From the ‘aren’t we done yet with Conficker?’ files:
Yesterday I wrote about the latest variant of Conficker. Additional details on the new variant have emerged that indicate that the worm is now using its infected hosts to send spam email.
The new Conficker worm (also known as Kido) downloaded scareware, a fake antivirus application offer, onto infected users’ PCs. It also downloaded the Waledac spam worm, also known as Email-Worm.Win32.Iksmas.atz.
“Over a 12-hour period, Iksmas connected to its control centers around the globe a number of times and received commands to send out spam mailings. In just 12 hours, one bot alone sent out 42,298 spam messages,” Aleks Gostev, head of Kaspersky Lab’s Global Research and Analysis Team, said in a statement.
Gostev noted that Kaspersky detected over 40,000 domains being used as part of the spam attack, with most of the sites located in China.
“A simple calculation shows that one Iksmas bot sends out around 80 000 emails in 24 hours,” Gostev commented. “Assuming that there are 5 million infected machines out there, the botnet could send out about 400 billion spam messages over a 24-hour period!”
That sure is a lot of spam. In my opinion, there are a few assumptions in Gostev’s analysis of the total spam volume. It assumes that the bot wouldn’t be detected or blocked over the course of the 24-hour period. That’s the trouble with bots: dormant, they can be difficult to detect. But once they start doing stuff, it’s not that hard to see the anomalous activity.
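The kind of anomalous activity described above can be picked out of network flow data. The following is an added example, not from the original post or from Kaspersky: it flags internal hosts that are not sanctioned mail relays and that open many outbound SMTP connections to many distinct servers within one minute. The flow tuple layout, the thresholds, the addresses and the function names are assumptions, and the sample records are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

SMTP_PORT = 25

def find_smtp_talkers(flows, relays, window=timedelta(minutes=1),
                      max_conns=30, max_dests=10):
    """Return {src_ip: first_alert_time} for hosts that are not sanctioned
    relays and exceed both limits inside one sliding window.

    flows: iterable of (timestamp, src_ip, dst_ip, dst_port), sorted by time.
    The limits are assumed values. For scale, 42,298 messages in 12 hours is
    roughly 59 per minute if each message used its own connection.
    """
    recent = defaultdict(deque)   # src_ip -> deque of (timestamp, dst_ip)
    alerts = {}
    for ts, src, dst, port in flows:
        if port != SMTP_PORT or src in relays or src in alerts:
            continue
        q = recent[src]
        q.append((ts, dst))
        # Drop connections that have aged out of the window.
        while q and ts - q[0][0] > window:
            q.popleft()
        if len(q) > max_conns and len({d for _, d in q}) > max_dests:
            alerts[src] = ts
    return alerts

def sample_flows():
    """Constructed flow records, not captured traffic."""
    t0 = datetime(2000, 1, 1, 9, 0, 0)
    flows = []
    for i in range(120):
        ts = t0 + timedelta(seconds=i)
        # Workstation contacting a different mail server every second.
        flows.append((ts, "10.0.0.23", f"203.0.113.{i % 200 + 1}", 25))
        # Sanctioned relay: just as busy, but allowlisted by the caller.
        flows.append((ts, "10.0.0.5", f"198.51.100.{i % 50 + 1}", 25))
    # Workstation with a handful of SMTP connections and some web traffic.
    for i in range(3):
        ts = t0 + timedelta(seconds=20 * i)
        flows.append((ts, "10.0.0.40", "192.0.2.10", 25))
        flows.append((ts, "10.0.0.40", "192.0.2.80", 443))
    return sorted(flows)

if __name__ == "__main__":
    found = find_smtp_talkers(sample_flows(), relays={"10.0.0.5"})
    for host, ts in found.items():
        print(f"{ts.isoformat()} {host} exceeds outbound SMTP limits")
```

Requiring both a connection count and a distinct-destination count keeps a client that talks steadily to a single mail server from being flagged.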