Jan 16, 2009 Conficker worm spikes, infects 1.1 million PCs in <24 hours
By: Joel Hruska
It has been over a month since we heard much about Conficker, but the worm has reappeared with a vengeance over the past seven days. According to Finnish security company F-Secure, more than one million PCs have been infected with the worm (also known as Kido or Downadup) in the past 24 hours, with a total of 3.52 million machines infected worldwide. According to F-Secure, that 3.52 million is a conservative estimate.
The problem isn't so much with the older version of Conficker (now known as Conficker.A) but with a new flavor, dubbed Conficker.B. Ars spoke with Roger Halbheer, Chief Security Advisor of Microsoft's EMEA (Europe, Middle East, and Africa); he's been monitoring (and writing) about the current spread of infections. The skyrocketing infection rate is actually being caused by several factors; Roger describes Conficker.B as a "beast," and Microsoft has built the following diagram to demonstrate how the worm functions.
Once run or given access to an unprotected machine, Conficker.B begins searching for other systems or shares within the local network that it can infect. Shared systems, removable drives, or unpatched systems are all eligible targets, as are machines with weak passwords. This last bit is an important new feature of Conficker.B; a complete list of the passwords it checks for can be found here. If Conficker.B manages to successfully guess a password, it moves in and continues hunting for new targets.