Group IDs hotbeds of Conficker worm outbreaks

Internet service providers in Russia and Ukraine are home to some of the highest concentrations of customers whose machines are infected with the Conficker worm, new data suggests.

The report comes from the Shadowserver Foundation, a nonprofit that tracks global botnet infections. Shadowserver tracks networks and nations most impacted by Conficker, a computer worm that has infected more than 7 million Microsoft Windows PCs since it first surfaced last November.

"Conficker has managed to infect, and maintain infections on more systems than any other malicious vector that has been seen before now," Shadowserver stated on its Web site.

Shadowserver's numbers indicate that the largest numbers of Conficker-infested PCs are in the East, more specifically China, India and Vietnam. For example, Chinanet, among the nation's largest ISPs, has about 92 million routable Internet addresses, and roughly 950,000 -- or about 1 percent of those addresses -- appear to be sickened with Conficker.

Security Fix decided to use the group's data in a slightly different way, to showcase the concentration of Conficker victims as viewed against the total number of each ISP's customers. Viewed this way, Russian and Ukrainian ISPs have the highest concentration of customers with Conficker-infected systems (see the chart below, based on Shadowserver's own data).

[Chart: concentration of Conficker-infected customers by ISP, based on Shadowserver data]

Shadowserver is but one member of the larger Conficker Working Group, a collaborative effort comprising security experts, anti-virus and software vendors, and infrastructure providers, which sprang up shortly after it became clear that the worm was well on its way to becoming a massive weapon in the hands of its criminal creators.

Despite the group's best efforts, whoever is responsible for releasing Conficker remains at large. Compounding the cleanup effort is the fact that the worm really hasn't done anything overtly malicious other than spread quite virulently.

"Given any large number of infected systems, remediation becomes a very difficult task, and even harder to justify when the infection does nothing," Shadowserver said.

Shadowserver said its statistics were "not intended to shame, or embarrass any company or organization, but simply illustrate the depth and extent of how Conficker truly affects a worldwide scope of providers." Then again, shaming may be exactly what is needed for ISPs that are seeing anywhere from 10 percent to 27 percent of the customer base infected with Conficker.

Obviously, a big part of fixing a problem is knowing that you have one in the first place. To that end, Shadowserver offers all ISPs and Web hosting providers free daily feeds that can alert network providers to new bot infections on their networks.

By Brian Krebs  |  December 16, 2009; 8:00 AM ET
Categories:  From the Bunker  | Tags: conficker worm, shadowserver  

Comments

I'm surprised at the claim about Vietnam. They were supposed to be working on their own Linux which would ultimately make them immune to such nonsense. Running Windows when you have a choice is bonkers.

Posted by: Rixstep | December 16, 2009 1:22 PM | Report abuse

I used to report sites infected with malware to ISPs. The response was discouraging to say the least, especially from US sites.
I'd be lucky just to get an automated acknowledgment of receipt. I got better response from Russian, German and Argentine ISPs in English!

I see Shadowserver 'collaborates with relevant law enforcement agencies'. They have a nice logo. I've noticed other organisations that 'work closely with the FBI'.
Do you get to wear a badge if you work for one of these organisations? Or wear a uniform?
I wasn't really aware that US law enforcement had jurisdiction in Ukraine, Russia, China, Romania etc.

It would be interesting if Shadowserver Foundation would give stats on their takedown/reporting ratio.
They did mention that a botnet operator was arrested in California back in 2005. Maybe if we could get all botnet operators to move to California we could make some progress.

Of course none of these groups 'report' to law enforcement until they have 'gathered' enough evidence. It appears our law enforcement needs to be force fed reams of evidence to tell that a government agency like the CDC for example is not located in Argentina or referenced by a domain name registered in Belgium.
How does my browser know so quickly?

I guess it is a good thing that the health industry doesn't deal with biological viruses the way governments deal with computer viruses.

Posted by: TheGeezer | December 16, 2009 11:41 PM | Report abuse

Thanks for this interesting article, Brian, and kudos to the ShadowServer Foundation for the work it is doing (when helping users of Windows OS choose an antivirus provider, I always keep in mind ShadowServer's virus stats)! Computers running operating systems that are notoriously vulnerable to attack are the preferred hosts for malware (including, not least, spam); until the present market situation with respect to OS undergoes a significant change, I suspect we shall have to continue living with a malware situation that is anything but bright....

Henri

Posted by: mhenriday | December 17, 2009 11:31 AM | Report abuse

Then again, shaming may be exactly what is needed for ISPs that are seeing anywhere from 10 percent to 27 percent of the customer base infected with Conficker.

Obviously, a big part of fixing a problem is knowing that you have one in the first place. To that end, Shadowserver offers all ISPs and Web hosting providers free daily feeds that can alert network providers to new bot infections on their networks.
-------------------------------------
OK, let's see who shames who now.

Posted by: brucerealtor@gmail.com | December 18, 2009 1:56 AM | Report abuse

Under the category of wishful thinking "Maybe they will end up robbing each other blind."

Cybercrime Fighter
www.guidemarksecurity.com

Posted by: fchaffin | December 18, 2009 6:42 PM | Report abuse

I could be wrong but it seems like the majority of the countries affected by the Conficker Worm are also those with the highest incidence of use regarding illegal copies of MS operating systems.

Posted by: Hoku1 | December 18, 2009 7:01 PM | Report abuse


© 2010 The Washington Post Company