Feeds

Final countdown to Conficker 'activation' begins

T-minus six

Next gen security for virtualised datacentres

Ferguson has put together a couple of useful graphics illustrating how Conficker works, in an analysis here.

The most detailed and thorough technical analysis of the worm's behaviour can be found in a paper by SRI International here.

Birth of a superworm

Variants of the Conficker worm, which first appeared back in November, spread using a variety of tricks. All strains of the superworm exploit a vulnerability in the Microsoft Windows server service (MS08-067) patched by Redmond in October.

Once it infects one machine on a network, the worm spreads across network shares. Infection can also spread via contaminated USB sticks. This combined approach, in particular the worm's attempts to hammer across corporate LANs, have made Conficker the biggest malware problem for years, since the default activation of the Windows firewall put the brakes on previous network worms such as Nimda and Sasser.

Compromised Windows PCs, however the infection happens, become drones in a botnet, which is yet to be activated. It's unclear who created or now controls this huge resource.

Estimates of the number of machines infected by Conficker vary, from barely over a million to 12 or even 15 million. More reliable estimated suggest that between 3-4 million compromised systems at any one time might be closer to the mark.

SRI reckons that Conficker-A has infected 4.7m Windows PC over its lifetime, while Conficker-B has hit 6.7m IP addresses. These figures, as with other estimates, come from an analysis of call-backs made to pre-programmed update sites. Infected hosts get identified and cleaned up all the time, as new machines are created. Factoring this factor into account the botnet controlled by Conficker-A and Conficker-B respectively is reckoned to be around 1m and 3m hosts, respectively, about a third of the raw estimate.

Estimates of how many machines are infected by the Conficker-C variant are even harder to come by.

But however you slice and dice the figure its clear that the zombie network created by Conficker dwarfs the undead army created by the infamous Storm worm, which reached a comparatively lowly 1 million at its peak in September 2007. Activation of this resource may not come next week or even next month but the zombie army established by the malware nonetheless hangs over internet security like a latter-day Sword of Damocles.

Some security watchers are sure it will get used eventually, if not on 1 April. Sam Masiello, a security analyst at MX Logic, said: "Why go through all of this effort to create such a huge botnet then not utilize it for something?"

"In a financially motivated economy it doesn't make sense to not rent it out or sell it off," he adds. ®

Bootnote

The humour potential of the April Fool's Day timing of Conficker's change of gears hasn't been lost on security researcher, some of who has mined a vein of horror and computer security cross-over humour.

Noted security researcher Chris Boyd of FaceTime Security notes the April Fool's Day significance of Conficker's "activation" date with a series of wry Conficker prediction such as "Sadako crawls out of your TFT monitor and EATS YOUR FACE" and "Satan himself emerges from your mouse wheel, whines about convergent technology then EATS YOUR FACE", that can be found here.

More seriously Symantec notes that searches for the term Conficker C have been contaminated to point at sites offering scareware packages, using black-hat search engine optimisation techniques. Be careful out there.

The essential guide to IT transformation

More from The Register

next story
Goog says patch⁵⁰ your Chrome
64-bit browser loads cat vids FIFTEEN PERCENT faster!
e-Borders fiasco: Brits stung for £224m after US IT giant sues UK govt
Defeat to Raytheon branded 'catastrophic result'
Chinese hackers spied on investigators of Flight MH370 - report
Classified data on flight's disappearance pinched
NIST to sysadmins: clean up your SSH mess
Too many keys, too badly managed
Attack flogged through shiny-clicky social media buttons
66,000 users popped by malicious Flash fudging add-on
New twist as rogue antivirus enters death throes
That's not the website you're looking for
prev story

Whitepapers

A new approach to endpoint data protection
What is the best way to ensure comprehensive visibility, management, and control of information on both company-owned and employee-owned devices?
Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Maximize storage efficiency across the enterprise
The HP StoreOnce backup solution offers highly flexible, centrally managed, and highly efficient data protection for any enterprise.
How modern custom applications can spur business growth
Learn how to create, deploy and manage custom applications without consuming or expanding the need for scarce, expensive IT resources.
Next gen security for virtualised datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.