Conficker Still Growing, Though Slowing?

By Matthew Hines  |  Posted 2009-03-04 Print this article Print

The Conficker botnet might as well have been named the Confounder botnet up until recently, but some experts think that despite the attack's continued proliferation, there may finally be some light at the end of the tunnel.

Looking at various reports highlighting Conficker's worming propagation during the month of Feb. it's clear that the attack was still charging its way across the IT landscape with a pace something akin to reckless abandon.

In fact, among the roughly 7750 active Conficker botnet communication domains recently tracked by researchers at Sophos, the experts found the URLs of some pretty well known businesses, including Southwest Airlines, noted SophosLabs researcher Mike Wood in a recent blog post.

Alongside some far less known Web properties, shameless malware fronts and a lot of vacant, for-sale domains involved in Conficker, Wood observed that the ability of the attack to somehow subvert the URLs of trusted companies like Southwest will continue to make it hard for researchers, even the vaunted Conficker Cabal led by Microsoft and ICANN, to clamp down on the threat rapidly.

It will also lead to suffering on the part of those involved when their sites start getting blocked because of their involvement in the botnet, he predicted.

"A legitimate domain that happens to make it into the Conficker call-home list is a problem for two reasons. First, without proper investigation, they may end up on a block list and prevent users from accessing their services. Second, those millions of Conficker infected machines contacting the domain on its given day may overload the site and essentially result in a denial-of-service attack," Wood writes.

Some experts are predicting that Southwest's site may even give way to a DDoS style influx of Conficker traffic, leaving consumers without access, perhaps even later this week.

Other reports charted the Conficker virus and "its brethren" as ranking among the leading attacks tracked during the month of February.

Despite ongoing efforts by the Conficker Cabal to get out ahead of the attack and choke off the supply of new domains it seeks to suck into its path, one variant of the threat alone, Trojan.AutorunINF.Gen, ranked third among all the malware campaigns observed by anti-malware provider BitDefender during the month.

Yet, while there is no clear sign of Conficker slowing down, some experts have seen indications that things may finally be moving in the right direction.

Jose Nazario, a well-known botnet expert employed by enterprise security tools vendor Arbor Networks, observed that Conficker's run may have already peaked.

"I suspect that things like this are always best determined long after they've happened, but we've seen Conficker numbers host steady at 3 million unique IPs a day for the past week, so maybe it's just topping out," Nazario wrote in a recent blog post.

The work of the Cabal, of which Arbor is a member, may finally be helping ISPs from preventing the attack to sink its teeth into their IP address roles, the expert maintains. Time will tell if Conficker has indeed maxed out but one could reasonably expect that copycat attacks may arise in the future.

One could argue that anti-botnet technology vendors including Damballa have their own interests at heart when they cite the need to deploy dedicated tools throughout the enterprise to stop botnets from running wild. However, if there's one thing that Conficker has proven, it's that the larger security industry, even some of its most influential players, haven't figured out a manner of stopping the worst iterations of the threats from leaving their mark around the globe.

Matt Hines has been following the IT industry for over a decade as a reporter and blogger, and has been specifically focused on the security space since 2003, including a previous stint writing for eWeek and contributing to the Security Watch blog. Hines is currently employed as marketing communications manager at Core Security Technologies, a Boston-based maker of security testing software. The views expressed herein do not necessarily represent the views of Core Security, and neither the company, nor its products and services will be actively discussed in the blog. Please send news, research or tips to |

Submit a Comment

Loading Comments...
Manage your Newsletters: Login   Register My Newsletters

Rocket Fuel