Asia, Europe, S. America Biggest Conficker Targets

It's still not clear what, if anything, millions of Microsoft Windows systems infected with the much-hyped Conficker worm will do in the next 12 hours, when the systems are expected to seek out new instructions from the worm's author(s). If anything significant does happen, however, it will disproportionately affect PCs and networks in Asia, Europe and South America, and comparatively few systems in North America, new research suggests.

Researchers at IBM's Internet Security Systems say they found a way to decode the encryption that masks the data shared by peer-to-peer communications software planted on all systems infected by Conficker.C. As a result, ISS has been able to begin charting the location of infected systems across the globe.

According to ISS, only 6 percent of the known infections are located in North America as a whole, so the U.S. share is smaller still. In contrast, nearly 45 percent of infections are in Asia, while Europe accounts for 32 percent of infected systems. PCs in South America make up about 14 percent of the Conficker.C botnet, the researchers estimate.

In parts of the world, Conficker.C systems are already polling a random 500 out of some 50,000 pseudo-random domain names in search of software updates or new instructions from the worm's author(s). Security Fix will have additional updates as more information becomes available about what the Conficker botnet is doing.

The P2P communications method is a new feature not present in the first two versions of the Conficker worm, and it may serve as a backup mechanism by which the worm authors update infected systems, should the security community succeed in its efforts to prevent the registration of those 50,000 domains (the list of Web site names changes daily).
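The daily rendezvous pattern described above (a random 500 of some 50,000 generated names, almost all unregistered) leaves a distinctive trace in resolver logs: one host producing hundreds of distinct NXDOMAIN answers per day. The detector below is an added example, not code from the article or from ISS; the log line format, the sample data and the threshold are assumptions, and it does not reproduce Conficker's name-generation algorithm.

```python
"""Flag clients whose daily count of distinct NXDOMAIN names looks like
rendezvous-domain polling.  Assumed log format (constructed for this example):
"<ISO-timestamp> <client-ip> <qname> <rcode>", one query per line."""
from collections import defaultdict

# Assumed threshold: well below the ~500 daily probes the article describes,
# but far above what a normal workstation produces from typos and stale links.
NXDOMAIN_PER_DAY_THRESHOLD = 100


def parse_line(line):
    """Split one log line into (day, client, normalised qname, rcode)."""
    ts, client, qname, rcode = line.split()
    return ts[:10], client, qname.lower().rstrip("."), rcode


def nxdomain_profile(lines):
    """Map (day, client) -> set of distinct names that returned NXDOMAIN.
    Distinct names matter: a host retrying one dead name is not polling."""
    profile = defaultdict(set)
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        day, client, qname, rcode = parse_line(line)
        if rcode == "NXDOMAIN":
            profile[(day, client)].add(qname)
    return profile


def suspicious_clients(lines, threshold=NXDOMAIN_PER_DAY_THRESHOLD):
    """Clients whose distinct-NXDOMAIN count reaches the threshold on any day."""
    return sorted({client for (day, client), names in nxdomain_profile(lines).items()
                   if len(names) >= threshold})


def build_sample_log():
    """Constructed sample: 10.1.1.7 probes 120 unique unregistered names in a
    day; 10.1.1.9 makes one typo and retries it (counted once)."""
    lines = [f"2009-03-31T{i // 60:02d}:{i % 60:02d}:00 10.1.1.7 probe{i:04d}.test NXDOMAIN"
             for i in range(120)]
    lines += ["2009-03-31T09:00:00 10.1.1.9 www.example.org NOERROR",
              "2009-03-31T09:00:05 10.1.1.9 typo.exmaple.org NXDOMAIN",
              "2009-03-31T09:00:07 10.1.1.9 typo.exmaple.org NXDOMAIN"]
    return lines


if __name__ == "__main__":
    print("suspicious:", suspicious_clients(build_sample_log()))
```

A threshold on distinct NXDOMAIN names also fires on misconfigured hosts and some legitimate software, so treat a hit as a lead to confirm on the host rather than a verdict. The P2P channel the article mentions does not show up in DNS logs at all, so a quiet resolver log does not clear a Conficker.C host.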

For the past several months, the so-called "Conficker Cabal" -- a group of security researchers, academics and policy makers -- has banded together to prevent infected systems from downloading additional components or instructions. So far, nobody has observed spam or any other typical cyber crime activity emanating from Conficker-infected systems. To date, the hope has been that this is because the Cabal has succeeded in preventing Conficker A & B systems not only from downloading software updates, but also from updating themselves to the latest version of Conficker, which includes the P2P communications capability. Only machines infected with Conficker.C are in danger as part of the April 1 threat.

Holly Stewart, threat response manager for X-Force, ISS's research arm, said the company isn't ready to release estimates of the number of systems infected with Conficker.C because it is still gathering data on that front (researchers have estimated that at least 12 million PCs have been infected with the first two versions of the worm). But she said there are signs that at least some percentage of Conficker A & B systems were successfully updated to this latest version.

"Conficker A & B versions used any method they could to spread to as many machines as fast as possible, but we're not seeing much activity at all from those systems anymore," Stewart said. Conficker.C systems don't appear to be spreading either, Stewart said, but they are quite chatty with one another via the P2P mechanism.

"For now [the Conficker.C botnet] is just holding the fort and keeping the lines of communications open," Stewart said.

By Brian Krebs  |  March 31, 2009; 4:50 PM ET
Categories:  Fraud  

Comments

Typical Obama Administration neglect of cyber security........

Posted by: JaxMax | March 31, 2009 5:24 PM

DHS Releases Conficker Worm Detection
March 30, 2009 by ADMIN ·
From DHS.com
Release Date: March 30, 2009
For Immediate Release
Office of the Press Secretary
Contact: 202-282-8010
The U.S. Department of Homeland Security (DHS) announced today the release of a DHS-developed detection tool that can be used by the federal government, commercial vendors, state and local governments, and critical infrastructure owners and operators to scan their networks for the Conficker/Downadup computer worm.

http://information-security-resources.com/2009/03/30/dhs-releases-conficker-worm-detection/

Posted by: Absolute_0-K | March 31, 2009 5:38 PM

Could JaxMax elaborate on what he means by saying this is "typical Obama Administration neglect of cyber security." The article says nothing about the government's role, or non-role, in this business. So where is the link that JaxMax alleges? And even if there is a link between this worm and Obama administration security policy, how is this a "typical" case? JaxMax may be right, but he has to demonstrate what he means and back it up with some evidence. Or is this another "faith-based initiative" where evidence, analysis, and reality don't matter. I thought we left those days when we ousted the Bush people.

Posted by: orray | March 31, 2009 5:39 PM

Since Conficker was around before Obama was sworn in, W & Cheney must be the worm's authors... :P

Posted by: ohalvey | March 31, 2009 5:39 PM

Just like with other bugs, the damn Ruskies are promoting their youth to hack into anything in the West.

Posted by: mortified469 | March 31, 2009 5:52 PM

DUH - this was around pre-Obama. I do doubt if Bush authored it though since he didn't know the first thing about computers. ;-)

Posted by: seaduck2001 | March 31, 2009 6:05 PM

Bitdefender has a removal toolz.

Posted by: pca6661 | March 31, 2009 6:11 PM

please PC users, don't buy macs

they're horrible computers!

Posted by: lichtme | March 31, 2009 6:49 PM

Hey, in addition to what lichme wrote, let me add:
please PC users, do not employ Linux
it is a horrible operating system!
ha, ha!

Posted by: skata3 | March 31, 2009 7:13 PM

Posted by: orray | March 31, 2009 5:39 PM
"Could JaxMax elaborate on what he means by saying this is "typical Obama Administration neglect of cyber security." The article says nothing about the government's role, or non-role, in this business. So where is the link that JaxMax alleges?"
==
Orray, I'm going to say something very unladylike here because I've been reading comments on these boards for years.
JayMax is a typical neo-con supporter.
He views his role on these boards to be as nasty and negative toward the current administration as he can, obviously in order to disparage at all times.
The truth is, JayMax couldn't find his butt in the bathroom with all the lights on and a flashlight in hand.
He has no credibility.
Ignore him.

Posted by: Judy-in-TX | March 31, 2009 7:25 PM

Linux is not affected by Conficker, thank god all our critical systems were not on Windows...and we got to enjoy the term unbreakable.....

Posted by: speterson3 | March 31, 2009 7:54 PM

Macs are too scary for dorks anyway. You guys are better off getting worms.

Posted by: nmoses | March 31, 2009 8:03 PM

Given that this worm existed pre-Obama and it's a certainty that Bush could not have authored anything beyond a kindergarten skill level, this may have been written by a disgruntled high school student looking to get even with the "failed educational system", or...

The point is that nobody knows anything yet, so finger pointing is a complete waste of time. In spite of the Republicans having made themselves such easy targets for suspicion, this worm is too complex, too subtle, and its failure to instantly relieve you of your checking and savings accounts just demonstrates that it is far too complicated to be a Republican plot. There is something more insidious at work here, and it goes far beyond our pitiful American political influences.

Posted by: Jammer2 | March 31, 2009 8:40 PM

Quick question for Brian: Do you check the legitimacy of websites posted by your guests? Perhaps I'm missing something, but Absolute_O-K posted a link that claims to be from a DHS site that scans for Conficker. Yet, it's a DHS.com site. Gov't sites typically end in .gov, at least for everyone except Joe Biden. (Cheap shot, sorry.)

Posted by: AnonymousEric | March 31, 2009 8:50 PM

@anonymous -- i think that poster was just confused. the link takes you to some news aggregator page, which links to a dhs.gov page.

Posted by: BTKrebs | March 31, 2009 9:08 PM

yep, this is obama's fault.
get real.

if this is obama's fault, 9/11/01 is bush's fault, as is the poor economy we have today.

i guess if we have bad weather within president obama's first 200 days, it's his fault.
lol

sorry mccain/palin lost.
get over it.
please
lol

Posted by: kedavis | March 31, 2009 11:53 PM

Is this a typical political/geographical distribution for malware infection? One would think, for instance, that the extensive use of Firefox in Europe would cut down on infections. Are Americans finally getting wise about protecting our machines?
If so, Bravo!

Posted by: featheredge9 | April 1, 2009 1:18 AM

Once again the planet is crippled by software Bill Joy said should never have been allowed on the Internet. And you running Windows are creating distractions and disturbances even for us. There goes the neighbourhood. Again.

Posted by: Rixstep | April 1, 2009 1:24 AM

http://information-security-resources.com/2009/03/30/dhs-releases-conficker-worm-detection/

Error Establishing Database Connection Message appears for the captioned link.

Posted by: brucerealtor@gmail.com | April 1, 2009 2:38 AM

It is now April 1, 2009 ...

>>> O Conflicker, Where Art Thou Sting? <<<

Are you nothing more than the Y2K meme, appearing to the Fearful wearing a different mask?

Posted by: db16 | April 1, 2009 6:05 AM

This computer worm is all about the government's plot for "change." Change in this sense means dismantling the old systems, infecting and destroying them by vandalism if they must, and leaving individuals and small businesses incapacitated to respond. In this way everyone becomes dependent on big brother government. It's their way or the highway, got it? Time to start rationing your food supplies, folks.

Posted by: ttj1 | April 1, 2009 8:27 AM

People. Go to the official DHS web site:

http://www.dhs.gov/ynews/releases/pr_1238443907751.shtm

Lesson of the day: when in doubt about a web site, type in the URL on your own and investigate the legitimacy of the link or information.

Posted by: CB12 | April 1, 2009 10:19 AM

Screw Linux, screw Mac, what fun is it if an OS doesn't get virus?
Microsoft, please don't patch your stinky Swiss Cheese!!

Posted by: sayNo2MS | April 1, 2009 10:32 AM

Wow ttj1, that has to be one of the most paranoid posts I've ever seen. You'd better sign off the internet altogether, lest big brother see what you're up to.

While you're at it, grab your freeze-dried food and your guns and run to your cabin in the woods...armageddon is coming!!!
-----
Anyway, glad to see US consumers have at least begun to wise up to some threats. Unfortunately, I'd wager the only reason for this is because of the worm's publicity. Anything Brian normally keeps us up to date on will not get the type of coverage Conficker has. Without that, the general public's machines will yet again go without their critical updates and the lesser viruses will proliferate as they always have.

Posted by: hokiealumnus | April 1, 2009 10:33 AM

Oh - and the two technicians I spoke with the first four hours said it was "impossible" for my computer to have been infected. After paying the $260 the next technician said it was impossible for it NOT to be a virus...LOL!

I run all updates the day they are released as well as OneCare...yet the technicians stated they know nothing about OneCare (They used to do the "Blame the other guy" when I ran Norton, so I switched to OneCare so they couldn't...yet they still do!).

Posted by: Sadler | April 1, 2009 11:54 AM

Looks like my first post was too long for automatic approval...so you are reading the second one (above) first!

Posted by: Sadler | April 1, 2009 12:01 PM

ttj1 posted on April 1 -- need I say more?

Posted by: jamshark70 | April 3, 2009 8:15 AM

© 2010 The Washington Post Company