9.5 million PCs poised to strike

 

Gallery

By Stuart Turton

Posted on 20 Jan 2009 at 15:24

The Conficker worm has spread to almost ten million computers, though analysts are still scratching their heads as to its purpose.

Also knows as downadup and Kido, the worm has spread from 2.4 million machines last Thursday to around 9.5 million this week, according to figures from F-Secure.

The spread is particularly alarming given that the worm is manipulating a flaw in Windows Server that was patched by Microsoft back in October.

This means that the worm is being principally found on the networks of corporations that have not installed any of the recent Microsoft updates. From these networks, it is being transported to home machines using flash drives.

Intriguingly, researchers claim that despite the vast infection rates the worm appears to be dormant beyond establishing itself on the computer.

"This is fairly standard practice," says Kaspersky security analyst David Emm. "In order to gather productive information a botnet needs to be of sufficient size. The Storm worm established itself in a very similar way. Once it hits that size, the next step is to download the software to take over the machine, after that it could be used for spam or denial-of-service attacks."

Indeed, downloading this software is one of Conficker's more interesting tricks. Unlike other botnets, which contact a single domain to download their malicious software to the infected machine, Conficker connects to around 250 different domains.

"This makes it impossible and/or impractical for us good guys to shut them all down - most of them are never registered in the first place," says the F-Secure weblog

"However, the bad guys only need to predetermine one possible domain for tomorrow, register it, and set up a website - and they then gain access to all of the infected machines. Pretty clever."