
By Nguyen Tu Quang - Senior Malware Researcher/CEO of Bkis

On April 8 our honeypot system collected several updates from goodnewsdigital(dot)com, the site that TrendMicro reported the new Conficker variant connecting to (http://blog.trendmicro.com/downadconficker-watch-new-variant-in-the-mix).

We have analyzed all the malicious code collected from this source, including news.exe, main.exe, f*ck.exe, f*ck2.exe, f*ck3.exe, f*ck4.exe, contact.exe and others, and every sample turned out to be the Waledac worm (also known as the XmasStorm worm; see http://www.pcworld.com/businesscenter/article/156043/bogus_greetings_spread_holiday_malware.html).

We have also checked the Bkis Conficker HTTP honeypot and the Bkis Conficker P2P honeypot and found no worm update on either. Moreover, according to the honeypot statistics, about 1.3 million computers worldwide are still infected with Conficker.C, the same figure we counted on April 1 (/?p=473). In other words, the Conficker.C population has not changed, and those machines have not been updated to a new variant.

For these reasons, we affirm that there has not yet been any P2P update of Conficker.

We will continue to track and update information when there are new happenings.

About Bkis

Bkis is a Vietnamese antivirus company; its product Bkav is the most popular antivirus software in Vietnam, with more than 10 million users.

1.3 million Conficker.C-infected computers worldwide: how the statistic was made (April 3)

In the April 1 entry (/?p=441), Bkis announced that there are now only 1.3 million Conficker.C-infected machines worldwide. This number was recorded by our malware trap, the Bkis Honeypot System. How was such a specific number arrived at? Here is how the system works:

To build the system, we bought 6 of the 50,000 domain names that the worm would query on April 1 and set up six servers, one per domain, with each domain name pointed at its server. Consequently, from April 1 onward, when Conficker-infected computers began "calling home" to the 50,000 domain names, some of those queries landed on our servers.

We developed special software on the honeypot servers to log every query from the worm. The logs are then analyzed by a second piece of software to produce the final statistics.

On April 1 each Conficker-infected machine calls home to domains drawn from the 50,000 generated names, which include the six pointed at our servers, so we were able to record the number of infected computers querying our servers.

One question remains: is the number of queries to the Bkis honeypot equivalent to the number of Conficker-infected computers worldwide?

On April 1 each Conficker-infected machine is programmed to query only 500 of the 50,000 domain names, chosen at random. In other words, any single domain in the list receives a request from a given infected computer with a probability of 1 percent (500 in 50,000).

Consequently, the infected hosts seen by one of our sinkholed domains are about 1 percent of all infected computers in the world. On April 1 the Bkis honeypot recorded 13,841 queries from infected computers, which puts the total number of Conficker-infected computers worldwide at about 1,384,100 (13,841 × 100). This is an estimate rather than an exact count: a 1 percent sample carries sampling error (about ±23,000 at 95 percent confidence if 13,841 is the count for a single domain), and the ×100 factor is correct for the hosts seen by a single domain, or the average per domain. Hosts counted once across all six domains together form a larger sample, since each infected host has about a 5.8 percent chance of hitting at least one of six sinkholed domains among its 500 queries, and that count would need a correspondingly smaller multiplier.

Legend of the Bkis Honeypot diagram:

(1): Infected computers worldwide calling home to the 50,000 domain names on the Internet

(2): Bkis Honeypot Sensor: a six-server system set up to trap "calling home" worms

(3): The worm's query logs

(4): Bkis Honeypot Analyzer: the log-analysis system that produces the statistics

(5): The estimated number of Conficker-infected computers worldwide and the share for each country
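As an added worked example (not Bkis's own honeypot software), the script below implements the sampling arithmetic described above over a constructed sinkhole log and checks it against a simulation. It computes the per-domain ×100 estimate used in this entry, the estimate for hosts counted once across all sinkholed domains (which needs a different multiplier), and a 95 percent confidence interval for the per-domain figure. The log line format, the domain names and the IP addresses are assumptions made for the example; the log is constructed, not captured data.

```python
"""Sinkhole sampling estimate of the Conficker.C population.

Added example; not Bkis's own tooling. Assumed model from the post: each
infected host queries K = 500 of the D = 50,000 daily domains, chosen at
random, and S = 6 of those domains were sinkholed. The log line format
"<timestamp> <source-ip> <queried-domain>" and the domain names are
assumptions; the log below is constructed, not captured data.
"""
import math
import random
from collections import defaultdict

D = 50_000   # domains generated per day
K = 500      # domains each infected host actually queries
S = 6        # sinkholed domains

# Constructed sample log (assumed format); the IPs are from documentation
# address ranges and ".example" is a reserved TLD.
SAMPLE_LOG = """\
2009-04-01T00:37:12Z 203.0.113.10 qwertyu.example
2009-04-01T00:38:01Z 203.0.113.10 qwertyu.example
2009-04-01T00:40:55Z 198.51.100.7 qwertyu.example
2009-04-01T01:02:10Z 192.0.2.33 qwertyu.example
2009-04-01T01:05:44Z 198.51.100.7 zxcvbnm.example
2009-04-01T01:11:09Z 192.0.2.99 zxcvbnm.example
malformed line that the parser must skip
"""


def parse_log(text):
    """Map each sinkholed domain to the set of distinct source IPs that
    queried it. Repeated queries from one host count once."""
    per_domain = defaultdict(set)
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # ignore anything that is not "<ts> <ip> <domain>"
        _ts, ip, domain = parts
        per_domain[domain].add(ip)
    return per_domain


def estimate_per_domain(per_domain, d=D, k=K):
    """The post's estimator: one domain sees each host with probability
    k/d (1%), so distinct hosts per domain times d/k (x100), averaged
    over the sinkholed domains present in the log."""
    counts = [len(hosts) for hosts in per_domain.values()]
    return sum(counts) / len(counts) * d / k


def estimate_union(per_domain, s, d=D, k=K):
    """Estimator for hosts counted once across s sinkholes. A host misses
    all s domains with probability (1-k/d)^s, so the union is a sample of
    size 1-(1-k/d)^s (about 5.8% for s=6), not 1%."""
    hosts = set().union(*per_domain.values())
    p_hit_any = 1 - (1 - k / d) ** s
    return len(hosts) / p_hit_any


def ci95_per_domain(count, d=D, k=K):
    """95% interval for the per-domain estimate: the count is roughly
    Binomial(N, p) with p = k/d, so its std dev is sqrt(N p (1-p))."""
    p = k / d
    n_hat = count / p
    se = math.sqrt(n_hat * p * (1 - p)) / p
    return n_hat - 1.96 * se, n_hat + 1.96 * se


def simulate(n_hosts, seed=1, d=D, k=K, s=S):
    """Synthetic April 1: n_hosts each pick k of d domains; domains 0..s-1
    play the sinkholes. Returns the same structure parse_log does."""
    rng = random.Random(seed)
    sinkholed = set(range(s))
    per_domain = defaultdict(set)
    for host in range(n_hosts):
        for domain in set(rng.sample(range(d), k)) & sinkholed:
            per_domain[domain].add(host)
    return per_domain


if __name__ == "__main__":
    logged = parse_log(SAMPLE_LOG)
    print("per-domain estimate:", estimate_per_domain(logged))
    print("union estimate (s=2):", round(estimate_union(logged, s=2)))
    print("13,841 per-domain -> 95%% CI: %.0f .. %.0f" % ci95_per_domain(13_841))
    sim = simulate(5_000)
    print("simulated 5,000 hosts -> per-domain", round(estimate_per_domain(sim)),
          "union", round(estimate_union(sim, s=S)))
```

For the 13,841 per-domain count quoted in this entry the script reports an interval of roughly 1,361,000 to 1,407,000. The simulation of synthetic hosts shows both estimators recovering the population size, whereas multiplying the raw union count by 100 would overstate it by about a factor of six.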

Only 1.3 million computers still infected with Conficker.C (April 2)

The whole world has now passed April 1, and it is safe to say that the Conficker worm did not return as widely expected. This matches what our Radar system has recorded.

As mentioned in our previous blog entry (/?p=391), the worm does not necessarily have to come back on April 1; it can return on any day after this "Doomsday". That raises two questions.

First, why did April 1 pass without any update to the worm? Second, will Conficker come back, and if so, when?

Why did April 1 pass without any update to the worm?

It helps to look at the logic the Conficker author uses to decide when the worm starts looking for its update (simplified pseudocode):

    GetDateTime(Year, Month, Day);
    IF Date(Year, Month, Day) >= Date(2009, 4, 1) THEN SearchForUpdate();
    IF UpdateFound THEN GetUpdateFromInternet() ELSE RepeatThisProcessDaily;

Note that the trigger is a single date comparison. Testing the year, month and day separately (Year >= 2009 and Month >= 4 and Day >= 1) would wrongly fail in January to March of later years, while the worm is meant to keep searching indefinitely.

This logic only says that from April 1 Conficker starts looking, among the 50,000 randomly generated domains, for one from which it can fetch a new version. If it finds one, it downloads and installs the update. If not, it repeats the search every day.

What we all saw is that April 1 passed quietly, with no shocking news of Conficker's return. That is because the worm's author did not publish any update on the Internet, and as long as the worm finds no new instruction from its master, nothing happens.

Will Conficker come back, and if so, on which day?

Conficker was expected to return on April 1. However, the analysis above shows that this day is no different from April 2, 3 and so on. The worm's code also shows that the malware poses the same risk on the subsequent days, and the return day depends entirely on Conficker's creator.

So will the worm return? Yes, it can. And when? On any day.

"Best practice is to protect your computer with the most recently updated tools and Microsoft's patch, rather than waiting for the worm to return," said Quang Tu Nguyen, CEO of Bkis. "It is like you never know when an earthquake will strike; the rule of thumb is to get yourself prepared with a specially designed house rather than sitting still and trying to predict the day it comes."

Finally, here is the latest update on globally infected computers that our Honeypot and Radar systems recorded on April 1.

The number of infected computers in the world amounts to 1,384,100. China has the largest share of computers infected by Conficker.C, with 13.68 percent, followed by Brazil with 10.44 percent.

In our previous message we stated that Conficker might originate in China. We are closely monitoring the daily generated domain names to find clues about who created the worm.

[Figure: Conficker Global Monitoring System, statistics of computers infected by Conficker.C]

Reported from Asia and Europe: Conficker hasn't come back yet! Only 1.1 million computers still infected with Conficker.C (April 2)

Yesterday Bkis set up two systems to monitor Conficker's activity around the clock. The first is a honeypot to trap Conficker's "call home" traffic globally. The second is the Bkis Radar System, which looks for the source of the update by scanning the 50,000 domain names that Conficker might use on April 1.

"Because time zones vary between countries around the world, while America has just started April 1, most countries in Asia and Europe have already been through it. The statistics collected by the Bkis Radar and Honeypot systems show that Conficker has not shown any sign of returning in Asia and Europe. However, this does not guarantee that the worm won't return on April 1, as it will still take 16 more hours for America to pass this day," said Nguyen Tu Quang, Bkis CEO.

The Bkis honeypot also reports that 1.1 million Conficker-infected computers "called home" from the 102 Asian and European countries that have already passed April 1; China has the largest share of Conficker.C-infected computers, with 17.57 percent, followed by Russia with 10.18 percent.

[Figure: Conficker Global Monitoring System, statistics of computers infected by Conficker.C]

Our honeypot also recorded that the first call home came from Korea at 0:37 GMT. Twenty-four hours into April 1 in Asian and European countries, most of the computers infected with Conficker.C have called home, and no new version of the worm has been served yet.

So the number of computers infected by Conficker.C has decreased compared with the previous figure of 10 million. This may be because users have applied the MS08-067 security patch to Windows and scanned their systems for viruses.

We will continue to track and update information when there are new happenings.

About Bkis

Bkis is a leading Vietnamese Internet security company in the Asia-Pacific region and a co-founder of APCERT (Asia Pacific Computer Emergency Response Teams). It is known as an antivirus vendor with Bkav, the most popular antivirus software in Vietnam, which has more than 10 million users.

Recently, in September 2008, Bkis discovered the SaveAs function vulnerability in Google Chrome and a flaw in the face-recognition algorithm used on Asus, Lenovo and Toshiba laptops.

http://www.google.com/search?hl=en&num=100&q=bkis+chrome+flaw&btnG=Search

http://www.google.com/search?hl=en&num=100&q=bkis+face+recognition+fake+firm&btnG=Search