Variants of the Conficker worm were still active and spreading during the third quarter, accounting for much of attack traffic on the Internet, according to Akamai Technologies.
“Although mainstream and industry media coverage of the Conficker worm and its variants has dropped significantly since peaking in the second quarter, it is clear from this data that the worm (and its variants) is apparently still quite active, searching out new systems to infect,” Akamai said in its State of the Internet report for the third quarter of 2009, released Thursday.
During the third quarter, 78 percent of Internet attacks observed by Akamai targeted port 445, up from 68 percent during the previous quarter. Port 445, which is used by Microsoft Directory Services, is the same port that Conficker targets, aiming to exploit a buffer overflow vulnerability in Windows and infect the targeted computer.
Most attacks originated from Russia and Brazil, which replaced China and the U.S., as the top two sources of attack traffic. Russia and Brazil accounted for 13 percent and 8.6 percent of attack traffic, respectively, Akamai said. The U.S., which came in at No. 3, accounted for 6.9 percent of attack traffic and No. 4 China accounted for 6.5 percent, it said.
“Port 445 was overwhelmingly the top port targeted by attacks originating in Russia and Brazil, which may indicate the presence of a large number of systems in both countries actively participating in Conficker-related botnets,” Akamai said.
While Microsoft has issued a patch that fixes the vulnerability exploited by earlier versions of Conficker, experts believes the worm remains active because many infected machines are running unlicensed copies of Windows and don’t have access to security updates.
Citing figures from the Conficker Working Group, Akamai noted that the number of Conficker.A and Conficker.B infections worldwide rose during the third quarter, while infections of Conficker.C declined during the same period.
However, recent numbers estimates for the number of Conficker infections appear to have moderated somewhat, with the number of computers infected with Conficker.A or Conficker.B dropping from a high of around 6.7 million in late October to around 6.3 million machines today.
The number of Conficker.C infections has declined from 400,000 computers in late October to roughly 280,000 today.