By Nguyen Tu Quang / Senior Malware Researcher – CEO, Bkis
According to Bkis' survey, many computer users believe that May 3 will be the end of the Conficker story. This way of thinking draws their attention away from a threat that is still out there: nearly one million computers worldwide remain infected with Conficker, even after May 3. That is an undeniable fact.
On April 26, our researchers compiled statistics using the same method we had used on April 1 (/?p=473): we registered some of the 50,000 domain names that Conficker would call on April 26. (It is important to note that Conficker.C has been looking non-stop for updates via HTTP since April 1; see /?p=391.)
The result: 750,000 computers worldwide are still harboring Conficker.C, and this botnet of 750,000 zombies will not stop calling home for instructions after May 3, whatever users may believe about that date marking the end of the Conficker story.
This analysis proves that the Conficker threat is still out there.
Conficker Statistic on April 26
Is the Conficker Cabal (Working Group) wasting its time and effort?
The Bkis Radar System (*), which has been running since April 1, found that up to today the Conficker Working Group has been trying every day to register domain names among the 50,000 that Conficker can call. For instance, today, April 28, the domain names registered by the Conficker Working Group fall under .ae, .am, .as, .be, .ca, .cl, .co.il, .co.nz, .co.uk … However, they cannot control all 50,000 domain names each day. A hacker can register any domain not controlled by the Conficker Working Group and use it to send new instructions to the bots. The proof is that we could easily register some domain names on Conficker's calling list for April 26 in order to count the number of Conficker zombies worldwide.
This leads us to think that the Conficker Working Group is wasting its time and effort on what it is doing. It would be more advisable to send alerts to the nations with the highest infection rates, so that computer users in those countries see the need to clean their systems of the worm. Almost all antivirus software now carries signatures for the new Conficker variants, along with removal tools. According to our statistics on April 26, the countries with the highest infection rates include China, Russia and Brazil.
(*) How does Bkis Radar work?
We have developed a tool that simulates Conficker's call-home module. Each day Bkis Radar generates the 50,000 domain names and queries them, the same way Conficker does. We are thus notified whenever one of those domains is activated or the content of the website a domain points to is modified. Consequently, we know when Conficker spreads via HTTP, and we can compile a list of the domain names the Conficker Working Group has registered.
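A monitor of the kind described above, written here as an added example and not Bkis' own Radar code: it sweeps a day's candidate domains, records which ones resolve and what they serve, and raises an event when a name first becomes active (distinguishing known sinkhole addresses from unknown registrants), changes IP, or changes content. The DNS and HTTP lookups are injected as functions so it runs offline; the domain names, addresses and bodies in the demo are constructed placeholders.

```python
"""Radar-style daily sweep over candidate call-home domains (added example)."""
import hashlib
from dataclasses import dataclass, field


@dataclass
class RadarState:
    ip_of: dict = field(default_factory=dict)      # domain -> last observed IP
    digest_of: dict = field(default_factory=dict)  # domain -> sha256 of last body


def radar_sweep(domains, resolve, fetch, state, known_sinkholes=frozenset()):
    """One daily pass. resolve(domain) returns an IP or None (unregistered);
    fetch(domain) returns the HTTP body bytes or None. Both are injected so the
    sweep runs offline; in production they would be real DNS and HTTP calls.
    Returns a list of (event, domain, detail) tuples."""
    events = []
    for domain in domains:
        ip = resolve(domain)
        if ip is None:
            continue  # nobody has registered this name yet
        prev_ip = state.ip_of.get(domain)
        if prev_ip is None:
            # first activation: a defender-controlled sinkhole, or someone else?
            kind = "sinkholed" if ip in known_sinkholes else "activated_unknown"
            events.append((kind, domain, ip))
        elif prev_ip != ip:
            events.append(("ip_changed", domain, ip))
        state.ip_of[domain] = ip
        body = fetch(domain)
        if body is None:
            continue
        digest = hashlib.sha256(body).hexdigest()
        prev = state.digest_of.get(domain)
        if prev is not None and prev != digest:
            events.append(("content_changed", domain, digest[:12]))
        state.digest_of[domain] = digest
    return events


def demo():
    """Constructed two-day scenario with hypothetical names and addresses."""
    domains = ["example-a.test", "example-b.test", "example-c.test"]
    sinkholes = frozenset({"192.0.2.10"})  # constructed defender sinkhole IP
    state = RadarState()
    dns = {"example-a.test": "192.0.2.10", "example-b.test": "198.51.100.5"}
    day1_web = {"example-b.test": b"initial page"}
    day1 = radar_sweep(domains, dns.get, day1_web.get, state, sinkholes)
    day2_web = {"example-b.test": b"page content replaced"}
    day2 = radar_sweep(domains, dns.get, day2_web.get, state, sinkholes)
    return day1, day2
```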