Conficker.c infects small number of U.S. PCs, IBM says
Asia, Europe account for 76% of all Conficker.c infections, but worm's P2P chatter climbs as April 1 nears
Computerworld - Conficker.c may be in headlines around the world, but most of the infected PCs are in Asia and Europe, with fewer than 6% of the total in North America, a security company said today.
Using an analysis of the worm's peer-to-peer communications scheme, IBM Internet Security System's X-Force team figured out last week how to detect machines plagued with the newest variant of Conficker, then mined that data to put a face on its geographic distribution.
"A lot of people have been reporting on infections that they've seen, but we really hadn't seen who was infected now," said Holly Stewart, X-Force's threat response manager.
As of Monday, 45% of the Conficker.c-infected computers were traced to Asian IP addresses, while another 31% were pegged to European addresses. South America accounted for 14% of the total, and just 5.8% of the infected PCs were using IP addresses associated with North America, Stewart said.
The dominance of Asia on the roll call of infected regions isn't surprising. Last Friday, Nguyen Tu Quang, chief technology officer at Bach Khoa Internetwork Security (BKIS), which is housed at the Hanoi University of Technology, said that all fingers point to China. "It is almost certain that Conficker has Chinese origins," Nguyen said in an e-mail.
Conficker.c has received a massive amount of attention, especially in the last week, as tomorrow approaches. The third variant, which researchers first spotted earlier this month, will be able to switch to a new method of getting orders starting April 1.
Earlier versions of the worm generated a list of 250 possible domains each day that the malware could use to route instructions from its controllers, but Conficker.c cranks out a list of 50,000 Web addresses daily. Most researchers believe that's a direct response to work begun last month by the so-called Conficker Cabal -- officially known as the Conficker Working Group -- an ad hoc consortium of researchers and companies that have tried to disrupt the worm's "phone home" ability by registering as many of the daily domains as possible.
"Conficker.c makes it really hard for researchers to crack the communications code," Stewart said, referring to the worm's beefed-up peer-to-peer skills, which some believe were added as a fail-safe link to the headquarters of the hackers who created the worm if the domain routing system was compromised. Conficker.c has been using its peer-to-peer communication connection since it debuted.
"If you looked at the simple information on the wire, it might be mistaken for VPN traffic," Stewart added. "But our researchers cracked the way that they were using peer-to-peer." Using that information, X-Force has been able to sniff out Conficker.c-infected machines by detecting the worm's "fingerprint" in the traffic it monitors coming in to and going out of its customers' networks.
- Conficker's makers lose big, expert says
- Conficker activation passes quietly, but threat isn't over
- FAQ: Just the facts on Conficker
- Security managers concerned but confident about Conficker on eve of expected attack
- IBM: Conficker.c infects small number in U.S.
- Security software scammers riding on Conficker's coattails
- Researchers exploit Conficker flaw to find infected PCs
- Conficker's next move a mystery to researchers
- Virtually Delivered High Performance 3D Graphics "A picture is worth a thousand words." That old phrase is as true today as it ever was. Pictures (i.e., those with heavy...
- Who does NSS Labs "Recommend" for NGFW? In 2012, NSS Labs found that most available NGFW solutions "fell short in performance and security effectiveness." In 2013 NSS Labs noted "marked...
- CIOs Deliver Productivity Breakthroughs with Intelligent Digital Signage Retailers have long recognized the influence that digital signage provides over a shopper's point-of-purchase decision making process.
- Improving Business Value of WAN Optimization Want to achieve faster ROI with WAN optimization? Read the latest IDC report and discover how you can cut IT costs without compromising...
- Live Webcast IBM FlashSystem V840: Leveraging Software-Defined Flash to Drive Your Business With end-to-end, tightly integrated functionality and super-fast flash technology, products like IBM FlashSystem V840 Enterprise Performance Solution empower businesses to leverage the efficiency...
- What should I look for in a Next Generation Firewall? SANS Provides Guidance With so many vendors claiming to have a Next Generation Firewall (NGFW), it can be difficult to tell what makes each one different....
- IBM FlashSystem V840: Leveraging Software-Defined Flash to Drive Your Business With end-to-end, tightly integrated functionality and super-fast flash technology, products like IBM FlashSystem V840 Enterprise Performance Solution empower businesses to leverage the efficiency... All Networking White Papers | Webcasts
Our new bimonthly Internet of Things newsletter helps you keep pace with the rapidly evolving technologies, trends and developments related to the IoT. Subscribe now and stay up to date!