Conficker Did Not Melt the Internet

But it is busy.

Last week’s April 1 trigger date for the new routines in Conficker.C/D (depending on the vendor) was misreported by some press agencies as the date many in the CWG said the Internet would melt down. Not quite. The press has been busy with the story from the hype-leading-to-fizzle angle. Sure enough, the Internet kept on trucking. Here’s a view from one BGP peer during that time; there is no big change in traffic from the days prior:

[Figure: internet_1wk_no_conficker_effect.png, one week of traffic at one BGP peer, no Conficker effect visible]

Some folks even said Conficker was sleeping.

Not quite. It’s not DDoSing, but it is apparently doing its thing, or “Confickering” as a friend said. It’s dropped a new E variant over P2P. Some reports are seeing it talk to a Waledac domain, but not everyone is.

As for why there might be a Waledac (aka Storm) connection, we do not know.

So, what happened? It looks like the DNS lockout has been working; I suspect the attackers also noticed the great de-peerings of bad ISPs that have been going on for a while and decided to avoid hosting a C&C in one of those and instead went the P2P route. For details on how the bots know how to talk to other bots over P2P see the LEXSI CERT blog.

We have no additional info to give beyond the links above. If you’re following this story, this is a major development.

Other Conficker Stuff

IBM/ISS has interesting stats on Conficker infections based on their P2P models. Some in the press have said these numbers mean 4% of the Internet is infected with Conficker. Not quite. As Vint Cerf pointed out, it helps to know the denominator when you make those sorts of population claims. As I’ll point out, it also helps to know what you’re measuring. We know Conficker has a big population, but we also know our measurements are only a lower limit (based on IP visibility etc).

We’re seeing a rise in TCP/445 scanning. Three weeks of ATLAS data for the top 50 scanners is shown below; there is a clear rise over this period:

[Figure: 445 tcp scans.png, three weeks of ATLAS data for the top 50 TCP/445 scanners]

We think this is related to new Conficker activity in this timeframe.
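As an added example (not part of the original post and not ATLAS code), here is how a “top N scanners” view like the one above can be derived from flow records: per day, count the distinct destinations each source touches on TCP/445, drop sources below a threshold so ordinary SMB clients are not counted, rank the rest, and compare the daily totals. The flow records and the hypothetical hosts in them are constructed.

```python
from collections import defaultdict


def make_sample_flows():
    """Constructed sample flow records (day, src, dst, dport, proto); not real ATLAS data.
    One source ramps up its TCP/445 sweep each day, another touches only a few hosts."""
    flows = []
    for day in (1, 2, 3):
        stamp = f"2009-03-0{day}"
        # hypothetical scanner: 10, then 20, then 30 distinct targets on 445/tcp
        for i in range(10 * day):
            flows.append((stamp, "198.51.100.7", f"10.0.0.{i}", 445, "tcp"))
        # hypothetical benign host: the same three SMB servers plus some web traffic
        for i in range(3):
            flows.append((stamp, "198.51.100.9", f"10.0.1.{i}", 445, "tcp"))
        flows.append((stamp, "198.51.100.9", "10.0.1.1", 80, "tcp"))
    return flows


def top_scanners(flows, port=445, proto="tcp", min_targets=10, top_n=50):
    """Per day, rank sources by the number of distinct destinations they hit on port/proto.
    Sources below min_targets are dropped, so ordinary clients do not show up as scanners."""
    targets = defaultdict(lambda: defaultdict(set))  # day -> src -> {dst}
    for day, src, dst, dport, p in flows:
        if dport == port and p == proto:
            targets[day][src].add(dst)
    ranked = {}
    for day in sorted(targets):
        rows = [(src, len(dsts)) for src, dsts in targets[day].items() if len(dsts) >= min_targets]
        rows.sort(key=lambda r: r[1], reverse=True)
        ranked[day] = rows[:top_n]
    return ranked


def scan_trend(ranked):
    """Sum of distinct targets hit by the ranked scanners per day, in date order,
    plus the ratio of the last day to the first (the 'clear rise' in the chart)."""
    days = sorted(ranked)
    totals = [sum(n for _, n in ranked[d]) for d in days]
    ratio = totals[-1] / totals[0] if totals and totals[0] else None
    return days, totals, ratio


if __name__ == "__main__":
    days, totals, ratio = scan_trend(top_scanners(make_sample_flows()))
    for d, t in zip(days, totals):
        print(d, t)
    print("last/first:", ratio)
```

On real flow data the threshold and window should be tuned to the network; the point is that a rise in distinct-destination counts on 445/tcp, not raw packet volume, is what distinguishes scanning from normal SMB use.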

UPDATE April 10

Oh and Mafiaboy, Conficker was not a ruse.

One Response to “Conficker Did Not Melt the Internet”

April 09, 2009 at 7:17 pm, Malware Analysis & Diagnostic said:

Conficker / Downadup – List of the main publications…

We have gathered the main technical information relating to Conficker / Downadup.

Credits: Conficker Working Group & Shadowserver

Microsoft Security Bulletin MS08-067 – Critical ( October 23, 2008, Microsoft Te…
