Conficker.c infects small number of U.S. PCs, IBM says

Asia, Europe account for 76% of all Conficker.c infections, but worm's P2P chatter climbs as April 1 nears

Conficker.c may be in headlines around the world, but most of the infected PCs are in Asia and Europe, with fewer than 6% of the total found in North America, a security company said Tuesday.

Using an analysis of the worm's peer-to-peer communications scheme, IBM Internet Security System's X-Force team figured out last week how to detect machines plagued with the newest variant of Conficker, then mined that data to put a face on its geographic distribution.

"A lot of people have been reporting on infections that they've seen, but we really hadn't seen who was infected now," said Holly Stewart, X-Force's threat response manager.

As of Monday, 45% of the Conficker.c-infected computers were traced to Asian IP addresses, while another 31% were pegged to European addresses. South America accounted for 14% of the total, and just 5.8% of the infected PCs were using IP addresses associated with North America, Stewart said.

The dominance of Asia on the roll call of infected regions isn't surprising. Last Friday, Nguyen Tu Quang, the chief technology officer at Bach Khoa Internetwork Security (Bkis), which is housed at the Hanoi University of Technology, said that all fingers point to China. "It is almost certain that Conficker has Chinese origins," Nguyen said in an e-mail.

Conficker.c has received a massive amount of attention, especially in the last week, as tomorrow approaches. The third variant, which researchers first spotted earlier this month, will be able to switch to a new method of getting orders starting April 1.

Earlier versions of the worm generated a list of 250 possible domains each day that the malware could use to route instructions from its controllers, but Conficker.c cranks out a list of 50,000 Web addresses daily. Most researchers believe that's a direct response to work begun last month by the so-called Conficker Cabal -- officially known as the Conficker Working Group -- an ad hoc consortium of researchers and companies that have tried to disrupt the worm's "phone home" ability by registering as many of the daily domains as possible.

"Conficker.c makes it really hard for researchers to crack the communications code," Stewart said, referring to the worm's beefed-up peer-to-peer skills, which some believe were added as a fail-safe link to Hacker HQ if the domain routing system was compromised. Conficker.c has been using its peer-to-peer communication connection since it debuted.

"If you looked at the simple information on the wire, it might be mistaken for VPN traffic," Stewart added. "But our researchers cracked the way that they were using peer-to-peer." Using that information, X-Force has been able to sniff out Conficker.c-infected machines by detecting the worm's "fingerprint" in the traffic it monitors coming in to and going out of its customers' networks.

The vast bulk of the traffic identified as Conficker.c's peer-to-peer transmissions came from outside X-Force's clients' networks, she said. "We did find a few infected systems, and let those customers know about them, but it was a really small percentage of the chatter we're picking up, less than .00025%," Stewart said.

Also notable, she added, was that Conficker's peer-to-peer traffic is on the upswing. "It's up 20% from yesterday to today," Stewart said this morning.

But estimating the number of Conficker.c-infected PCs using the detection technique is impossible, she acknowledged, and pegging the percentage of machines infected by earlier variants, Conficker.b in particular, that have been updated to Conficker.c would be difficult.

X-Force's detection method is the second made public in the last two days. Yesterday, a trio of experts -- German researchers Tillmann Werner and Felix Leder, and American researcher Dan Kaminsky -- created a scanner that located infected PCs using a flaw in the worm. Werner and Leder published a 23-page paper, Know Your Enemy: Containing Conficker, late Monday that details their findings (download PDF).

Stewart said X-Force's approach was "completely passive" and didn't require running a scanner. It was not, however, released to the public, but instead was integrated within the IBM Internet Security System's intrusion prevention appliances.

Even so, Stewart promised to keep everyone in the loop. "Because we're able to detect this [Conficker.c] traffic on the wire, we'll certainly keep the public and our customers informed," she promised. "The next 24 hours should be interesting."


Gregg Keizer

Computerworld