IBM sees Conficker hitting 4 percent of PCs
IBM is the second company in two days to suggest that the number of computers infected by the Conficker.C worm may be higher than previously thought.
After scanning 2 million computers over the past 24 hours, IBM's Internet Security Systems (ISS) division said Thursday that it had spotted the worm on 4 percent of the IP addresses it monitored.
Although Conficker is clearly the worst worm outbreak in years, the results came as a surprise, according to Holly Stewart, a threat response manager with ISS. "It is higher than what we expected; I thought we'd see 1 to 2 percent," Stewart said.
Late last week, IBM researchers reverse-engineered Conficker and figured out a way to track infections by measuring peer-to-peer traffic on the network. They used that technique to reach their estimate.
The results are similar to numbers released Wednesday by OpenDNS, which said it had also spotted a much larger number of infections than expected. Both IBM and OpenDNS' numbers count Conficker.C, the latest variant of the worm, and one that is easier to spot communicating on the network.
Conficker began spreading in October 2008, using a handful of sneaky tricks to spread. Once it infects a machine, it can spread very quickly on a local area network by taking advantage of a now-patched flaw in Microsoft Windows.
Experts had pegged Conficker infections in the 2 million to 4 million range, but IBM's numbers suggest that they may be much higher than that, perhaps in the tens of millions.
Still, Stewart cautioned against concluding that 4 percent of Internet users had been infected. "It's not a perfect number, nothing is. But it's the best that we can give with the data we have right now."
It's possible that Conficker infections are approaching 4 percent, said Danny McPherson, chief security officer with Arbor Networks. Because Conficker is more likely to infect certain types of users -- broadband consumers are generally more vulnerable than enterprise or government users, for example -- estimates like ISS' could come from a sample that does not represent the Internet as a whole, he said.
Still, by any measure, Conficker is a big problem. "Even if they're off by an order of magnitude -- which is possible -- the number of infected machines is immense."
IDG News Service
Sign up for ITworld's Daily newsletter
Follow ITworld on Twitter @IT_world
On Twitter now
conficker
Powered by Twitter
Esther Schindler
If the comments are ugly, the code is ugly
claird
SVG a graphics format for 21st century
pasmith
Take Chrome OS for a test spin
Sandra Henry-Stocker
Solaris Tip: Have Your Files Changed Since Installation?
jfruh
Android fragments vs. the iPhone monolith
mikelgan
What Gizmodo missed about the Pro WX Wireless USB disk drive
Where Google Chrome security fails: the password
I heard mention that the Chrome OS will have some sort of encryption available a la bitlocker. If it's possible to encrypt personal data using another password or key, then it may have potential for very secure data.... And Ubuntu has an 'encrypt home directory' option, perhaps google should follow suit.
- Dann
Join the conversation here
Quick, practical advice for IT pros. Made fresh daily.
Want to cash in on your IT savvy? Send your tip to tips@itworld.com. If we post it, we'll send you a $25 Amazon e-gift card.
Great
That's great, they have an approximation of the number of PC's infected and it's larger that first thought. (There's not much value in this but a little fear mongering.)Given that orgs are already trying to identify their infections, clean, and apply the patch, what would be more valuable is if IBM and others were able to better-understand what the conficker code _does_ and inform us of that. That way, instead of just waiting to be victimized, we could proactively prevent any future attempts/attacks by the bot.