I had an excellent briefing with the folks at TippingPoint about Conficker and they gave me access to their ThreatLinQ, a service that helps TippingPoint IPS customers proactively configure their systems. I’ll be writing about Conficker in a news story tomorrow. ThreatLinQ is essentially a portal that shows global threat data caught in TippingPoint’s DVLabs’ IPS filters. It can rank threats on a global scale and threats by country. It also shows how other TippingPoint customers are using their IPS and what is being blocked by default.
Security researcher Derek Brown of TippingPoint’s DVLabs, explained to me that while Conficker/Downadup has spread to an estimated 10 million machines, it reached its peak on Jan. 10. It’s an interesting worm because it can propagate either by exploiting the Microsoft RPC flaw, patched in October with MS08-067, or it can spread via USB sticks and other removable storage devices.
Ten million infections is a lot of computers, but I repeat what I said in an earlier post that most infections have taken place in countries where it took longer to deploy MS08-067. Places where pirated software is rampant; where machines are more likely to go unpatched. TippingPoint’s ThreatLinQ supports this.
Attempts to attack the Microsoft RPC vulnerability ranks No. 5 of all threat’s globally, according to the TippingPoint data. It’s well behind the MS-SQL: Slammer-Sapphire Worm which was picked up globally more than 32 million times in TippingPoint’s honeypots. Slammer ranks No. 1. Conficker was detected about a half a million times, according to the real-time data.
In China, where Symantec ranked Conficker infections the highest, Microsoft RPC attacks ranked ninth, according to the TippingPoint data. In the United States, attacks attempting to exploit the Microsoft flaw didn’t even rank in the top 10.
Conficker is also relatively easy to disinfect using any number of tools including Microsoft’s Malicious Software Removal Tool.
Conficker still fascinates security researchers. It’s got a built in password cracker. Once infecting a machine it seeks out other IP addresses to try to continue to spread. It can spread on shared drives. It also relays location information to the author.
Let me be clear: Derek Brown of TippingPoint’s DV Labs did not downplay the worm. The damage the fledgling botnet inflicts is still unknown. Once the attacker delivers the payload to the infected machines we’ll begin to measure the extent of Conficker’s destruction.