F-Secure Now Claims Nine Million Conficker Infections


Jan 19, 2009

F-Secure now claims that nine million Windows PCs are infected with the Conficker worm. In response to those who doubt its high figures, F-Secure has revealed its counting method in its blog. This says F-Secure has been tracking a variant of the worm, has registered some of the 250 domains it creates each day, and is logging the connections made to them in order to note all the unique IP addresses.

F-Secure further says that, when contacting its domains, the worm states the number of other systems successfully infected by it so far, in the HTTP header (e.g. "GET /search?q=29 HTTP/1.0"). Parsing the logs to extract the highest "q" value for each IP/User-Agent pair, then adding them, F-Secure again comes to what it calls a “very conservative” estimate of around nine million PCs (as at Friday, 16 January). Several hundred thousand are apparently being added every day.

No one knows exactly how many computers have now actually been infected. Another thing that's hard to explain is why the Conficker worm should be so successful. After all, a patch to plug the hole, through which it penetrates Windows, was issued some three months ago.

It doesn't just spread via an old Windows vulnerability, however, but also via network shares. Clearly it’s exploiting administrator accounts that are "protected" with weak passwords. It also infects USB sticks. When an infected stick is plugged into the computer, the computer does ask what action is desired, rather than immediately running the worm. However, as the Internet Storm Center says, the worm can induce a user to click on the Start option by using fake icons.

Heise security - full story: http://www.heise-online.co.uk/security/F-S...s--/news/112441

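The counting method described in the article (highest "q" value per IP/User-Agent pair, then summed), sketched as an added example that is not part of the original post and not F-Secure's own code. The Apache "combined" log format, the function name `estimate` and the sample log lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Assumption: the sinkhole web server writes Apache "combined" format logs.
# The article does not say which log format F-Secure actually used.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]*\] '
    r'"GET /search\?q=(?P<q>\d+) HTTP/1\.[01]" '
    r'\d{3} \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

# Constructed sample lines using documentation address ranges, not real data.
SAMPLE_LOG = """\
192.0.2.10 - - [16/Jan/2009:10:00:01 +0000] "GET /search?q=29 HTTP/1.0" 200 0 "-" "Mozilla/4.0 (compatible; MSIE 6.0)"
192.0.2.10 - - [16/Jan/2009:13:00:07 +0000] "GET /search?q=31 HTTP/1.0" 200 0 "-" "Mozilla/4.0 (compatible; MSIE 6.0)"
192.0.2.10 - - [16/Jan/2009:13:05:44 +0000] "GET /search?q=4 HTTP/1.0" 200 0 "-" "Mozilla/4.0 (compatible; MSIE 7.0)"
198.51.100.7 - - [16/Jan/2009:14:20:10 +0000] "GET /search?q=0 HTTP/1.0" 200 0 "-" "Mozilla/4.0 (compatible; MSIE 6.0)"
198.51.100.7 - - [16/Jan/2009:18:42:31 +0000] "GET /search?q=2 HTTP/1.0" 200 0 "-" "Mozilla/4.0 (compatible; MSIE 6.0)"
203.0.113.5 - - [16/Jan/2009:19:00:00 +0000] "GET /index.html HTTP/1.1" 404 0 "-" "curl/7.19"
192.0.2.10 - - [16/Jan/2009:21:15:02 +0000] "GET /search?q=12 HTTP/1.0" 200 0 "-" "Mozilla/4.0 (compatible; MSIE 6.0)"
"""


def estimate(lines):
    """Return (unique_ips, estimated_infections, skipped_lines)."""
    highest = defaultdict(int)  # (ip, user_agent) -> highest q reported
    skipped = 0
    for line in lines:
        line = line.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if m is None:
            skipped += 1  # unrelated request (scanner, crawler) or malformed line
            continue
        key = (m["ip"], m["ua"])
        # Keep only the highest count per pair so repeat check-ins and
        # lower values reported later are not counted twice.
        highest[key] = max(highest[key], int(m["q"]))
    unique_ips = len({ip for ip, _ in highest})
    return unique_ips, sum(highest.values()), skipped


if __name__ == "__main__":
    ips, total, skipped = estimate(SAMPLE_LOG.splitlines())
    print(f"unique IPs: {ips}, summed q estimate: {total}, skipped: {skipped}")
```

Keying on the IP/User-Agent pair rather than the IP alone separates two machines behind one NAT address when their User-Agent strings differ, which is why the sample yields two unique IPs but three summed values.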