Conficker is growing. The number of reported infections is now more than eight million. F-Secure, the security company that made claims (similar to McDonalds) that millions and millions have been served, has taken some heat for announcing such a seriously high volume of infections. Over the weekend it posted a blog entry explaining how it arrived at these numbers.
Conficker: How the count of over eight million infections came to be
Finland-based F-Secure has been tracking the various versions of Conficker over the past week, focusing on the one variant it believes to be the most common. After working out how that variant operates, the company came up with a method to estimate how many systems worldwide are infected.
"There are several different variants of Downadup out there. The algorithm to create the domain names varies a bit between the variants. We've been tracking the variant we believe to be most common," F-Secure explained.
"It creates 250 possible domains each day," it added. "We've registered some selected domains out of this pool and are monitoring the connections being made to them."
By sifting through the logs of connections to the registered domains, F-Secure tracks the GET portion of the HTTP requests it has recorded. That GET request carries a unique string generated by Conficker, of the form "/search/q=NUMBER", where NUMBER is an incrementing counter.
"It's basically a global variable in the code, getting incremented (thread-safely through InterlockedIncrement) every time the malware has successfully exploited a machine via MS08-067," outlined F-Secure. "The incrementation is done in the HTTPD thread of the Malware, after it has exploited a machine successfully. So this number tells us how many other computers this machine has exploited since it was last restarted."
So, by that method, there were 8,976,038 infected systems as of Friday. The largest infection count for a single IP address was just over 20,000.
"Do bear in mind that this number only shows how many machines got infected via the MS08-067 exploit. Downadup spreads at least as much via network shares and USB sticks," added the company.
"We wrote a program that parses the logs, extracting the highest 'q' value for the IP/User-Agent pairs. These are then added together to get our figures. As you can see now, they are very conservative."
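The counting method described above, as an added example that is not F-Secure's own program: it parses web-server access logs in Apache "combined" format (an assumption; the page does not say which log format was used), keeps the highest q value per IP/User-Agent pair, and sums those maxima. The log lines are constructed sample data, not real sinkhole traffic.

```python
import re
from collections import defaultdict

# Constructed sample access-log lines (Apache "combined" format), not real data.
# Two distinct User-Agents behind 10.0.0.5 stand in for two hosts sharing one IP.
SAMPLE_LOG = """\
10.0.0.5 - - [16/Jan/2009:10:00:01 +0000] "GET /search/q=3 HTTP/1.1" 200 12 "-" "Mozilla/4.0"
10.0.0.5 - - [16/Jan/2009:10:05:12 +0000] "GET /search/q=7 HTTP/1.1" 200 12 "-" "Mozilla/4.0"
10.0.0.5 - - [16/Jan/2009:10:05:12 +0000] "GET /search/q=1 HTTP/1.1" 200 12 "-" "Mozilla/4.0 (second host)"
192.0.2.9 - - [16/Jan/2009:11:00:00 +0000] "GET /search/q=12 HTTP/1.1" 200 12 "-" "Mozilla/4.0"
192.0.2.9 - - [16/Jan/2009:11:30:00 +0000] "GET /search/q=2 HTTP/1.1" 200 12 "-" "Mozilla/4.0"
198.51.100.1 - - [16/Jan/2009:12:00:00 +0000] "GET /robots.txt HTTP/1.1" 404 0 "-" "curl/7.19"
"""

# Client IP, request path and User-Agent from a combined-format line.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "GET (?P<path>\S+) [^"]*" \d{3} \S+ "[^"]*" "(?P<ua>[^"]*)"'
)
# The beacon path the article gives is "/search/q=NUMBER"; "?" is accepted too as a
# tolerance for the sake of robustness (an assumption, not from the page).
Q_RE = re.compile(r"^/search[?/]q=(\d+)$")


def max_q_per_client(log_text):
    """Return {(ip, user_agent): highest q seen} for Conficker-style beacons.

    q counts hosts this client exploited via MS08-067 since its last restart, so a
    lower value later in the log (e.g. 12 then 2) means a restart, not a correction:
    keeping the maximum is what makes the figure conservative.
    """
    best = defaultdict(int)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        q = Q_RE.match(m.group("path"))
        if not q:
            continue  # unrelated request (scanners, browsers, ...)
        key = (m.group("ip"), m.group("ua"))
        best[key] = max(best[key], int(q.group(1)))
    return dict(best)


def estimate_exploited_hosts(log_text):
    """Sum the per-client maxima: a lower bound on hosts exploited via MS08-067."""
    return sum(max_q_per_client(log_text).values())
```

Hosts infected over network shares or USB media never raise q, so, as the article notes, the total undercounts the real infection base.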
However, as mentioned in previous articles, Conficker is for now doing little beyond spreading to other systems. No botnet activity has been tied to the worm, and no large-scale malware infection has been associated with it, such as using Conficker to deliver a payload designed to exploit systems running a particular service or application.