Conficker Infections Reach 7 Million

The notorious Conficker worm is still active and continues to claim millions of victims, but has also succeeded in uniting the security community against it.

The Conficker worm struck Windows computers a year ago now, but after the over hyped 1 April 1 deadline passed quietly, interest in the general public started to dwindle, and the malware for some became just another entry on an ever-growing list of cyber-threats.

The worm itself however did not disappear. Today, roughly a year after its appearance, Conficker is still resting on millions of systems around the world. From its innovation to its persistence, Conficker has emerged as a stark example of the dangers of malware, poor patching practices and what the security community can accomplish by working together.

“This certainly is one of the most sophisticated pieces of malware that we’ve ever seen, and that’s why the security industry continues to be interested in it in spite of the fact that not a lot has happened over the course of the past year,” said Tom Cross, manager of IBM X-Force Advanced Research. “Lots of people have said this is not interesting anymore and stopped paying attention, but those of us who are responsible for this stuff [are] still watching.”

Those watching remember that the worm first crept into the public consciousness in November 2008, when Microsoft reported the worm was targeting a vulnerability in their Server service. Microsoft had already issued a rare out-of-band patch for the flaw the previous month in light of limited attacks against it by malware such as the Gimmiv Trojan. Just before the start of the year, Microsoft officials once again advised organisations to apply the patch.

By then, Conficker B was out. The malware authors would go on to update the worm multiple times, with each version providing a new twist on its functionality. Just how many machines are infected with the worm is unknown.

According to the Conficker Working Group, as of 28 October, 2009, there were more than 7 million unique IPs infected with Conficker variants A, B and C connecting to the group’s tracking systems. Many of the new infections are happening outside the United States in countries like Brazil.

That there could be so many machines still infected with the worm doesn’t surprise Eric Sites, a member of the Conficker Working Group and CTO of Sunbelt Software.

“Given the level of the attack and the reinfection rates we’ve seen, this is not surprising,” he said. “Above all, it’s a reminder of how few people actually patch their systems on a regular basis. Despite the fact that Microsoft came out with a patch in October 2008, before Conficker took hold, the numbers of infected skyrocketed and continue to be very high.”

Patching systems and applications is often cited as a common cause for hacks and security breaches. But also problematic is the fact that the worm spread in a number of ways (the Microsoft vulnerability, USB devices and unprotected file shares are all attack vectors depending on the variant.)