Conficker - The Paris Hilton of Botnets

 
 
By Matthew Hines  |  Posted 2009-03-30 Print this article Print
 
 
 
 
 
 
 

As I was watching Symantec security expert Stephen Trilling brief "60 Minutes" correspondent Leslie Stahl about Conficker last night, I had to shake my head in wonder at how high profile the attack has really become.

For a single malware campaign to gain such specific notoriety just seems pretty unprecedented, at least since anything that we've seen since the ILoveYou virus and the golden era of worms or something. But the fact that Conficker is becoming a household name struck me as somewhat remarkable, it going so mainstream and all.

I actually had to stop and wonder for a minute if all this newfound attention is truly merited, at least in the sense of how significant Conficker is compared to all the massive botnets that came before it and those that will surely come after it. I just had to wonder why it is that Conficker has come to captivate the peering masses as it clearly has, in addition to the usual security research crowd.

I'm not sure that I still understand yet why this is.

When we saw initial reports of Conficker, the most remarkable aspect of the rapidly spreading botnet was that in addition to employing traditional Web and messaging-based means to spread itself, it was also utilizing USB memory device propagation techniques to find its way onto endpoints and networks. Pretty cool, I thought, but not that monumental or anything.

In other regards, it just seemed like another powerful new botnet, one of dozens or more thrashing around the Internet at any given time. But then it just kept coming and coming...

Even with the advancing reports of Conficker's growing presence across major networks, and many enterprises' admissions that they were getting nailed by it, it truly was an eye opener when the whole anti-Conficker Cabal effort was first announced, both in the sense that this one particular threat had attracted so much attention, and in that it was raising the hackles of such a high-profile group of organizations.

When Microsoft and ICANN and a whole trove of other big names are coming after you and putting a $250,000 bounty on your head, you know that you've created something beyond the ordinary. All of a sudden it was clear that Conficker was becoming something historic, or at least it became evident that a lot of influential people thought so.

But, the truth is, the more you look at it, Conficker is really just the latest and greatest iteration of a certain ilk of botnet that we've actually been seeing for a while. A very highly advanced, rapidly proliferating type of botnet generation that reaches at least as far back as the Storm "Worm" campaign that first caught everyone's eye back in Jan. 2007.

Because, despite its name, we all know that Storm "Worm" was actually the Storm botnet, but its newish P2P method of spreading was merely something pretty effective that we hadn't seen an exact replica of before. And it similarly thrived seemingly unabated for a good long time as well.

Now, of course the technical underpinnings of the two botnets represent very different approaches to infection, but their central idea is the same.

That being, the bad guys are constantly toiling to create the next breed of botnet that can circumvent both the defensive means being deployed by end user organizations to stop them, and, even better for the (bot masters), discovering new ways to keep the people who run the backbone networks we all depend on from being able to choke them to death.

All that Conficker has truly done is establish a new pattern built on the ones that we've already seen, but its buzz factor has really impressed of late, especially considering that the attack has already been around for almost 6 months.

Currently, there are a whole bunch of people running around arguing whether or not April 1 will be some sort of Conficker doomsday because apparently the date is buried in the attack's code to the extent that it may have some significance... and just as many experts are already saying that the April 1 thing won't pan out.

Just a few weeks ago, one of the world's foremost botnet experts suggested that Conficker might have already hit its peak, and potentially even be poised to falter.

At the same time, Conficker has become so entrenched in everyone's psyche that the people trying to get end users to download the threat are apparently simply sending it out over Google marked under its own name. That's a pretty direct method of infection, but as evidenced by the "60 Minutes" piece, the attack has become so ubiquitous that a lot of folks are likely going to Google to research it there anyways. Who needs social engineering?

Conficker is unquestionably the current cause célèbre among botnets, which only just a few months ago seemed to be threatened by the ability of researchers to merely shut down a shady hosting company or two. And, we still don't even know what it does, other than spread itself quite effectively.

This is all sort of amusing to me because, the more you follow these attacks, the more you realize how by the time you hear about something like Conficker, especially on mainstream TV, the more likely it is that it's probably already being de-emphasized by the cutting-edge bad guys who've probably already sold it off to someone lesser and moved on to something else that nobody has even heard of yet.

It's interesting to consider why Conficker has become such a media darling. Why now? Why have people decided to care so much in this case? I'm not sure, though, it can't be a bad thing...

But for anyone who has been following botnets, Conficker isn't so much something that seems surprising as much as something that seems inevitable that will mostly likely be soon surpassed by another even smarter form of botnet campaign... it's actually already yesterday's news.

Is the story here that the mainstream is finally getting a fix on botnets?

Well, that's good, but only about five years too late.

Matt Hines has been following the IT industry for over a decade as a reporter and blogger, and has been specifically focused on the security space since 2003, including a previous stint writing for eWeek and contributing to the Security Watch blog. Hines is currently employed as marketing communications manager at Core Security Technologies, a Boston-based maker of security testing software. The views expressed herein do not necessarily represent the views of Core Security, and neither the company, nor its products and services will be actively discussed in the blog. Please send news, research or tips to SecurityWatchBlog@gmail.com.

 
 
 
 
del.icio.us | digg.com
 
 
 
 
 
 

Submit a Comment

Loading Comments...
 
 
Manage your Newsletters: Login   Register My Newsletters























 
 
 
 
 
 
 
 
 
 
 
Rocket Fuel