The Conficker worm, a botnet that has now been alive for two and a half years, is still infecting millions of Windows machines. It managed to infect 1.7 million PCs in the fourth quarter of 2011. The worm first appeared in the fall of 2008, when a recently patched Windows vulnerability was exploited again. After that, it evolved from a simple exploit into a very effective threat to computers, adding new attack techniques that rely on weaknesses in the Windows AutoRun feature. Security firms estimated that Conficker had compromised several million computers by January 2009.
The biggest mystery around the Conficker worm was its update on April 1, 2009, when the number of infected computers was estimated at about 12 million. However, that update did not succeed, because the makers of the worm were unable to communicate with it. But that is not all: Conficker still appears to be active. According to Microsoft, detections of Conficker have more than doubled since 2009.
The Conficker botnet has approximately 7 million infected PCs, Microsoft claims. However, those worm-infected systems cannot communicate with the hackers who made this malware, so the worm cannot be updated. That is because a group of security researchers, called the Conficker Working Group, has been blocking the worm’s command and control servers and domains since early 2009.
This team registers all possible C&C domains before the hackers do. In this way they create “sinkholes” and prevent the hackers from doing any real harm. All the commands addressed to the botnet go down into a metaphorical sinkhole and never reach the infected computers. However, it is a cat and mouse game: whenever the hackers get loose, the millions of PCs infected by this worm will fall back under unauthorised hacker control.
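As an added illustration (not code from the article or from the Conficker Working Group), here is the defender’s side of that arrangement: once the candidate C&C domains have been pre-registered and pointed at a sinkhole, the sinkhole resolver’s query log reveals which internal hosts are infected, and a coverage check flags candidate domains that nobody has registered yet. The log format, domain names and addresses below are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample of resolver query log lines (hypothetical format:
# "<timestamp> <client-ip> <queried-domain>"). Not real Conficker traffic.
SAMPLE_DNS_LOG = """\
2012-01-15T08:00:01 10.0.0.17 abcdefg.example
2012-01-15T08:00:04 10.0.0.17 qpsklz.example
2012-01-15T08:00:09 10.0.0.42 intranet.example
2012-01-15T08:00:12 10.0.0.99 QPSKLZ.example.
2012-01-15T08:00:15 10.0.0.17 update.vendor.example
"""

# Candidate C&C domains the defenders registered ahead of the attackers, so
# that queries for them resolve to the sinkhole. Constructed values.
SINKHOLED_DOMAINS = {"abcdefg.example", "qpsklz.example"}

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)$")


def parse_line(line):
    """Split one log line into (timestamp, client, domain); None if malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, client, domain = m.groups()
    # Normalise case and a trailing dot so lookups against the set are exact.
    return ts, client, domain.lower().rstrip(".")


def find_beaconing_hosts(log_text, sinkholed):
    """Return {client_ip: [domains]} for every client that looked up a
    sinkholed domain: each such lookup is a bot trying to reach its C&C."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        _ts, client, domain = rec
        if domain in sinkholed:
            hits[client].append(domain)
    return dict(hits)


def uncovered_domains(candidate_domains, registered):
    """Candidate C&C domains for a period that are not yet registered: the
    gap through which the attackers could regain control of the botnet."""
    return sorted(set(d.lower() for d in candidate_domains) - set(registered))
```

Hosts returned by find_beaconing_hosts are the ones to isolate and clean; a non-empty result from uncovered_domains means the registration race is not yet won for that period.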
Figure: a huge increase in Conficker over the last three years. Image by: Microsoft