Security Bytes

Jan 27 2009   5:51PM GMT

Microsoft Conficker/Downadup infections still not a major threat

Robert Westervelt


I had an excellent briefing with the folks at TippingPoint about Conficker and they gave me access to their ThreatLinQ, a service that helps TippingPoint IPS customers proactively configure their systems. I’ll be writing about Conficker in a news story tomorrow. ThreatLinQ is essentially a portal that shows global threat data caught in TippingPoint’s DVLabs’ IPS filters. It can rank threats on a global scale and threats by country. It also shows how other TippingPoint customers are using their IPS and what is being blocked by default.

Security researcher Derek Brown of TippingPoint’s DVLabs explained to me that while Conficker/Downadup has spread to an estimated 10 million machines, it reached its peak on Jan. 10. It’s an interesting worm because it can propagate either by exploiting the Microsoft RPC flaw, patched in October with MS08-067, or via USB sticks and other removable storage devices.

Ten million infections is a lot of computers, but I repeat what I said in an earlier post: most infections have taken place in countries where it took longer to deploy MS08-067, places where pirated software is rampant and machines are more likely to go unpatched. TippingPoint’s ThreatLinQ supports this.

Attempts to attack the Microsoft RPC vulnerability rank No. 5 of all threats globally, according to the TippingPoint data. That’s well behind the MS-SQL: Slammer-Sapphire Worm, which was picked up globally more than 32 million times in TippingPoint’s honeypots. Slammer ranks No. 1. Conficker was detected about half a million times, according to the real-time data.

In China, where Symantec ranked Conficker infections the highest, Microsoft RPC attacks ranked ninth, according to the TippingPoint data. In the United States, attacks attempting to exploit the Microsoft flaw didn’t even rank in the top 10.

Conficker is also relatively easy to disinfect using any number of tools including Microsoft’s Malicious Software Removal Tool.

Conficker still fascinates security researchers. It’s got a built-in password cracker. Once it infects a machine, it seeks out other IP addresses to try to continue to spread. It can spread on shared drives. It also relays location information to the author.

Let me be clear: Derek Brown of TippingPoint’s DVLabs did not downplay the worm. The damage the fledgling botnet inflicts is still unknown. Once the attacker delivers the payload to the infected machines, we’ll begin to measure the extent of Conficker’s destruction.

4  Comments on this Post

  • Why not recommend installing Linux as the operating system on everyone's computer? Ubuntu Intrepid Ibex is particularly easy to install, installation takes less than 20 minutes, is free and cannot be infected by malware by design. Join the growing number of people who are sick of Windows' expensive travails, bugs, omissions, slowness and sheer complexity of maintaining. Try Ubuntu!
  • Charles. Like any software, Linux has vulnerabilities too. While it's less of a target to attackers, it isn't perfect and can be cracked.
  • Gisabun999
    Interesting that the author(s) of the worm haven't really done anything with it. Meanwhile the security companies are finding ways to detect and clean it. [Almost like getting paid tax free now and getting billed for taxes later on.]
  • SAPjava74
    Check out the Conficker deep dive analysis referenced in my blog, "The Conficker Analysis - are you ready for April 1?"
