Researchers say the notorious Windows worm has created a "headless botnet" - but one that continues to maintain a hold of millions of computers. A year after the infamous April 1 doomsday deadline, the investigation into the masterminds of the worm continues.
On April 1, 2009,
the Conficker worm played an April Fools' Day joke of its own on those who predicted
an Internet meltdown
But instead of a meltdown, infected computers only got a slight update in
functionality, followed by brief attempts to rope them into rogue antivirus
scams and then months of silence. Right now, Conficker appears to be a
"headless botnet," opined F-Secure Chief Research Officer Mikko Hypponen, a
massive Web of millions of computers
that isn't doing much of anything.
"The gang has done nothing over the last
as far as we can see," he told eWEEK.
Vincent Weafer, vice president of Symantec Security Response, agreed. Beyond
computers infected with Conficker.C downloading
malware and rogue
SpywareProtect 2009 last April, the botnet has not really
stirred, he said.
"However, it's important to remember that with an army of nearly 6.5 million
computers, the threat remains a viable one and should
not be dismissed
," he added. "To put this into perspective, the Mariposa
botnet reportedly infected more than 11 million computers during its lifetime
and the Rustock botnet, which actually sends out 32.8 percent of all spam, is
estimated to sit on somewhere between 1.6 and 2.4 million machines. So,
Conficker may not be the biggest botnet ever, but it certainly is a major one."
Perhaps not surprisingly, there is little news about the identities of those
responsible for the worm. But there is a digital trail of bread
crumbs that law enforcement can follow-such as the source of domain
registrations, code similarities with other malware and the source of rogue
spyware associated with the malware, Weafer noted.
"Tracing a worm back to its origin is never an easy task," he said. "Unlike
a traditional hacking attack where there is a relatively direct connection
between the attacker and victim, a virus or worm is very anonymous and
indirect. The author creates the virus and releases it into the wild, perhaps
never directly communicating with it again. Infection and control commands are
directed from other victim systems in multiple countries using encrypted
communications, so it takes a lot of time and effort to track down each system
in the chain, and by the time law enforcement gets a court order to access the
data, the evidence may be no longer available.
"In the past, virus writers have been identified from postings they have
made online ... information provided by their friends for bounties or dispute, or
because they directly connected to the virus or bot from systems registered in
their own name," Weafer said. "For professional criminals, however, these are
not usually mistakes that they make."
Microsoft still has a $250,000 bounty out for information leading to the
arrests of those responsible for Conficker, which got its start exploiting
a Windows vulnerability in November 2008. Variants B and C (also known as
B++) also spread by abusing Windows' AutoRun feature for USB
devices. But for all the computers the worm infected-and continues to infect-its
biggest legacy may end up being the way it brought various vendors and security
"The Conficker Working Group was probably the best example of cross-industry
cooperation I've seen during my professional career," Hypponen said. "I think
the biggest lesson we learned was how much more powerful we are together."