F-Secure now claims nine million Conficker infections
F-Secure now claims that nine million Windows PCs are infected with the Conficker worm. In response to those who doubt its high figures, F-Secure has explained its counting method on its blog: it has been tracking a variant of the worm, has registered some of the 250 domains the worm generates each day, and is logging the connections made to them in order to record all the unique IP addresses.
F-Secure further says that, when contacting its domains, the worm reports in the HTTP request line the number of other systems it has itself infected so far (e.g. "GET /search?q=29 HTTP/1.0"). Parsing the logs to extract the highest "q" value for each IP/User-Agent pair and adding those values up, F-Secure arrives at what it calls a "very conservative" estimate of around nine million PCs (as at Friday, 16 January). Several hundred thousand are apparently being added every day.
No one knows exactly how many computers have actually been infected by now. Another thing that's hard to explain is why the Conficker worm should be so successful. After all, a patch for the hole through which it penetrates Windows was issued some three months ago.
It doesn't just spread via that old Windows vulnerability, however, but also via network shares, evidently by attacking administrator accounts that are "protected" only by weak passwords. It also infects USB sticks. When an infected stick is plugged in, Windows does ask in its AutoPlay dialog what action to take rather than immediately running the worm; however, as the Internet Storm Center notes, the worm can trick the user into choosing the entry that starts it by disguising that entry with a fake icon.
The anti-bot service provider Damballa has told British media that it has observed only around 500,000 IP addresses. For that to add up to 9 million infections, an average of 18 infected PCs would have to sit behind each address, hidden by a NAT router, which is considered unlikely. SecureWorks also doubts the number, because it cannot be ruled out that infected PCs were counted more than once: on DSL connections, an infected PC may appear under more than one address during a given period. So far, Conficker is believed to have mainly infected company networks from within, perhaps starting from infected laptops.
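The following script, added here as an illustration and not code from F-Secure or any other party named in the article, reproduces the counting method described above over a handful of constructed sinkhole log lines and also shows the double-counting objection raised by SecureWorks. It assumes the sinkhole logs in Apache combined format, that the check-in looks exactly like the quoted "GET /search?q=N HTTP/1.0", and that the estimate is the sum of the highest q per IP/User-Agent pair; the article does not say whether the reporting hosts themselves are added to that sum, so the script reports both figures separately. The alternative "/24 plus User-Agent" host identity is only a device to show how far the tally moves when one PC reappears under several dynamic addresses (or several PCs share one NAT address).

```python
import re
from collections import defaultdict

# Constructed sample of sinkhole web-server log lines (Apache combined format).
# The request shape "/search?q=N" mirrors the one quoted by F-Secure, where N is
# the number of hosts the requesting bot reports having infected itself.
# Addresses are from documentation ranges; these lines are made up for this example.
SAMPLE_LOG = """\
203.0.113.5 - - [16/Jan/2009:10:01:12 +0000] "GET /search?q=3 HTTP/1.0" 200 15 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
203.0.113.5 - - [16/Jan/2009:11:40:03 +0000] "GET /search?q=29 HTTP/1.0" 200 15 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
203.0.113.5 - - [16/Jan/2009:11:41:50 +0000] "GET /search?q=7 HTTP/1.0" 200 15 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)"
198.51.100.77 - - [16/Jan/2009:12:00:00 +0000] "GET /search?q=5 HTTP/1.0" 200 15 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
198.51.100.78 - - [16/Jan/2009:13:00:00 +0000] "GET /search?q=12 HTTP/1.0" 200 15 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
198.51.100.77 - - [16/Jan/2009:13:05:00 +0000] "GET /robots.txt HTTP/1.1" 404 0 "-" "curl/7.19.0"
"""

# Apache combined log format: ip ident user [ts] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)
# The worm's check-in as quoted in the article; anything else is ignored.
BEACON_RE = re.compile(r'^GET /search\?q=(?P<q>\d+) HTTP/1\.[01]$')


def parse_beacon(line):
    """Return {'ip', 'ua', 'q'} for a worm check-in, or None for any other line."""
    m = LOG_RE.match(line.rstrip("\n"))
    if not m:
        return None
    b = BEACON_RE.match(m.group("req"))
    if not b:
        return None  # not a /search?q=N request: crawler, scanner, curl, ...
    return {"ip": m.group("ip"), "ua": m.group("ua"), "q": int(b.group("q"))}


def pair_key(r):
    """Host identity used in the article: the (IP address, User-Agent) pair."""
    return (r["ip"], r["ua"])


def slash24_key(r):
    """Alternative identity (assumption for illustration only): collapse addresses
    that share a /24 and a User-Agent, as one dynamic-IP host might."""
    return (r["ip"].rsplit(".", 1)[0], r["ua"])


def max_q_per_host(lines, host_key=pair_key):
    """Highest reported q for each host, where 'host' is whatever host_key returns.
    A host that only ever reports q=0 is still recorded (with 0)."""
    best = defaultdict(int)
    for line in lines:
        r = parse_beacon(line)
        if r is None:
            continue
        k = host_key(r)
        if r["q"] > best[k]:
            best[k] = r["q"]
    return dict(best)


def estimate(lines, host_key=pair_key):
    """F-Secure-style tally: the sum of every host's highest q, plus bookkeeping."""
    best = max_q_per_host(lines, host_key)
    ips = {r["ip"] for r in map(parse_beacon, lines) if r}
    return {
        "unique_ips": len(ips),
        "reporting_hosts": len(best),
        "sum_of_max_q": sum(best.values()),
    }


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    # Per IP/User-Agent pair: 198.51.100.77 and .78 count as two hosts (5 + 12).
    print(estimate(lines))
    # Per /24 + User-Agent: if those two addresses were one DSL host, only its
    # highest value (12) survives and the tally drops accordingly.
    print(estimate(lines, slash24_key))
```

Note that keying on the IP/User-Agent pair cuts both ways: two different PCs behind one NAT address with the same browser string collapse into a single host (only the larger q survives), which is what makes the figure "conservative", while one PC that re-dials and gets a new address is counted twice, which is the SecureWorks objection.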
- Report: 2.5 million PCs infected with Conficker worm, report by heise online
- Conficker in Carinthia: first the state government, now the hospitals, report by heise online
- Microsoft: Customers play "Russian roulette" with their systems, report by heise online
- Windows worm infection accelerates, report by heise online
- Microsoft patches critical hole in its RPC service, report by heise online