Downadup/Conficker One Year Later

admin

This week is the one-year anniversary of the Downadup/Conficker threat’s April 1, 2009 “trigger” date. Although Conficker did not turn into a widespread threat or cause the significant damage it had the potential to inflict, one year later we know that those behind Downadup/Conficker still potentially have the keys to some 6.5 million infected computers. These computers have not been fixed by their owners, leaving them open to be victimized at any time by cybercriminals.

While 6.5 million infected computers remain wide open to further attack, they are monitored very closely by law enforcement and by members of the Conficker Working Group. Should the criminal(s) attempt to use them, the alarm will sound. For the criminals holding the keys, too much attention may be a turn off and it will likely prevent them from carrying out their original malicious plans.

So, are we out of the woods in terms of Downadup/Conficker?

Probably not. Downadup/Conficker may not be the biggest known botnet on the block, but it still has the potential to do serious harm. Industry groups and law enforcement are being vigilant, but the 6.5 million infected PCs are very much like a loaded gun, waiting to go off.

Here’s what we know today:
• Approximately 6.5 million systems are still infected with either the .A or .B variants.
• The .C variant, which used a peer-to-peer method of propagating, has been slowly dying out over the past year. From a high of nearly 1.5 million infections in April of 2009, the infection rate has steadily decreased to between 210,000 and 220,000 infections. This indicates some computer users are fixing the issue and getting rid of the infection.
• Symantec also observed another variant, .E, released on April 8, 2009, but this variant deleted itself from infected systems on or after May 3, 2009.
• Thus far, the machines still infected with Downadup/Conficker have not been utilized for any significant criminal activity, but with an army of nearly 6.5 million computers strong, the threat remains a viable one.

Symantec has put together the following video highlighting the evolution of Downadup/Conficker to help give computer users background on the threat and information about where it is today:

Orla Cox, Security Operations Manager at Symantec Security Response

Conficker Continues To Spread

admin

The spread of Conficker/Downadup since February

Well, much of the media hype seems to have died down around Conficker/Downadup, but it is still out there spreading far and wide. In fact, the Symantec threat intelligence team estimates that 50,000 PCs a day are being attacked right now. However, just to clarify, this isn’t necessarily a cumulative total because it doesn’t take into account machines which don’t get cleaned up and get repeatedly infected.

This is a heat map of the spread of Conficker since February and as you can see the US, Brazil and India top the charts.

The Worm Turns?

Guy Bunker

A new sample of Conficker (Downadup) has been found on one of our honeypot machines. (These are part of our Global Intelligence Network, which operates in 200 countries, gathering details and statistics on malware.) The new sample has reintroduced one of the exploit vectors (MS08-067) and also appears to be connected to another piece of malware (W32.Waledac), a very active spambot.

W32.Waledac steals sensitive information, turns computers into spam zombies, and establishes back door remote access. Symantec products already provide antivirus and IPS protection for Waledac.

Perhaps most interestingly, there is also a ‘kill’ component – whereby it looks like the worm will remove itself from infected hosts on May 3rd 2009. Does this mean that there will be a new variant by then, or will its true purpose have been revealed by then?

April 1st… Meltdown or Joke?

Guy Bunker

So, tomorrow is the big day – what will Conficker do? Will it be like Y2K, where there was a thought that the Internet was going to melt down but it ultimately turned into ‘just another day’… or will Conficker (aka Downadup and Kido) bring the Internet to a standstill? Of course, the answer is that we will have to wait.

We do know that the latest incarnation, Conficker-C, will ‘change’ tomorrow: it will harden itself against security updates and OS patches, and the number of servers it will reach out to will increase from hundreds to thousands, but as to what it will download… who knows. With millions of machines around the world infected it could be used for a massive denial of service attack, or perhaps a spam / phishing one.
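A worm that reaches out to thousands of rendezvous domains a day leaves a visible trace in DNS logs: one client querying an unusually large number of distinct names, most of which were never registered and so come back NXDOMAIN. The following script is an added example written for this page, not Symantec’s code or any part of the worm; the log format, the thresholds (200 distinct domains, 80% NXDOMAIN) and the sample records are all constructed assumptions, and the pseudo-random names it generates are not Conficker’s actual domains.

```python
import random
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed log format (assumption), one query per line:
#   <timestamp> <client_ip> <queried_name> <response_code>
# A host that rendezvouses with hundreds or thousands of pseudo-random
# domains a day stands out as a client with many distinct names and a high
# share of NXDOMAIN answers, because most of those names never existed.


@dataclass
class HostStats:
    queries: int = 0
    nxdomain: int = 0
    domains: set = field(default_factory=set)


def parse_line(line: str):
    """Split one constructed log line into (client, name, rcode)."""
    _ts, client, qname, rcode = line.split()
    return client, qname.lower().rstrip("."), rcode


def summarise(lines):
    """Aggregate per-client query counts, NXDOMAIN counts and distinct names."""
    stats = defaultdict(HostStats)
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        client, qname, rcode = parse_line(line)
        s = stats[client]
        s.queries += 1
        s.domains.add(qname)
        if rcode == "NXDOMAIN":
            s.nxdomain += 1
    return stats


def flag_hosts(stats, min_domains=200, min_nx_ratio=0.8):
    """Return (client, distinct_domains, nxdomain_ratio) for suspicious hosts.
    The thresholds are illustrative assumptions; tune them to the local baseline."""
    flagged = []
    for client, s in stats.items():
        ratio = s.nxdomain / s.queries if s.queries else 0.0
        if len(s.domains) >= min_domains and ratio >= min_nx_ratio:
            flagged.append((client, len(s.domains), round(ratio, 2)))
    return sorted(flagged)


def build_sample_log(seed=1, infected_domains=500):
    """Constructed sample: one ordinary client (10.0.0.5) plus one client
    (10.0.0.9) whose lookups mimic a daily sweep of pseudo-random domains."""
    rng = random.Random(seed)
    lines = [
        "2009-04-01T08:00:01 10.0.0.5 www.example.com NOERROR",
        "2009-04-01T08:00:02 10.0.0.5 mail.example.com NOERROR",
        "2009-04-01T08:00:03 10.0.0.5 update.example.net NOERROR",
        "2009-04-01T08:00:04 10.0.0.5 typo.exampel.com NXDOMAIN",
    ]
    tlds = ["com", "net", "org", "info", "biz"]
    names = set()
    while len(names) < infected_domains:
        label = "".join(rng.choice("abcdefghijklmnopqrstuvwxyz")
                        for _ in range(rng.randint(6, 11)))
        names.add(f"{label}.{rng.choice(tlds)}")
    for i, name in enumerate(sorted(names)):
        # Roughly one name in twenty resolves; the rest were never registered.
        rcode = "NOERROR" if i % 20 == 0 else "NXDOMAIN"
        lines.append(f"2009-04-01T08:{i // 60:02d}:{i % 60:02d} 10.0.0.9 {name} {rcode}")
    return lines


if __name__ == "__main__":
    for client, n_domains, ratio in flag_hosts(summarise(build_sample_log())):
        print(f"{client}: {n_domains} distinct domains, NXDOMAIN ratio {ratio}")
```

On the constructed sample the ordinary client is ignored and 10.0.0.9 is reported with 500 distinct domains and an NXDOMAIN ratio of 0.95. In practice the same aggregation is run per day over resolver logs, and the distinct-domain threshold is set well above what normal clients on the network reach; a host that trips it is a candidate for the clean-up and patching the posts above describe, not proof of infection on its own.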

You can protect yourself – a good anti-virus / Internet security suite will do the trick (I have Norton on my home machines and, of course, we use Symantec on the corporate ones), and if you are infected, then there is plenty of information as to how to remove it. Conficker has caught the imagination of the press and so there is a lot being written about it; however, there were more pieces of malware created in 2008 than in all the preceding years put together… and Conficker is just one of them (well, three, but it depends how you count!). Of course, compared to the average nasty, Conficker is smarter: it transforms itself and uses multiple routes to infect the unpatched, unsecured targets.

Sitting here in the UK, we have a small advantage: as with Y2K, we will see the effects in Australia and AsiaPac before it gets to us – and for them it’s now less than 2 hours to go…