SecurityFocus, 2009-12-16
Conficker may be under control, but the malicious family of programs is still resident on more than 6.5 million computers worldwide, and on some networks more than 5 percent of the Internet addresses show signs of infection.
On Wednesday, the ShadowServer Foundation took the wraps off a revamped statistics page, showing how far the three main variants of Conficker have spread and the degree to which the world's networks are infected. More than 12,000 networks, as represented by their autonomous system numbers (ASNs), show signs of infection by Conficker. The ShadowServer Foundation limited the displayed data to the top 500 networks.
"Our major goal is to show how far and wide Conficker has spread and where Conficker really has a foothold," said André DiMino, founder and director of the ShadowServer Foundation.
The team of volunteer researchers, which helped to establish the Conficker Working Group early this year, collects data from its member organizations.
The ShadowServer data groups Conficker into two classes. Conficker A+B consists of the first two variants of the program, which attempt to spread automatically. Conficker C, a variant that appeared in March, has no way to propagate unless it is updated. Overall, the number of Internet addresses showing signs of infection by Conficker A+B is increasing, while the number showing signs of Conficker C infection is decreasing.
The data shows that, while large countries -- such as China -- have a large number of Conficker-infected machines, proportionally only 1 percent of the IP space of the country's largest network shows signs of infection. On the other hand, large networks in countries such as Vietnam, Indonesia and Ukraine have more than 5 percent of their address space showing signs of infection.
Conficker, also known as Downadup and Kido, has surprised many security experts with its success in propagating across the Internet. First discovered in November 2008, the worm initially spread using a vulnerability in Microsoft Windows and contacted 250 random domains to check for updates. By April, Conficker had morphed into a botnet that maintained peer-to-peer connections, but no longer spread automatically. Where the first versions of the program contacted 250 random domains, the latest version generates 50,000 random domains every day and contacts 500 of them for updates.
Since early this year, the Conficker Working Group has preregistered the domains to block the software from updating itself.
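The update channel described in the two paragraphs above is a domain-generation algorithm (DGA): the bot derives a large daily list of candidate names from the date and queries a small random subset, and a defender who has reverse-engineered the generator can compute the same list in advance and register or sinkhole every name. The following is an added illustrative example, not code from the article and not Conficker's actual generator: the SHA-256-based naming scheme, the TLD set and the `EXAMPLE_DAY` constant are assumptions made for illustration; only the per-day counts (50,000 generated, 500 contacted) come from the article.

```python
"""Illustrative DGA and preregistration defence (constructed example).

Not Conficker's algorithm: the real worm used its own hashing scheme and
TLD set. The mechanism is what matters here: bot and defender compute the
same daily list, so the defender can sinkhole it ahead of time.
"""
import datetime as dt
import functools
import hashlib
import random

DOMAINS_PER_DAY = 50_000   # daily candidate list size, as reported in the article
CONTACTS_PER_DAY = 500     # names a bot actually queries per day, as reported
TLDS = ("com", "net", "org", "info", "biz")   # assumed TLD set, not Conficker's

EXAMPLE_DAY = dt.date(2009, 12, 16)           # constructed sample input
NEXT_DAY = EXAMPLE_DAY + dt.timedelta(days=1)


@functools.lru_cache(maxsize=8)
def generate_domains(day: dt.date) -> tuple[str, ...]:
    """Derive the day's candidate names deterministically from the date.

    Hypothetical generator: SHA-256 over the ISO date plus a counter, with
    hex digits mapped onto letters. Anyone who knows the algorithm, bot or
    defender, computes exactly the same list for a given day.
    """
    seed = day.isoformat().encode()
    names = []
    for i in range(DOMAINS_PER_DAY):
        digest = hashlib.sha256(seed + i.to_bytes(4, "big")).hexdigest()
        label = "".join(chr(ord("a") + int(c, 16) % 26) for c in digest[:12])
        tld = TLDS[int(digest[-1], 16) % len(TLDS)]
        names.append(f"{label}.{tld}")
    return tuple(names)


def bot_contacts(day: dt.date, rng: random.Random) -> list[str]:
    """Infected-host side: query only a small random subset of the list."""
    return rng.sample(generate_domains(day), CONTACTS_PER_DAY)


def preregister(day: dt.date, fraction: float, rng: random.Random) -> set[str]:
    """Defender side: compute the list ahead of time and register/sinkhole it.

    fraction < 1.0 models a defender who registers only part of that
    day's list (cost, registrar limits, or simply giving up).
    """
    names = generate_domains(day)
    if fraction >= 1.0:
        return set(names)
    return set(rng.sample(names, int(len(names) * fraction)))


def unblocked_contacts(day: dt.date, fraction: float = 1.0, seed: int = 1) -> int:
    """Count the bot's daily update attempts that reach an unregistered name.

    A single one is enough for the botmaster to push an update, so the
    defender needs this to be zero on every single day.
    """
    sinkholed = preregister(day, fraction, random.Random(seed + 1))
    contacts = bot_contacts(day, random.Random(seed))
    return sum(1 for name in contacts if name not in sinkholed)


if __name__ == "__main__":
    print("sample names:", generate_domains(EXAMPLE_DAY)[:3])
    print("full coverage, unblocked attempts:", unblocked_contacts(EXAMPLE_DAY, 1.0))
    print("90% coverage, unblocked attempts:", unblocked_contacts(EXAMPLE_DAY, 0.9))
```

Two properties of the example carry over to the real case. First, the cost asymmetry: the bot pays for 500 lookups a day, while the defender must register all 50,000 names every day, and registering 90 percent of them still leaves roughly 50 of the bot's 500 attempts landing on names the botmaster could register. Second, sinkholing only closes the DGA channel; as the article notes, the later variant also maintains peer-to-peer connections, which this defence does not touch.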
"Every day the security companies spend time and money to register domains," said Tom Cross, a security researcher with IBM's X-Force. "They are doing it altruistically. If they give up because no one cares, and they stop registering those domains, then the bot masters can start using the botnet again."
Yet, despite having infected 6.5 million systems, Conficker is a threat that is largely contained, said DiMino. In early October, the number of Internet protocol (IP) addresses showing signs of infection peaked at slightly more than 7 million, falling since then. Some countries -- such as Brazil -- have focused on identifying and cleaning compromised systems. The ShadowServer data shows that the country has had some success.
"Everyone is talking about Brazil (as a major source of Conficker traffic), but they have been working hard at reducing Conficker," DiMino said.
The ShadowServer Foundation will provide an in-depth report for free to any network operator that contacts them. The reports list the specific IP addresses from which Conficker traffic has been detected.