Where in the World Is DOWNAD/Conficker?
- Tuesday, January 26, 2010, 7:20
- Threat Research
It has been a year since WORM_DOWNAD.AD (aka “Conficker”) began a trail of system infections around the world. Since then, Trend Micro has detected new variants, including WORM_DOWNAD.KK, which proved to be an upgraded version that enabled the worm to increase the number of domains it generated from 250 to 50,000.
In recent months, things have been relatively quiet on the DOWNAD/Conficker front. This does not mean, however, that the world is now safe from a wave of infections as massive as the one it previously experienced. In fact, data released by the Conficker Working Group, of which Trend Micro is a part, proves that the worm remains active. Recently released data also shows that there has been an average of more than 100 million unique IP addresses connecting to the group’s tracking systems in the first week of 2010 alone. The graph below shows the number of unique IP addresses connecting to the tracking systems in a span of one year.
These figures are further supported by the State of the Internet report for Q3 2009 from Akamai. Based on the report, there continues to be significant port 445 activity. Updates on the worm further show that there has been a change in the trend with most ...