Conficker Mystery to Continue at Black Hat Conference

For all that has been written and said about the notorious Conficker worm, much remains unknown to the public. Who was behind it? What was their motive?

Unfortunately, those mysteries will not be unraveled this week at the Black Hat security conference, when F-Secure Chief Research Officer Mikko Hypponen gives his presentation on the worm.

“The original plan of what I was supposed to be talking about on Thursday I will not be able to talk about,” he said. “I got requested to not go into detail because of ongoing investigations relating to the real topic of my talk, which was the motives of the Conficker gang … which really is the main Conficker mystery.”

Still, the malware helped build one of the biggest botnets in years—at one point reaching around several million, according to some estimates. In May, even after months of publicity and work by vendors and researchers, the worm was still attempting to infect some 50,000 new PCs daily.

There are still more than a million infected nodes out there, many of them in places like India, Vietnam and Brazil, Hypponen said.

“The good news is that it is dormant,” he said. “My understanding of the people behind it is that these guys were experts in things like encryption and coding … but they probably were not experienced botnet owners.”

If they were, he explained, they would not have violated a cardinal rule of cyber-crime—avoid publicity. It was, after all, the notoriety of Conficker that galvanized the security community into coming together and creating cooperatives such as the Conficker Working Group.

“[Experienced crooks] control the infection rates [and] keep them low on purpose,” he said. “Conficker was running loose and my understanding, or my guess, on why that was happening was that it was the first botnet these guys were operating and they didn’t realize that that’s a bad idea.”

The minds behind the worm may have been newbies to cyber-crime, but their use of the MD6 hash algorithm and their self-defense mechanisms that kept victims from logging on to the Websites of security vendors to clean their systems underscore the level of sophistication involved in the attack. In fact, Conficker.B is believed to be the first production use of the MD6 algorithm.

“I have never seen MD6 used anywhere, much less any malware, except Conficker,” he said.

Though Hypponen is going forward with the presentation, he said he is skeptical the full details of what happened will be made public anytime soon.

“I hope so, but in practice, probably not.”