Internet Security Systems - AlertCon(TM)

April Fools in July?

Posted by Holly Stewart on April 01, 2009 at 11:35 AM EDT.

Sorry, it's a silly reference to that all too familiar sales pitch "IT'S CHRISTMAS IN JULY!!!" April Fools does certainly seem to have been a joke on us. We knew it might happen... but we had to be on alert anyway. Hey, that's why we're here, right? I guess the point is that even though nothing happened today, I think, at least, that something is going to happen eventually.

So, we're still watching and waiting. As I've mentioned to many others publicly and privately, I still don't think this Conficker thing is a joke. Through the research we've done and the research of others, it's obvious that the development of Conficker has cost someone a lot of money. The advanced technology and sophisticated obfuscation that we've witnessed is fairly unprecedented. It would really, really surprise me if no one decides to cash in on that hefty investment. So, something *will* happen. It's just a matter of when. A lot of folks have speculated on how these bots could be used: cyberwarfare, system hijacking, launching nuclear weapons, and the list of scary possibilities goes on and on.

When we released the X-Force Trend and Risk report earlier this year, we spent a good deal of time talking about the economics of cybercriminals, and I do believe that we should take this into consideration here. Sure, there are a million things that could be done with these bots, and sure, they probably want to sell the capabilities off to the highest bidder, but we should keep in mind what these folks are good at, what their core competencies are. It's not crashing airplanes or temporarily taking down someone's networking capabilities. Some of these things are more feasible than others, but let's face it: these folks are really good at sending spam and stealing login credentials. They have automated tools and processes that completely support those business models.

So, are they going to launch nuclear weapons or change the position of satellites or hold the world hostage?  It's unlikely. Only time will tell.

Ok, on to the statistics for today. First, I want to explain that we are seeing many new IPs each day, about a 20% increase day over day. However, that doesn't mean Conficker.C is spreading. Most of us know that Conficker.C doesn't have propagation capabilities. We're simply detecting more IPs on the wire every hour, meaning that already-infected hosts are either getting turned on for the first time or sending their peer-to-peer traffic through the ISPs on the networks we're monitoring. After a few more days, I think we'll have a better feel for the overall infections we've been able to spot throughout the global sensor network that our Managed Security Services group monitors. Here's how the regional statistics look after yesterday's feed of new hosts:


We also have a country breakdown today, and here are countries with the most infected hosts:

So far this morning, we've not seen any indication that the agents are changing significantly, nor have we seen the number of hosts decline. A decline could also indicate changes in the agents or new attempts at obfuscation (hiding from IDS/IPS).
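To make the two points above concrete (new IPs showing up every day without the population growing, and a drop in observed hosts as a signal worth investigating), here is an added example of how an analyst might slice sensor data. This is illustration code written for this page, not X-Force's tooling or its sensor format; the log layout (timestamp, source IP, signature name) and the log lines themselves are constructed, and the alert threshold is an arbitrary choice.

```python
"""Day-over-day view of P2P sightings from constructed IDS sensor logs.

Three counts that are easy to conflate:
  active     - distinct IPs seen on a given day
  new        - distinct IPs seen for the first time that day
  cumulative - distinct IPs seen so far across all days
A rising cumulative count with a flat active count means the sensors are
catching up with an existing population, not that the population grows.
"""
from collections import defaultdict
from datetime import date

# Constructed sample (assumed format: "<ISO timestamp> <source IP> <signature>").
# Six infected hosts exist; only three check in on any given day.
SAMPLE_LOG = """\
2009-03-30T01:12:03Z 203.0.113.7 conficker-p2p
2009-03-30T02:44:51Z 203.0.113.9 conficker-p2p
2009-03-30T03:10:00Z 198.51.100.21 conficker-p2p
2009-03-30T09:22:18Z 203.0.113.7 conficker-p2p
2009-03-31T00:05:42Z 203.0.113.7 conficker-p2p
2009-03-31T06:17:33Z 198.51.100.44 conficker-p2p
2009-03-31T07:48:20Z 192.0.2.130 conficker-p2p
2009-04-01T00:01:11Z 203.0.113.9 conficker-p2p
2009-04-01T02:09:57Z 198.51.100.44 conficker-p2p
2009-04-01T03:00:00Z 198.51.100.5 ssh-bruteforce
this line is malformed and must be skipped
2009-04-01T05:55:40Z 192.0.2.77 conficker-p2p
"""


def parse_events(text):
    """Return (day, ip) pairs for well-formed lines carrying the P2P signature."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3 or parts[2] != "conficker-p2p":
            continue  # ignore malformed lines and unrelated signatures
        day = date.fromisoformat(parts[0][:10])
        events.append((day, parts[1]))
    return events


def daily_stats(events):
    """Per day: active IPs, first-seen IPs and the running unique total.

    Returns a list of dicts ordered by day.
    """
    by_day = defaultdict(set)
    for day, ip in events:
        by_day[day].add(ip)
    seen = set()
    rows = []
    for day in sorted(by_day):
        ips = by_day[day]
        new = ips - seen          # never observed before this day
        seen |= ips
        rows.append({"day": day, "active": len(ips),
                     "new": len(new), "cumulative": len(seen)})
    return rows


def cumulative_growth(rows):
    """Day-over-day % growth of the cumulative unique count (None for day one)."""
    out = []
    prev = None
    for r in rows:
        if prev is None:
            out.append(None)
        else:
            out.append(round(100.0 * (r["cumulative"] - prev) / prev, 1))
        prev = r["cumulative"]
    return out


def active_drop_alerts(rows, threshold=0.25):
    """Days on which active IPs fell by more than `threshold` versus the prior day.

    A sudden drop with no known cleanup is worth a look: the agents may have
    changed their traffic enough to slip past the signature. The 25% default
    is an arbitrary illustration value, not a tuned figure.
    """
    alerts = []
    for prev, cur in zip(rows, rows[1:]):
        if cur["active"] < prev["active"] * (1 - threshold):
            alerts.append(cur["day"])
    return alerts


if __name__ == "__main__":
    rows = daily_stats(parse_events(SAMPLE_LOG))
    for r, growth in zip(rows, cumulative_growth(rows)):
        print(f"{r['day']}  active={r['active']}  new={r['new']}  "
              f"cumulative={r['cumulative']}  growth={growth}")
    print("drop alerts:", active_drop_alerts(rows))
```

On the constructed sample the cumulative count grows 3, 5, 6 (roughly 67% then 20% day over day) while the active count stays at 3 every day, which is the shape you would expect from sensors gradually seeing an existing, non-spreading population. The drop check fires only when the active count falls sharply, the signal the post says it is watching for.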

As always, we'll keep posting updates with new information here.

Comments or opinions expressed on this Weblog are the opinions of the authors alone. They are not necessarily reviewed in advance by anyone but the individual authors, and neither IBM Internet Security Systems nor any other party necessarily agrees with them. The views expressed by outside contributors and links to outside websites do not represent the views of IBM Internet Security Systems, its management or employees. All content on this Weblog has been made available on an “as-is” basis, and IBM Internet Security Systems shall not be liable for any direct or indirect damages arising out of use of this Weblog.