Conficker is still actively hitting millions of new machines.
Conficker infected or tried to infect 1.7 million Windows PCs in the fourth quarter of 2011, three years after it first said hello to the world. The 1.7 million was an uptick of 100,000 from the previous quarter, Microsoft officials said.
“Users are still struggling and battling with Conficker,” said Tim Rains, a director in Microsoft’s Trustworthy Computing group. “It’s surprising that it has this kind of staying power.”
The worm first appeared in the fall of 2008, exploiting a just-patched Windows vulnerability. It soon morphed into a much more effective threat, adding new attack techniques, including one that relied on weaknesses in Windows XP’s and Vista’s AutoRun feature. By January 2009, some security firms estimated Conficker had compromised millions of PCs.
Concern about Conficker reached its height when the mainstream media reported the worm would update itself on April 1, 2009. Because of the size of the Conficker botnet — estimates ran as high as 12 million at that point — and other mysteries, hype ran at fever pitch.
In the end, Conficker’s April 1 update passed quietly. But the worm, although prevented from communicating with its makers, has not gone away.
“It’s still out there and active,” Rains said. “It’s been the number one threat in the enterprise for the last two-and-a-half years.”
Microsoft — which collects data from its Malicious Software Removal Tool (MSRT), a free utility it distributes to all Windows users each month, its antivirus software, its Bing search engine and the Hotmail email service — said detections of Conficker jumped 225% since 2009.
The current size of the Conficker botnet is around seven million PCs, Microsoft said.
Conficker-infected systems are unable to receive updates or orders from the hackers who made the malware.
The Conficker Working Group, a group of security researchers and companies, among them Microsoft, has been blocking the worm’s command-and-control (C&C) domains since early 2009. By sinkholing those domains — registering all possible C&C domains before the hackers do — the group prevented Conficker-infected PCs from doing any real harm. Commands issued to the botnet fall down a metaphoric “sinkhole” and don’t reach the compromised computers.