Conficker: 'Headless Botnet' Still Infecting Windows Users

Researchers say the notorious Windows worm has created a "headless botnet" - but one that continues to maintain a hold of millions of computers. A year after the infamous April 1 doomsday deadline, the investigation into the masterminds of the worm continues.

On April 1, 2009, the Conficker worm played an April Fools' Day joke of its own on those who predicted an Internet meltdown.

But instead of a meltdown, infected computers only got a slight update in functionality, followed by brief attempts to rope them into rogue antivirus scams and then months of silence. Right now, Conficker appears to be a "headless botnet," opined F-Secure Chief Research Officer Mikko Hypponen, a massive Web of millions of computers that isn't doing much of anything.

"The gang has done nothing over the last 12 months as far as we can see," he told eWEEK.

Vincent Weafer, vice president of Symantec Security Response, agreed. Beyond computers infected with Conficker.C downloading the Waledac malware and rogue antivirus program SpywareProtect 2009 last April, the botnet has not really stirred, he said.

"However, it's important to remember that with an army of nearly 6.5 million computers, the threat remains a viable one and should not be dismissed," he added. "To put this into perspective, the Mariposa botnet reportedly infected more than 11 million computers during its lifetime and the Rustock botnet, which actually sends out 32.8 percent of all spam, is estimated to sit on somewhere between 1.6 and 2.4 million machines. So, Conficker may not be the biggest botnet ever, but it certainly is a major one."

Perhaps not surprisingly, there is little news about the identities of those responsible for the worm. But there is a digital trail of bread crumbs that law enforcement can follow-such as the source of domain registrations, code similarities with other malware and the source of rogue spyware associated with the malware, Weafer noted.

"Tracing a worm back to its origin is never an easy task," he said. "Unlike a traditional hacking attack where there is a relatively direct connection between the attacker and victim, a virus or worm is very anonymous and indirect. The author creates the virus and releases it into the wild, perhaps never directly communicating with it again. Infection and control commands are directed from other victim systems in multiple countries using encrypted communications, so it takes a lot of time and effort to track down each system in the chain, and by the time law enforcement gets a court order to access the data, the evidence may be no longer available.

"In the past, virus writers have been identified from postings they have made online ... information provided by their friends for bounties or dispute, or because they directly connected to the virus or bot from systems registered in their own name," Weafer said. "For professional criminals, however, these are not usually mistakes that they make."

Microsoft still has a $250,000 bounty out for information leading to the arrests of those responsible for Conficker, which got its start exploiting a Windows vulnerability in November 2008. Variants B and C (also known as B++) also spread by abusing Windows' AutoRun feature for USB devices. But for all the computers the worm infected-and continues to infect-its biggest legacy may end up being the way it brought various vendors and security researchers together.

"The Conficker Working Group was probably the best example of cross-industry cooperation I've seen during my professional career," Hypponen said. "I think the biggest lesson we learned was how much more powerful we are together."