The Register® — Biting the hand that feeds IT

Feeds

Conficker zombie botnet drops to 3.5 million

Map of the Problematique

By John Leyden, 3rd April 2009
  • print
  • alert

Regcast training : Hyper-V 3.0, VM high availability and disaster recovery

The "activation" of Windows machines infected with the latest variant of the Conficker worm has allowed security watchers to come up with a far more accurate estimate of how many machines are infected.

Early versions of Conficker called home to 250 different domain names every day to check for updates. Since Wednesday, machines infected by with the latest version of the worm (Conficker-C) began using a sample of 500 out of pre-programmed 50,000 domains a day to search for upgrades.

The unknown virus writers who created the worm are yet to publish any such update, but the call-back behaviour has allowed anti-virus firms to come up with an estimate of how many machines are infected by Conficker-C for the first time.

Vietnamese antivirus firm Bkis reckons 1.3m machines are infected with Conficker-C. A breakdown of infections by country, compiled by Bkis, can be found here. The combined number of computers infected by Conficker A and B is 2.2m, according to Bkis.

That total of around 3.5m is in line with a detailed technical analysis by Conficker which puts the size of the Conficker botnet at between three and four million strong.

IBM's X-Force has a mash-up using Google Maps or Conficker infections across the world, which can be found here. The Conficker Working Group has published more detailed infection maps here.

Estimates of the number of machines ever infected by Conficker vary from ten to 15 million, but these figures ignored disinfections and other factors. It's more meaningful to talk of the current number of zombie drones rather than the number ever infected, because it gives a much better idea of the potential for harm.

As predicted by security watchers beforehand, Conficker's 1 April "activation" passed by without anything happening, much like previous malware trigger dates associated with nuisances such as the Michelangelo virus (1992), CIH (1999), SoBig (2003), and MyDoom (2004). The unknown authors of Conficker didn't publish updates on 1 April, but since infected machines check for updates on a daily basis it would be wrong to think that the threat has passed. Updates using the P2P mechanism built into the worm are also possible.

F-Secure has compiled an updated, informative FAQ on Conficker here, which cover important questions such as how to tell if you're infected and much more besides. Conficker blocks access to security sites, a factor exploited by Joe Stewart of the Conficker Working Group to create a simple test here. ®

Agentless Backup is Not a Myth

COMMENTS

House Rules Send Corrections
All Reader Comments (11)
Latest Comments
Goat Jam

What the hell are those Confickers up to anyway?

I wish they'd pull the pin already.

I mean FFS, all the 'doze admins here need to be woken up every now and then and I've been patiently waiting for Conficker to be switched on. So far nothing but boring stories guestimating the size of the botnet.

Yawn.

0
0
Neil

Conficker?

I'll eat when I get hungry

I'll drink when I get dry

If the life I live don't kill me

Then I guess I'll never die

I'll tune up my fiddle

I'll rosin up my bow

And find a girl to hold me tight

Anywhere I go

Corn liquor corn liquor's what I cry

If you don't give me corn liquor boy

Somebody's gonna die

Somebody's gonna die oh lord

Somebody's gonna die

0
0
Steve Evans

How about...

How about this for a revolutionary idea...

As this analysis is based on the IPs of the infected machines, how about emailing the ISPs who control these IPs and asking them to inform the user who had that IP allocated at the time of their infection, and pass them some useful links to help them remove the infection...

The mechanism almost already exists on some ISPs to allow the RIAA to pump out the automated "You are an evil pirate, prepare to be cut off!" emails.

This does assume the ISPs give a sh*t of course!

0
0

More from The Register

breaking news
NSA PRISM snoop-gate: Won't someone think of the children, wails Apple
10,000 things probed, mostly about missing kids, Alzheimer patients, we're told
96
breaking news
NSA PRISM-gate: Relax, GCHQ spooks 'keep us safe', says Cameron
Whatever they are up to, it's all above board, we're told
90
PRISM snitch claims NSA hacked Chinese targets since 2009
Snowden suddenly looks safer in Hong Kong after revelations
33
breaking news
US chief spook: Look, we only want to spy on 6.66 BEELLLION of you
Americans assured they are not in the NSA's sights
68
Speech-to-text drives motorists to distraction
Will talking to you mean I crash into that car up ahead, Siri?
30
DHS warns of vulns in hospital medical equipment
Has your doctor's anasthesia machine been hacked?
17
breaking news
'BadNews is malware' says outfit that found it
Google says code harmless but Lookout says code base is evolving
15
Panda-peddlers cuffed for chess gambling gambit
More porridge on the menu for Chinese coders after second offence
13
breaking news
Yes, maybe we should keep hackers in the clink for YEARS, mulls EU
Watch out black hats, they just might throw away the key
39
Internet fraud still stings suckers
Australians twice as gullible as Americans
35