According to Symantec, China and Argentina are the countries that have been hit hardest by the worm, which started spreading about two months ago but is thought to have infected millions over the past few weeks. China accounts for close to 29 percent of the infections tracked by Symantec, and Argentina was second with just over 11 percent, according to Alfred Huger, vice president of Symantec Security Response. “We’re not seeing anywhere near the number of infections in western Europe and North America.”
The worm, known by several names including Conficker and Downandup, has been spreading by taking advantage of a flaw in a Windows Server service that Microsoft patched last October. Conficker can also spread by guessing administrative passwords on a network and infecting USB devices that connect to computers.
Infection rates in the U.S. are closer to the 1 percent level, Huger said.
Phil Porras, program director at SRI International, said the worm has hit China, Brazil, Russia and Argentina the hardest. Interestingly, an earlier variant of Conficker would not attack victims who were using Ukrainian keyboards, but the latest version of the worm does.
Huger said the worm’s designer has written special code that operates a certain way on Chinese and Brazilian networks, meaning those two countries may have been targeted by the attackers.
Nobody knows for sure why Asia and Latin America were so hard hit, but Huger and Porras both said countries with large amounts of pirated software were more likely to be affected. “I think that piracy plays a role, though I don’t know if it’s the key contributor,” Huger said.
Both researchers were waiting to see what hackers would do now that they have infected such a large number of computers. Earlier versions of Conficker tried to install a program called Antivirus XP, a notorious rogue antivirus program that infects victims’ computers with pop-up messages in an attempt to trick them into paying for bogus software.
Researchers said the machines could be converted into what would be the world’s largest botnet computer network or sold off piecemeal to criminals.
Infected computers are now regularly visiting about 500 rendezvous points on the Internet looking for instructions. When those instructions finally appear, computer experts will know more about what the worm was designed to do.
“It’s a fantastic spread relative to other threats, and yet the author seems to have become suddenly self-conscious about updating,” Huger said. “Maybe he’s concerned about all the press it’s getting and doesn’t want to go to jail.”