaria
1,789           United Kingdom
1,655           Pakistan
1,636           Turkey
1,544           Saudi Arabia
1,399           Hungary
1,389           Iran
1,272           Poland
1,259           Macedonia
1,193           Japan
1,052           Portugal
1,029           Vietnam
These are the raw unique IPs; you could think of this as China having 38,277 infected companies, not persons.