Scammers are using Symantec's name as part of a ploy to lure those panicked by the Conficker worm into buying fake anti-virus. Meanwhile, vendors such as IBM are stating the number of infections may be higher than they thought.
Scammers are continuing their efforts to exploit public fears
over Conficker, this time with promises of protection via a product
made to look similar to Symantec's Norton Antivirus 2009.
Attackers have been sending
out e-mails that mention the names of Symantec executives talking
about the worm and linking to a Website that uses the name
"AntiVirus 2009." The Website also compares the software it is selling
to well-known products from companies such as Kaspersky Lab and AVG.
The e-mails - which also include a "product activation code" -
feature phony messages such as this one: "'It's definitely
serious,' Kevin Haley, director of security response at Symantec,
said of the virus thought to be embedded in millions of network
computers across the globe."
"After clicking on the link inside the message, we find that it
redirects to a Website where the user is promptly given directions on
how to make a payment," blogged Mayur Kulkarni of Symantec Security
Response. "Whether or not any product will be made available after the
payment is made is still unknown at this point. Even if it were, its
effectiveness would be questionable because it will most likely be a
rogue application or pirated software."
More figures about the number of Conficker infections are leaking
out, though exact numbers remain elusive. Estimates from various
security pros have put the number of infections from around 1.3 million
to several million more.
Yesterday, IBM's Internet Security Systems (ISS) division reported
that it detected the worm on 4 percent of the IP addresses it
monitored. IBM officials, however, cautioned against applying those
numbers to the overall situation across the world.
"I want to list just a few more caveats so that everyone out there
can understand these numbers and interpret them in an appropriate way,"
blogged Holly Stewart, threat response manager for IBM's ISS
X-Force. "First, our count is based on distinct IP
address. Most personal computers these days use DHCP, which means
that their IP address can change every time they connect to a network."
"For this reason, some of the hosts are most certainly counted more
than one time in our numbers," Stewart explained. "On the other
hand, many infected computers may be behind NAT devices, and in
those cases multiple infected computers may only be counted a single
time in our numbers."
The presence of removal and detection tools and
the efforts of the research community are believed to have impacted the
worm's growth. Users looking for tools to fight the worm are advised to
go directly to the vendor Websites or to known, trusted sources.