Conficker botnet wake up call only pinged zombie minority
The effective size of the Conficker botnet might be far smaller than previously thought.
Last week machines infected with the latest variant of Conficker began to download additional components - files associated with the rogue anti-malware application SpywareProtect2009 and a notorious botnet client, Waledac - via the worm's built-in P2P update mechanism.
Security researchers at Kaspersky Lab have developed an application that analyses the P2P network communications associated with the malware. Over a 24-hour observation period, Kaspersky analysts spotted 200,652 unique IP addresses participating in the network, far less than initial estimates of infected Conficker hosts that ran into the millions.
However Kaspersky notes that the low volume is explained by the fact that only the latest variants of the worm are communicating via the monitored P2P network. In addition, only a minority of the nodes infected with earlier variants of the worm have been updated to the latest version.
A more detailed analysis, including geographical breakdown of compromised hosts, can be found on Kaspersky's blog here. ®