The latest version of Conficker/Downadup went live April 1, ringing up more domains in an attempt to download orders, but as expected the slim chance for Internet mayhem wasn't realized. The security researchers, part of a collaboration known as the Conficker Working Group, have long cracked the worm's domain algorithm and have so far been successful in blocking its ability to receive orders.
"The code's been cracked and folks have a sense for the nature of the command and control environment and that's one of the reasons why I haven't been too concerned," said Pete Lindstrom, research director at Spire Security. "The good guys have done a really good job of coming up with ways to identify and eradicate any impact that Conficker had."
The latest version of Conficker, known as Conficker.c or Conficker.d by Microsoft, began randomly selecting 500 domains from a pool of 50,000 domain names generated per day, instead of the 250 domains selected by previous versions. Security researchers are also trying to monitor its peer-to-peer (P2P) mechanism, designed to spread updates to other Conficker-infected machines, albeit very slowly.
It's unclear how many machines are infected worldwide. At its peak in January, security vendor F-Secure Corp. estimated about 10 million machines infected. Others say the figure is much lower, estimating about 3 million Conficker-infected computers globally, with the bulk of them in Asia and Eastern Europe. Holly Stewart, IBM X-Force threat response manager, released statistics showing China, Russia and Brazil with the most infections. Stewart declined to release more detailed figures that would compare Conficker to other malware.
"We're just looking at general network activity of this one variant of malware," she said. "I don't have good stats that would tell you one way or the other how this is comparatively speaking."
The worm is exploiting a Microsoft remote procedure call (RPC) vulnerability, which was patched by the software giant in an emergency release in October. Attempts to attack the Microsoft RPC vulnerability rank No. 5 among all threats globally, according to data released at Conficker's peak in January by TippingPoint's DVLabs IPS filters. It has been well behind the MS-SQL Slammer/Sapphire worm, which was picked up globally more than 32 million times in TippingPoint's honeypots.
Security researchers have been studying ways to detect and destroy the worm. A team from the non-profit Honeynet Project released a network scanning tool on Monday that can remotely detect Conficker-infected hosts on a network. IBM released a signature for users of its intrusion detection systems last week that detects network anomalies caused by the worm's peer-to-peer communications and traces them back to a machine's network IP address.
"This is a passive scan," said IBM's Stewart. "Our researchers have found a way to crack the code and pick up peer-to-peer chatter on networks."
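As an added illustration of the defensive side of the story above (this is not the Honeynet Project's scanner, IBM's signature, or any Conficker Working Group code), the script below shows one way a network team can spot hosts that resolve hundreds of machine-generated rendezvous domains per day: it reads resolver logs and flags clients with many distinct NXDOMAIN answers for random-looking names. The log format, thresholds and sample lines are all constructed assumptions.

```python
import math
from collections import defaultdict

# Constructed sample resolver log (not real data). Assumed line format:
# "<timestamp> <client_ip> <queried_name> <rcode>"
SAMPLE_LOG = """\
2009-04-01T00:00:01 10.0.0.5 qtqzrjc.org NXDOMAIN
2009-04-01T00:00:02 10.0.0.5 wpyevkla.net NXDOMAIN
2009-04-01T00:00:03 10.0.0.5 bmzroqx.com NXDOMAIN
2009-04-01T00:00:04 10.0.0.5 kxfuhdsyv.info NXDOMAIN
2009-04-01T00:00:05 10.0.0.5 rzplmgo.biz NXDOMAIN
2009-04-01T00:00:06 10.0.0.5 yvcwqtkpa.org NXDOMAIN
2009-04-01T00:00:07 10.0.0.5 example.com NOERROR
2009-04-01T00:00:08 10.0.0.7 example.com NOERROR
2009-04-01T00:00:09 10.0.0.7 mail.example.org NOERROR
2009-04-01T00:00:10 10.0.0.7 typo-exmaple.com NXDOMAIN
"""

def parse_dns_log(text):
    """Yield (client_ip, name, rcode) for each well-formed log line."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4:
            _, client, name, rcode = parts
            yield client, name.lower(), rcode.upper()

def label_entropy(name):
    """Shannon entropy (bits/char) of the leftmost label; random labels score high."""
    label = name.split(".")[0]
    if not label:
        return 0.0
    counts = defaultdict(int)
    for ch in label:
        counts[ch] += 1
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def flag_dga_hosts(records, min_nx=5, min_nx_ratio=0.7):
    """Return {client_ip: stats} for hosts whose distinct NXDOMAIN count and
    NXDOMAIN ratio both exceed the (assumed) thresholds; tune per network."""
    per_host = defaultdict(lambda: {"queries": 0, "nx": set(), "ent": 0.0})
    for client, name, rcode in records:
        h = per_host[client]
        h["queries"] += 1
        if rcode == "NXDOMAIN":
            h["nx"].add(name)
            h["ent"] += label_entropy(name)
    flagged = {}
    for client, h in per_host.items():
        nx, ratio = len(h["nx"]), len(h["nx"]) / h["queries"]
        if nx >= min_nx and ratio >= min_nx_ratio:
            flagged[client] = {"nxdomain": nx, "queries": h["queries"],
                               "nx_ratio": round(ratio, 2),
                               "mean_entropy": round(h["ent"] / nx, 2)}
    return flagged
```

Hosts that trip the rule are candidates for host inspection, not proof of infection; a few NXDOMAINs from typos (like 10.0.0.7 above) stay below the thresholds.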