In association with heise online

23 February 2009, 17:24

Conficker becomes a more flexible worm

It seems that the authors of the Conficker worm for Windows are continually updating their malware. In their current analyses, researchers at SRI International have found that the latest Conficker variants B and B++ are decidedly more flexible than their predecessors in downloading further components and new versions.

The first version of the worm used an easily predictable method for choosing contact domains. In response, Microsoft and ICANN tried to either gain control of these domains, or shut them down. The next version, B, used a different method to establish the domains for its contact attempts. It also did not have the "suicide switch" that was enabled in version A if the worm detected a Ukrainian keyboard layout.

The most recent variant of the malware, Conficker B++, can download not only DLLs but also entire arbitrary programs, which extends the botnet operators' scope for further activity. In addition to the download feature, this version also contains a back door that can be used to actively and remotely inject additional components or new versions.

The researchers have now counted about 10 million IP addresses exhibiting Conficker activities. More than 6 million of these are infected with Conficker B. However, these IP counts do not reflect the actual number of infected systems; according to SRI International, this figure is likely to be smaller by one order of magnitude and probably ranges between one and a few million systems. Another interesting metric is the evaluation by country: China is at the top with about 2.7 million IPs, the UK has 98,719 infected addresses and Germany has 195,923, which is still slightly ahead of the US.

(crve)

Permalink: http://h-online.com/-740221