Posted by: Robert Westervelt
Kaspersky Lab researchers found a small number of unique IP addresses on the peer-to-peer network, suggesting the worm isn’t as large as previously thought.
It seems that Conficker/Downadup isn’t all that it was cracked up to be. Dennis Fisher of Kaspersky Lab’s Threatpost.com confirms what some have been suspecting all along: The Conficker botnet is much smaller than security researchers originally believed. An analysis by Kaspersky Lab researchers found “200,652 unique IP addresses on the P2P network, which comprises machines that are infected with the latest variant of Conficker,” according to Fisher’s post.
In a blog post, Kaspersky Lab virus analyst Georg Wicherski wrote that “only a fraction of the nodes infected with earlier variants have been updated with new variants.” Wicherski used a custom application to monitor the network. He noted in his post that Brazil and Chile stand out in terms of having the most numbers of P2P nodes.
Back in January I wrote about my access to TippingPoint’s ThreatLinQ service. ThreatLinQ can be accessed by TippingPoint IPS customers. The ThreatLinQ data I saw suggested to me the threat wasn’t a major one. ThreatLinQ is essentially a portal that shows global threat data caught in TippingPoint’s DVLabs’ IPS filters. It can rank threats on a global scale and by country. It also shows how other TippingPoint customers are using their IPS and what is being blocked by default.
The time period I had a view of the global Conficker data was Jan. 26/27. This was a time period when most security researchers said Conficker infections had peaked and some, including researchers at F-Secure, noted the botnet could be as large as 10 million machines.
At the time, the TippingPoint IPS honeypots found ranked attempts to attack the Microsoft RPC vulnerability at No. 5 of all threat’s globally. It wasn’t even close. Attempted attacks were in the hundreds of thousands versus the MS-SQL: Slammer-Sapphire Worm which was picked up globally more than 32 million times in TippingPoint’s honeypots.
I noted that Brazil, Chile and some countries in Asia and Eastern Europe seemed to have the most Conficker infections. They were in countries where software pirating is rampant and machines are not likely to get the MS08-067 RPC patch.
Conficker may have been a worm that fascinated researchers because it spread so quickly, but once the spotlight was shined on it, it sputtered out. Why? The Conficker Working Group appeared to have a good handle on this one and perhaps their efforts to disrupt the worm from receiving its orders worked. Researchers told me the P2P method of receiving its orders is just too slow for Conficker to be a major threat.