The malware makers who crafted Conficker must be extremely disappointed, a security expert said today, and not because the Internet didn't come crashing down as some of the wildest speculation had predicted.
“All of their work has gone for naught,” said Alfred Huger, vice president of development for Symantec Corp.'s security response team, referring to the hackers who created the Conficker worm.
Ironically, it was the extraordinary success of Conficker that made the hackers' work essentially a wasted effort, Huger said. “Most of the work done on Conficker was because of all the attention it got, absolutely,” he said, pointing to the drumbeat of coverage since the worm first surfaced in November 2008 and the frenzy that led up to today, when its newest variant started switching to a new communications scheme.
“This is the biggest worm, in terms of press coverage received, since we experienced Code Red,” Huger noted. Code Red, which struck Microsoft Corp.'s server software in 2001, slowed networks to a crawl. “And that's great. I think the threat was genuine, and without all the attention, it could have been a big problem.”
The anti-Conficker efforts prompted by that attention included the so-called “Conficker Cabal,” a consortium of researchers and companies that have tried to disrupt the worm's “phone home” ability. Other researchers, meanwhile, exploited a Conficker flaw to create a scanner that quickly detected infected PCs.
The beginning of the bad news to Conficker's makers was in January, Huger said, when the worm's profile soared as it infected millions of Windows PCs. “The distribution is what got everyone's attention, because it got so big in such a short time,” Huger said. “And the fact that it was exceptionally well written, that was in intriguing to [security] researchers.”
Vincent Weafer, another Symantec security response executive, put it succinctly earlier this week. “In reality, the author or authors probably didn't intend for this malware to get as much attention as it has,” he said in an e-mail. “Most malware these days is designed to be used for some type of criminal monetary gain, and conducting such criminal acts typically requires stealth measures to be successful.” “I think this just fades into the background noise of bot networks,” Huger said today. “It's a large botnet, but not the largest.”
How large is still unknown. Although estimates of the size of the Conficker-infected pool have ranged from 1 million to 12 million, it has been difficult to pin down the number of computers infected with Conficker.c, the newest variant and the one that sparked the massive coverage leading up to today.
It was the April 1 date hard-coded into Conficker.c that had some people on edge; today was when Conficker.c would be told to begin using a new method of reaching its command-and-control servers. Earlier versions of the worm generated a list of 250 possible domains each day that the malware could use to route instructions from the hacker controllers, but Conficker.c cranks out a list of 50,000 Web addresses daily.
Most security experts had predicted that nothing unusual would happen today, and they were proved right. “It hasn't changed significantly,” said Holly Stewart, the threat response manager for IBM Internet Security System's X-Force group. “We monitored it closely overnight into this morning, [and] we see more hosts, but the chatter is about the same.”
Last week, X-Force researchers deciphered Conficker.c's peer-to-peer traffic — another way the worm uses to reach its controllers — and has used that to detect machines infected with the malware.
“After a few more days, I think we'll have a better feel for the overall infections,” Stewart added later on the X-Force blog.
Other researchers echoed the “not much is happening” message. “McAfee Avert Labs is seeing Conficker-infected hosts attempting to call their master to get instructions, [but] those calls are not getting through,” said Dave Marcus, a researcher at McAfee Inc., in an e-mail today.
“I'm sure there are lessons they've learned,” said Huger, speaking of Conficker's makers. “They'll want a quieter spread mechanism next time, and maybe won't try to disrupt access to security companies' Web sites,” he said.