Both IBM ISS and OpenDNS have counted more infected IP addresses than they had hoped for

Apr 3, 2009 12:40 GMT

After implementing Conficker.C traffic detection mechanisms in the solutions they offer, both IBM and OpenDNS have counted the number of unique IPs infected with the worm as reported back from the networks they monitor worldwide. Both companies say that what they have seen has exceeded their expectations.

On April 1st, one of the update mechanisms of the infamous Conficker worm went into full action and the infected machines started randomly querying 50,000 automatically generated domain names in search of a command and control server. This allowed companies offering firewall-type or other content-filtering solutions to count the number of infected computers by monitoring the requests for those domains.
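The counting approach described above, as an added example that is not from the article or from either vendor: it matches resolver query logs against a list of generated domains and counts unique client IPs. The domain list, log format and `min_distinct` threshold are assumptions constructed for illustration; the threshold is there so that a single lookup of a name that merely coincides with a generated one does not flag a client.

```python
from collections import defaultdict

# Constructed stand-in for a day's generated domain list (not real Conficker names).
GENERATED = {"qxkplw.example", "zzrtmb.example", "hvdnca.example", "mmpwje.example"}

# Constructed resolver log, one query per line: "<timestamp> <client_ip> <qname>"
SAMPLE_LOG = """\
2009-04-01T00:03:11Z 192.0.2.10 qxkplw.example.
2009-04-01T00:03:12Z 192.0.2.10 ZZRTMB.example
2009-04-01T00:03:14Z 192.0.2.10 hvdnca.example
2009-04-01T00:05:40Z 198.51.100.7 www.example.org
2009-04-01T00:06:02Z 198.51.100.7 qxkplw.example
2009-04-01T00:09:30Z 203.0.113.5 mmpwje.example
2009-04-01T00:09:31Z 203.0.113.5 zzrtmb.example
2009-04-01T00:09:31Z 203.0.113.5 zzrtmb.example
malformed line
"""


def normalize(qname):
    """Lower-case and drop the trailing root dot so set lookups are exact."""
    return qname.rstrip(".").lower()


def count_suspect_clients(log_text, generated, min_distinct=2):
    """Return {client_ip: set of generated domains queried} for clients that
    looked up at least min_distinct different generated names."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed records instead of aborting the count
        _, client, qname = parts
        name = normalize(qname)
        if name in generated:
            hits[client].add(name)  # a set, so repeated queries count once
    return {ip: names for ip, names in hits.items() if len(names) >= min_distinct}


if __name__ == "__main__":
    suspects = count_suspect_clients(SAMPLE_LOG, GENERATED)
    for ip, names in sorted(suspects.items()):
        print(ip, len(names), "generated domains queried")
    print("unique suspect IPs:", len(suspects))
```

A count of unique IPs is not a count of hosts: several infected machines behind one NAT gateway appear as a single address, and one machine on a dynamic address can appear as several.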

OpenDNS is a free service employed by home users, companies and educational organizations to block access to phishing, malware, adult, social networking, video sharing, or other high-risk websites on their networks. It works by replacing the default DNS servers provided by ISPs with the ones managed by the service.

The company estimates that over 10 million users are employing its DNS services and has found that around 500,000 of them have been infected by Conficker.C, the worm's latest variant. According to Network World, David Ulevitch, the founder of OpenDNS, has commented that this number is a lot higher than what they were hoping for and that the problem is "probably bigger than people think, based on what we're seeing here."

The OpenDNS team has also split the numbers by country and has concluded that Asia is the most confickered continent, with Vietnam counting 13% of all detected infections, followed by Brazil (12%), the Philippines (11%) and Indonesia (10%). The United States accounted for only 5% of all computers infected with Conficker.C.

Meanwhile, IBM's Internet Security Systems (ISS) division has engaged in a similar study using the data received from customers employing its network appliances. The ISS team has watched for Conficker.C peer-to-peer traffic and has registered 221,598 unique infected IP addresses over the course of three days.

The researchers have compared that number with the total number of IP addresses registered for all security-related incidents, and have found that it amounts to 4%. "It is higher than what we expected; I thought we'd see 1 to 2 percent," Holly Stewart, an ISS threat manager, told Network World.

IT security professionals are hoping to see a decrease in the number of computers affected by the Conficker worm in the near future. This is because two researchers from the Honeypot Project have recently devised a method that allows administrators to easily identify infected systems on their networks. This technique has already been incorporated into the most popular free and commercial network scanners.