Conficker Remains Mystery at RSA Security Conference

After all the hype and a concerted effort by the security research community, much still remains unknown about those behind the Conficker worm. At the RSA Conference in San Francisco, attendees express a mix of skepticism and anticipation about the worm still plaguing Windows PCs.

The Cyber Secure Institute recently added one more number to think about when the security community hears the name Conficker: 9.1 billion.

That is how many dollars were lost in terms of wasted time, resources and energy as the cyber-community dealt with the worm, variants of which over the past several months have infected millions of PCs.

Still, with the relatively small efforts being made to monetize the worm, some at the RSA Conference half-jokingly wondered if the Conficker worm's authors were mainly interested in sending the security community into a tizzy while experimenting with ways to build a well-armored piece of malware.


At the conference, held in San Francisco April 20 to 24, researchers expressed mixed opinions about whether the fear generated by hype about Conficker was useful or harmful. Weeks after the worm's "big day" of April 1, however, researchers can still only speculate as to what will happen when the latest variant, widely known as Conficker.E but also known as Downadup.E, reaches its "untrigger date" in May.

Security expert Bruce Schneier noted in a blog post during the conference that the fact that Conficker's authors gave people a specific date to anticipate helped crystallize the fear many felt.

"It's a specific threat, which convinces us that it's credible. It's a specific date, which focuses our fear. The huge, menacing buildup and then nothing is a good case study on how we think about risks," Schneier wrote.

The exact number of Conficker infections overall remains in dispute, but the Conficker Working Group currently has the number of unique IPs infected with variants A, B and C at more than 3.5 million.

Kaspersky Lab recently analyzed peer-to-peer traffic between Conficker-infected computers and found about 200,000 unique IPs were participating in the P2P network. Kaspersky cautioned, however, that this number only includes computers participating in the network, and that the actual number of infected PCs is much higher.

There has been relatively little in the way of income-producing activity tied to Conficker. The worm has turned up in connection with a scheme to trick victims into paying for rogue anti-virus software. However, other than that, there has not been a huge stream of money coming from the worm's network of infected bots, numerous researchers said.

"Right now the motives are not completely clear," said Steve Manzuik, senior manager of security research and engineering at Juniper Networks. "But it would seem to me that there will be a money-making attempt simply based on the effort put into the code."