NEWS FROM THE LAB - Friday, February 27, 2009

Downadup, Good News / Bad News

Posted by Response @ 18:59 GMT

First the bad news: There are still a lot of Downadup (Conficker) infections out there.

Our February 5th post noted 1.9 million unique IP addresses connecting to our sinkhole. We're now logging something around 2.1 to 2.5 million. The log files are huge and can be very time consuming…

Here's the good news: Despite the ongoing infections, progress was made against the worm.

Domains monitored by our sinkhole can no longer be registered. The worm's ability to phone home has been crippled. This is due to a collaborative effort within the industry.

On February 12, 2009, Microsoft announced a $250,000 USD reward for information. Microsoft's Conficker Worm page has details. Bounties have been successful in the past, e.g. Netsky's author, Sven Jaschan.

Our January 30th post provided a Downadup domain blocklist for the month of February. While the domains no longer need to be blocked, such a list can still be useful to monitor for infected machines within your own network.

You can download a ZIP file with domains in use until June 30th from the Microsoft Security Response Center.
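One way to use such a domain list for monitoring, as an added example (not F-Secure's or Microsoft's tooling): the script below matches resolver query logs against the list and ranks internal clients by how many distinct listed domains they looked up. The BIND-style log layout, the placeholder `.example` domains and all function names are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed placeholders standing in for entries of a Downadup domain list.
SAMPLE_BLOCKLIST = """\
# one domain per line; comments and blank lines are ignored
aaaexample1.example
bbbexample2.example.
CCCEXAMPLE3.EXAMPLE
"""

# Constructed resolver query-log lines (assumed BIND-style layout).
SAMPLE_LOG = """\
27-Feb-2009 10:00:01.100 client 10.0.0.5#1031: query: aaaexample1.example IN A +
27-Feb-2009 10:00:02.200 client 10.0.0.7#1044: query: www.f-secure.com IN A +
27-Feb-2009 10:00:03.300 client 10.0.0.5#1032: query: www.bbbexample2.example. IN A +
27-Feb-2009 10:00:04.400 client 10.0.0.9#2050: query: CCCexample3.example IN A +
27-Feb-2009 10:00:05.500 client 10.0.0.5#1033: query: aaaexample1.example IN A +
"""

QUERY_RE = re.compile(r"client (?P<ip>[0-9a-fA-F.:]+)#\d+.*?query: (?P<name>\S+) IN ")

def normalize(name):
    """Lower-case and drop the trailing root dot so list and log names compare equal."""
    return name.strip().rstrip(".").lower()

def load_blocklist(text):
    lines = (l.strip() for l in text.splitlines())
    return {normalize(l) for l in lines if l and not l.startswith("#")}

def is_listed(name, blocklist):
    """True if the queried name is a listed domain or a subdomain of one."""
    labels = normalize(name).split(".")
    return any(".".join(labels[i:]) in blocklist for i in range(len(labels)))

def suspect_hosts(log_text, blocklist, min_distinct=1):
    """Return [(client_ip, [listed names queried])], most distinct names first."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if m and is_listed(m["name"], blocklist):
            hits[m["ip"]].add(normalize(m["name"]))
    ranked = sorted(hits.items(), key=lambda kv: (-len(kv[1]), kv[0]))
    return [(ip, sorted(names)) for ip, names in ranked if len(names) >= min_distinct]

if __name__ == "__main__":
    for ip, names in suspect_hosts(SAMPLE_LOG, load_blocklist(SAMPLE_BLOCKLIST)):
        print(f"{ip}: {len(names)} listed domain(s): {', '.join(names)}")
```

Raising `min_distinct` filters out clients with a single stray lookup and leaves the hosts that repeatedly walk the list.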

Our Removal Tool is called f-downadup.