In association with heise online

07 July 2009, 11:27

Researchers thwart Conficker worm spread

  • Twitter
  • Facebook
  • submit to slashdot
  • StumbleUpon
  • submit to reddit

The Conficker worm has not gone away and is on the rise again. Things may have quietened down on the Conficker front for a while, but, according to statistics from the Conficker Working Group (CWG), the number of infected systems increased from a little over four million (unique IPs) to more than five million in June. The most widely distributed 'A' variant is, however, rather picky – it declines to attack Windows systems located in the Ukraine.

To determine the location of a system it is thinking of attacking, Conficker attempts to query geographical IP-address databases, which allow it to work out roughly where an IP address is located. Specifically, Conficker.A accesses an IP-address database provided by MaxMind, who switched their server to a new address shortly after the worm appeared in order to stop further queries.

Felix Leder and Tillmann Werner from Bonn University have taken advantage of the fact that the worm continues to query the old hard-coded address in order to hinder its spread; they have developed their own database and are running it at the old address, which has been made available by MaxMind. The database returns the Ukraine as the location for all address queries with the result that queried systems are not attacked and thus not infected.

"We are currently observing millions of queries per day," reports Tillmann Werner, "How far the number of infections will be reduced remains to be seen. We have certainly made some small contribution to suppressing its spread." Indeed, since last weekend the number of infected systems has not just stagnated, it has actually fallen.

According to the researchers, it is important that infected systems are now disinfected so that the infection cannot flare up once more. To help with this process, they have released a number of programs available from Leder and Tillmann published an analysis of the worm and tools for detecting it earlier this year.

The H Security has a Conficker Information Site with online tests for Conficker infections and links to network scanners and tools to assist with the removal of Conficker from infected systems.


Print Version | Send by email | Permalink:

  • July's Community Calendar

The H Open

The H Security

The H Developer

The H Internet Toolkit