It has been a year since WORM_DOWNAD.AD (aka Conficker) began a trail of system infections around the world. Since then, Trend Micro has detected new variants, including WORM_DOWNAD.KK, which proved to be an upgraded version that enabled the worm to increase the number of domains it generated from 250 to 50,000.
In recent months, things have been relatively quiet in the DOWNAD/Conficker front. This does not mean, however, that the world is now safe from a similar massive number of infections that it previously experienced. In fact, data released by the Conficker Working Group, of which Trend Micro is part of, proves that the worm remains active. Recently released data also shows that there has been an average of more than 100 million unique IP addresses connecting to the group’s tracking systems in the first week of 2010 alone. The graph below shows the number of unique IP addresses connecting to the tracking systems in a span of one year.
These figures are further supported by the State of the Internet report for Q3 2009 from Akamai. Based on the report, there continues to be significant port 445 activity. Updates on the worm further show that there has been a change in the trend with most attacks now originating from Russia and Brazil, replacing China and the United States as the top 2 sources of traffic.
As such, users should consistently patch their systems and programs as soon as fixes are made available. It is also advisable to continue disabling AutoRun to reduce risks of infection propagation or reinfection.
Trend Micro™ Smart Protection Network™ protects users from all known variants of DOWNAD/Conficker in real-time by blocking access to identified malicious sites and domains and by detecting and preventing the download of malicious files.
The firewall modules available in Trend Micro’s desktop products stop DOWNAD/Conficker from spreading in networks. Moreover, applying the Trend Micro Deep Security solution assures protection on servers and clients against this particular and other network attacks.