Internet Security Systems - AlertCon(TM)

Who is watching your Conficker?

Posted by Holly Stewart on March 30, 2009 at 9:31 PM EDT.


We are.

With the release of Conficker.C came significant changes in the way the malware behaves.  No longer does it appear to be focused on the aggressive propagation vectors of the past... no, it seems more interested in sitting and waiting... holding down the fort and keeping a communication path alive with all of its peers.  It's this last behavioral change that one of our researchers, Mark Yason, keyed into and found a little niche that helps us detect this bugger on the network.  He basically reverse-engineered the communications mechanisms that were specifically designed to frustrate security analysts and evade detection.  After Conficker.C came out, the malware had seemed to go a bit quiet on us; it didn't appear to be using the noisy propagation methods like MS08-067 and brute-force login attacks that had been easy to pick up on the network.  Luckily, after a few sleepless nights, Mark found some nuggets that we've been able to use to detect this new version on the network.

We deployed the update late last week to our customers including our Managed Security Services (MSS) customers.  All throughout the weekend, we have been watching the signatures light up across the world on our MSS network, server, and desktop sensors.  The vast majority of these bots aren't inside our customer networks... but they are on the outside trying to get in (or get anywhere, somewhat randomly).  This view gives us a new perspective, a real-time perspective into the growth and changes in the botnet worldwide.  This chatter does not reflect infections that have been detected and since removed... these are live infections that are active today.  The view is also unclouded by things that might block the results of something like a network scan, for example... no firewall rules, no network configurations, no user permissions... it's an open lens to this global problem.

So, what does it look like?  Well, the details are still unfolding, but we can tell you from a high level where most infections are as of today.  Asia tops the charts so far.  By this morning, it represented nearly 45% of all of the infections from our view.  Europe was second at 31%.  The rest of the geographies held a much smaller percentage overall.  The following chart shows how the distribution looked in total today:

Nearly all of the numbers here are from IPs that are external to our customers. However, MSS has been able to spot a number of internal infections and has been helping customers by identifying the offending IPs involved.

If you’d like more information on what we’re doing to protect customers, we’ve put some of the details from Mark’s analysis and our protection signatures in our alert.  For some straightforward information about how to protect yourself against infection, please peruse the blog post Tom Cross did some time ago.  As always, we’re continually watching and waiting… we will see if April 1 will truly bring any surprises.  As significant changes emerge, we’ll always try to keep you updated here.
