Vietnam has 73,000 of the world’s 1.3 million or so computers infected with the Conficker worm as of Wednesday, making it the fifth worst affected country in the world, a local Internet security center said.
China tops the list with the number of affected personal computers accounting for 17.57 percent of the total, according to Bach Khoa Internet Security (BKIS).
Thanks to its two 24-hour global monitoring systems, BKIS has been able to place Russia, Brazil and India in second, third and fourth positions respectively in terms of the number of infected PCs.
Also known as Downadup or Kido, Conficker is believed to be the most widespread computer worm in Internet history, attacking between nine and 15 million PCs since it was released in 2003.
Now, researchers fear the worm might evolve from East to West, beginning in the time zones that were first to greet April Fools’ Day, to make itself harder to exterminate and its masters tougher to find.
Conficker turns infected PCs into slaves that respond to commands sent from a remote server that effectively controls an army of computers known as a botnet.
The worm was partially thwarted on Wednesday by using the Internet’s traffic control system to block access to servers that control the slave computers.
But in cases where the slaves did connect, they did not receive new orders.
The new version, Conficker.C, was expected to reach out to 250 websites daily to download commands from its masters, but on Wednesday it began generating daily lists of 50,000 websites and reaching out randomly to 500 of those, analysts said.
However, the hackers behind the worm have yet to give it any specific orders, they said.
While the number of infected PCs is much lower than antivirus software makers expected, the threat is still there, BKIS said, agreeing with experts worldwide that the hackers are waiting until they are under less scrutiny before launching a harder attack.
“I never thought it would happen on April 1,” Roger Thompson, chief research officer at the anti-virus firm AVG, told Reuters in an interview. “It might be tomorrow. It might be next week. It might be next month.”
“There are still millions of personal computers out there that are, unknown to their owners, at risk of being controlled in the future by persons unknown,” Trend Micro threat researcher Paul Ferguson told AFP.
“The threat is still there. These guys are smart; they are not going to pull any obvious strings when there are so many eyeballs on the problem,” Ferguson added.
The global security industry has formed a task force to fight it. Vietnam’s contribution is the Vietnam Computer Emergency Response Team, which issued a red alert on March 27.
Microsoft too has assembled a task force that has been working to stamp out the worm, and has placed a bounty of US$250,000 on the heads of those responsible for the threat.
“It is pretty sophisticated and state-of-the-art. It definitely looks like the puppet masters are located in Eastern Europe,” Ferguson said.
BKIS Director Nguyen Tu Quang told local newswire ICTnews that their code analysis of Conficker showed it to be similar to Nimda, a computer worm released in 2001 that BKIS identified as originating in China.
Unknown threats
Viruses that turn PCs into slaves exploit weaknesses in Microsoft’s Windows operating system. The Conficker worm is especially tricky because it can evade corporate firewalls by passing from an infected machine to a USB memory stick, then to another PC.
While the Conficker botnet is still inactive, analysts say millions of machines in other networks are regularly ordered to perform tasks for their masters.
The botnet’s owners often sell the slaves or rent them out, offering services such as credit-card and banking information theft. They can be customized to perform other tasks, such as knocking down websites and bringing down corporate networks.
“The worst thing is that no one really knows what these things can do. These things can be programmed to do anything,” said Mel Morris, CEO of anti-virus company Prevx.
Conficker garnered unprecedented attention in recent days because it is unusually large – most botnets have no more than a few million slaves – and because it was coded to mutate on April Fools’ Day.
While estimates vary greatly, researchers say tens of millions of machines are compromised without the knowledge of their owners.
Alfred Huger, a senior researcher with Symantec, thinks Conficker has the stamina to survive several years. He believes the motives of the army’s commanders are the same as those of the other botnets in cyberspace.
“I think it will be a fairly vanilla botnet,” he said.