
Conficker-infected machines now number 7 million, Shadowserver finds

By Robert Westervelt, News Editor
17 Dec 2009 | SearchSecurity.com


An organization that monitors the size and scope of botnet activity estimates that 7 million machines remain infected with the Conficker/Downadup worm, making up a zombie army awaiting orders from the cybercriminals behind the massive Conficker botnet.

Security experts say the good news is that the Conficker bots are still being closely monitored to detect any signs of activity. Despite the botnet's size, it would be difficult for anyone to use it to make money, or to break it up and rent portions out, without being detected, said Mikko Hyppönen, chief research officer at F-Secure Corp. Hyppönen said those behind Conficker would be safer abandoning it altogether; otherwise they risk being caught by law enforcement eager to follow a money trail.

"Conficker was unique in many ways and the biggest mystery around Conficker is why?" Hyppönen said. "The most logical explanation is that Conficker got too big and too noisy. It attracted too much attention."

The Shadowserver Foundation, which is monitoring Autonomous System Numbers -- IP addresses pooled by network operators -- listed the top 500 that contained IP addresses identified as Conficker-infected machines. The largest number of Conficker-infected PCs are in China and other Asian countries. Russian and Ukrainian domains also accounted for a large number of Conficker IP addresses, followed by domains in Brazil and Romania -- locations where software piracy is very high and pirated Microsoft Windows systems fail to receive important security patches.

"There are over 12,000 ASN's that daily have Conficker IP's in their network space," Shadowserver said in its report. "Conficker has managed to infect, and maintain infections on more systems than any other malicious vector that has been seen before now."

The organization participates in the Conficker Working Group, made up of security researchers, domain experts, registrars and ISPs, which coordinates defenses against the worm and works to stop cybercriminals from sending any orders to infected machines. At its peak in January, Conficker was estimated to have infected some 10 million computers, and security experts suggested it could be used in a massive denial-of-service (DoS) attack or simply be rented out to spammers and cybercriminals to spread more malware and harvest credit card information, bank account credentials and other sensitive data.

But Conficker may have been a victim of its own success, said Vincent Weafer, vice president of Symantec Security Response. In a recent interview, Weafer said the botnet may never be used.

"It spread far too quickly and that's not how any cybercriminal wants to conduct their activities," Weafer said. "They want to remain under the radar for as long as possible to make money without being detected."

Shadowserver said the goal of its Conficker report is to illustrate the extent of Conficker infections and how they affect ISPs. Security experts have grappled with the fact that they could identify the unique IP addresses of infected computers and wipe those machines clean, but legal ramifications and privacy issues prevent the activity.

"We would most definitely be sued if we did that," Hyppönen said.

Meanwhile, investigators are trying to track down those responsible for Conficker/Downadup. Most security experts agree that the cybercriminals may never be found. The fact that the botnet has remained unused leaves few clues. There is no money trail that law enforcement can trace back to the authors.
