3.5m hosts affected by the Conficker worm globally

Conficker 445 Port SANSA recently conducted experiment by F-Secure estimates that approximately 3.5 million hosts have been infected with W32/Conficker.worm also known as W32.Downadup spreading through the now patched MS08-067 as of November, 2008. Basically, F-Secure’s experiment took advantage of the very same domain registration algorithm that the cybercriminals were using in order to temporarily redirect some of the infected hosts and in the meantime count the number of infected hosts.

With several new Conficker variants released since the original November campaign, the worm’s authors seem to be diversifying the propagation vectors in order to increase the worm’s lifecycle.

Conficker Affiliate NetworkThe latest propagation tactics include USB spreading, network shares spreading, and according to McAfee, the latest samples that they’ve analyzed are attempting to exploit only English language OS versions thanks to an OS fingerprinting feature within a Metasploit exploit used by the worm’s authors.

Ever since the first release of the worm, the authors’ criminal intentions became pretty evident. Infected hosts would be exposed to fake security software claiming that the host’s security has been compromised — appreciate the irony here — with the worm’s authors earning $30 for each and every successful sale of the bogus security software. This approach of monetizing malware infected hosts through an affiliate-based network is one of the main incentives for assembling a botnet these days.

[Source: zdnet]