If you've been seeing this message in your web browser lately, you are not alone:
Microsoft Not Found
Millions of other people are also finding that they can't reach microsoft.com or can't load antivirus websites. The reason is that they are infected by the Downadup worm.
Downadup (also called Downad, Kido, Conficker or Conflicker) is a Windows worm that spreads by exploiting weak administrator passwords, the use of autorun on removable and network drives, and the MS08-067 vulnerability.
Once installed, the worm does the following things:
To date, SecureWorks has not witnessed any successful downloads of second-stage code; however, it is believed the worm's intention may be to install rogue anti-virus software in an attempt to scare payment out of infected users.
Despite using fairly old and well-known spreading vectors, and despite a patch for MS08-067 having been available for months now, the worm is having fairly good success at spreading to networks worldwide. Estimates are currently around 10M infected machines, although it is possible that some entities are counting machines multiple times. Whatever the real number of infected machines, it is certainly possible that the worm has infected millions of machines around the world, given the sheer number of IP addresses hitting the sinkhole servers that have been set up for observation.
Key indicators of an infection are:
The problem of Conficker/Downadup cleanup is exacerbated by the fact that the worm blocks the download of potential removal tools, including Microsoft's own Malicious Software Removal Tool (MSRT), which has been updated to remove Conficker/Downadup. It does this by hooking the system DNS and networking APIs and blocking DNS lookups whose domain names contain certain strings.
The complete list of strings blocked in DNS requests is below:
Obviously, not being able to reach any of these domains makes it difficult for an infected party to find information on the worm or tools to clean it up. However, the worm does not prevent the use of a proxy server to reach the same websites, so in organizations where a proxy server is already in use for web traffic, removal may be easier.
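The indicator described above (ordinary names resolve, while microsoft.com and antivirus sites do not) can be turned into a simple host-side triage check. The following is an added example, not SecureWorks code or part of the original article; the `av-vendor.example` canary, the control names and the substring list used by the offline fake resolver are constructed placeholders, since the page does not reproduce the worm's actual string list.

```python
import socket

# Names the article reports as unreachable from infected hosts. "microsoft.com"
# comes from the article; "av-vendor.example" is a constructed placeholder.
CANARY_NAMES = ["microsoft.com", "av-vendor.example"]
# Control names the worm has no reason to filter; constructed for this example.
CONTROL_NAMES = ["example.com", "example.net"]


def probe(names, resolve=socket.gethostbyname):
    """Return {name: resolved?} for each name. `resolve` is injectable so the
    decision logic can be exercised without network access."""
    results = {}
    for name in names:
        try:
            resolve(name)
            results[name] = True
        except OSError:  # socket.gaierror is a subclass of OSError
            results[name] = False
    return results


def classify(canary, control):
    """SUSPECT: controls resolve but every canary fails, the selective pattern
    a name-filtering DNS hook produces. OFFLINE: controls fail too, so this is
    a general DNS/network fault, not this indicator. CLEAN: canaries resolve."""
    if not any(control.values()):
        return "OFFLINE"
    if canary and not any(canary.values()):
        return "SUSPECT"
    return "CLEAN"


def check(resolve=socket.gethostbyname):
    """Run both probes with the same resolver and return the verdict."""
    return classify(probe(CANARY_NAMES, resolve), probe(CONTROL_NAMES, resolve))


def make_fake_resolver(blocked_substrings):
    """Offline stand-in modelling the behaviour described in the article: a
    lookup fails whenever the name contains one of the blocked substrings.
    The substrings passed in are constructed, not the worm's real list."""
    def resolve(name):
        if any(s in name for s in blocked_substrings):
            raise socket.gaierror("lookup blocked")
        return "192.0.2.1"  # TEST-NET-1 address, constructed
    return resolve


if __name__ == "__main__":
    print(check())  # live check against the system resolver
```

Running the script on a suspect machine prints SUSPECT only when the control names resolve and the canaries do not, which separates this indicator from a machine that is simply offline.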