As Conficker Turns, Botnets Burn

By Matthew Hines  |  Posted 2009-04-27 Print this article Print

So, whatever happened to Conficker?

Well, it's still sitting there. And depending on whether you believe that it's still rotting on 15 million endpoints or more, or as Kaspersky researchers recently estimated, only about 200,000, it's there. Doing something, or things. Occasionally being used to generate spam-driven malware campaigns, occasionally updating itself.

Some people think that Conficker was too good for its own good, and spread so quickly that it lessened its eventual punch by raising the hackles of everyone from U.S.-CERT to "60 Minutes."

Others think that it's pretty much done what it was designed to do, which was take advantage of a ton of machines that never got updated with an available Windows security patch from Microsoft.

But if we are in the end to judge it by its behavior, basically, it's just your average botnet being used for fairly run-of-the-mill badware and spam distribution. If anything, it's been acting a little sluggish, compared to other (known) botnets of its class.

Meanwhile, while everyone's been scratching their collective chins and wondering what Conficker is built for, other more heavily tasked botnets are cranking away with reckless abandon.

According to a report issued by botnet researchers at Web gateway vendor Marshal8e6 on Monday, some of the hardest working botnets, including the Rustock and Xarvester networks, are creating individual zombie computers that can send up to 600,000 spam messages in a 24 hour period.

"Over the past few years, botnets have revolutionized the spam industry and pushed spam volumes to epidemic proportions despite the best efforts of law enforcement and the computer security industry," Phil Hay, a senior threat analyst at Marshal8e6's Tracelabs, said in a report summary.

While Conficker is putzing around trying to find itself, the Xarvester, Mega-D, Gheg, Grum, Donbot, Pushdo, Bobax, Rustock and Waledac botnets are cranking out more than 70 percent of the world's total spam, the report contends.

And while infected Web sites have become the primary attack model for malware distributors in recent years, the sites typically rely heavily on e-mail driven social engineering campaigns to lure visitors into clicking over.

"The spamming botnets are constantly in flux. Botnets morph, become obsolete, replaced, taken down, and upgraded. One thing is clear, a mere handful of botnets are responsible for the bulk of all spam sent," the researchers said.

Over the last three months, the Pushdo (26.1) and Rustock (20.6) botnets alone have accounted for just under 50 percent of all the world's spam, outranking its peers by a significant margin, Marshal8e6 said.

The company reported that its data, compiled during the first quarter of 2009, represents two years of observation into the inner workings of the botnets.

So, let me get this right. We've known about Rustock for years, and it's pounding out nefarious content, we can't seem to stop it, yet we're obsessed with Conficker.

Perhaps we should be measuring the potency of these botnets based on their output, versus measuring their notability by their stature. Because when it comes to which of the attacks is doing the most damage, it seems like that race is already over.

Matt Hines has been following the IT industry for over a decade as a reporter and blogger, and has been specifically focused on the security space since 2003, including a previous stint writing for eWeek and contributing to the Security Watch blog. Hines is currently employed as marketing communications manager at Core Security Technologies, a Boston-based maker of security testing software. The views expressed herein do not necessarily represent the views of Core Security, and neither the company, nor its products and services will be actively discussed in the blog. Please send news, research or tips to |

Submit a Comment

Loading Comments...
Manage your Newsletters: Login   Register My Newsletters

Rocket Fuel