Where Art Thou Conficker?

By Matthew Hines  |  Posted 2010-01-27 Print this article Print

Sometimes it's hard not to miss our old friends, even when they're something of a gigantic pain, right?

At least that's how I hope my friends feel.

Researchers noted this week that the buzzworthy Trojan.Hydraq campaign that was used to hack Google and some other tech giants employed some of the same techniques used by our dear old pal Conficker to remain resident on infected PCs.

Which causes one to ponder, what happened to this attack which a year ago captured the interest of so many people for some particular reason?

Conficker/w32.Downadup was one of those rare threats that for some reason (other than being used to exploit high-profile companies in such a high-profile manner, as with Hydraq/Operation Aurora) crossed over to the mainstream and touched off a considerable wave of interest in malware and cyber-security.

Well, thanks to researchers at TrendLabs we have some idea of where the persistent bugger now resides.

For the record, the Conficker Working Group which lured some of the IT/security industry's giants to band together to thwart the attack remains active, reports TrendLabs Technical Communications specialist Ria Rivera in a recent blog post.

And lest you should think that Conficker simply disappeared, new variants including the Worm.Downad.KK are still in circulation and actually stand as an upgrade to the original, Rivera noted. Among the "improvements" made to the attack is expansion work done to increase the number of new domains it can consume.

While in general the Conficker front has become fairly quiet, according to the expert, this new version has increased the number of domains it can generate from 250 to roughly 50,000. And according to the Working Group's estimates, there has been an average of more than 100 million unique IP addresses connecting to its Conficker tracking systems in the first week of 2010 alone.

Another CWG participant, Akamai contends that "there continues to be significant port 445 activity," indicating how active the threat and its variants remain. Much of the activity is now originating from Russia and Brazil, replacing China and the United States as the top sources of traffic, Rivera said.

Time honored anti-Conficker tactics such as patching systems and disabling

Windows' Autorun capabilities remain the best bet for protecting yourself against the old friend.

And based on what we're hearing now, we might soon be talking more about Conficker again.

Follow eWeek Security Watch on Twitter at: eWeekSecWatch.

Matt Hines has been following the IT industry for over a decade as a reporter and blogger, and has been specifically focused on the security space since 2003, including a previous stint writing for eWeek and contributing to the Security Watch blog. Hines is currently employed as marketing communications manager at Core Security Technologies, a Boston-based maker of security testing software. The views expressed herein do not necessarily represent the views of Core Security, and neither the company, nor its products and services will be actively discussed in the blog. Please send news, research or tips to SecurityWatchBlog@gmail.com.

del.icio.us | digg.com

Submit a Comment

Loading Comments...
Manage your Newsletters: Login   Register My Newsletters

Rocket Fuel