RealTime IT News

Conficker: Millions Hit, 300,000 Domains Blocked

Conficker AKA Downadup AKA April Fool's Worm
With just hours to go before the widespread Conficker worm is expected to activate, researchers say they're relying on new efforts to help mitigate the risk and detect the worm itself.

And not a moment too soon. The worm, which is also known as Downadup, Kido, Confick and the April Fool's Day worm, is creating a vast botnet with an as-yet-unknown purpose. One of the few facts researchers know about the worm is that it's designed to begin seeking out new orders from its creators on April 1.

Technology vendors are actively doing what they can to ensure that the worm is detected and blocked -- a massive undertaking that's yielded some staggering statistics as the industry locks down botnet-controlled domains and hunts infected PCs.

"We have blocked over 300,000 names so far in the domains that we support," Heather Read, senior director for communications at top-level domain (TLD) operator Afilias, told InternetNews.com. "We expect that, over the course of the year, this number will be significantly more, likely in excess of one million names."

Afilias is a member of the Conficker Working Group, which brings together TLD operators, industry leaders like Microsoft and ICANN, and security researchers.

Involving members of the domain community like Afilias, which currently supports 15 TLDs including .org, could be critical to helping stop the spread of Conficker. The latest variants of the worm use randomly registered domains as part of their command-and-control network.

"The belief is that if we prevent the registration of these domains, we will deprive Conficker's creators of Internet resources that they could potentially use to control and update the botnet," Read said.

How many infections?

Aside from its domain-based command-and-control network, Conficker at its most basic level is a Windows PC-based worm that affects consumer desktops. And given the sheer number of Conficker-controlled domains, it's no surprise that plenty of systems have been hijacked.

According to Jeffrey Shipley, manager of intelligence collection and analysis at Cisco Security Research and Operations, Conficker's infection rates are relatively low in the U.S. but higher elsewhere.

Shipley told InternetNews.com that the Conficker.C worm has infected about 10 million Windows-based computers in 150 countries, with China's level of infection estimated at 3 million, Brazil at 1 million and Russia at 800,000. In the United States, researchers suspect about 200,000 computers have been infected.

"While most enterprise customers have seen low infection levels, certain customers have seen more significant issues," Shipley said. "In particular, environments with loosely managed computers have been hard hit. Examples include hospital environments in which computers are unpatched for extended periods, and technologies such as IPS and CSA [Cisco Security Agent, an endpoint security and antivirus solution] may not have been deployed."

Scanning for Conficker

Like the worm itself, identifying Conficker is an evolving task, researchers say. For the most part, until today, Conficker infections have been detected by local users who update their PCs and run antivirus software.

As of today, however, researchers have developed new remote scanning technologies that can identify whether Conficker is running on a particular network. Nessus, nmap, McAfee and Qualys are among the tools and vendors deploying the technology, thanks in part to an effort led by the Honeynet Project, a nonprofit security research effort.
