In association with heise online

14 January 2009, 11:40

Report: 2.5 million PCs infected with Conficker worm


According to F-Secure, there are already almost 2.5 million PCs infected with the Conficker worm, also known as Downadup. Since the worm has the ability to download new versions of itself, it is expected that the infection could spread much further. The new code is downloaded from domain names generated with a complex algorithm, making it hard to predict what domains will be used to spread the worm's updates.

F-Secure has managed to predict some of the new domains and registered them itself. This has allowed them to analyse the connections that the worm is making. While this puts them in a position to attempt to remotely disinfect Conficker en masse, for legal reasons the company has decided not to do so. However, the information gathered from their registered domains has allowed them to estimate the size of the worm infection.

Many of the calls to the domains are from infected machines within corporate networks, through firewalls or NAT implementations, which means that although F-Secure may only see one IP address, there could be thousands of machines behind that address that are infected with Conficker. Allowing for that and using "some additional tricks", the F-Secure team have estimated that there are 2,395,963 infections worldwide, and call this figure a conservative estimate.

There are three variants of Conficker out there. The A version exploits an RPC vulnerability in Windows. The B and C versions do that too, but also attempt to find weak administrator passwords using a built-in list of passwords. This means that not only should administrators install Microsoft's security updates, but also ensure that they are using strong passwords.

Tuesday's Microsoft Patch included updates to the Malicious Software Removal Tool, which is able to recognise and eliminate the worm.

(djwm)

Permalink: http://h-online.com/-739667
 

