Remember all the fuss about Conficker earlier this year? The worm spread like crazy and everyone expected it to do something terrible on April Fools' Day.
Then when the day came, nothing happened. Life went on, the Internet didn't collapse, and most people decided it was just another one of those scare stories (remember the Millennium Bug).
But as we approach the first anniversary of the infection -- it was first detected by the Microsoft Malware Protection Center on November 21, 2008 -- the bad news is that a Conficker botnet is still very much alive. Between 6 million and 7 million machines around the world are currently infected, and infections are still creeping up.
So should we worry? Although the malware is very good at spreading and defending itself once installed, it doesn't destroy files or steal information -- yet.
In the early stages, Conficker certainly caused a lot of trouble, infecting hospital systems, the U.K. Parliament and the Navy. In one incident, a number of French military aircraft had to be grounded because they were unable to download flight plans due to Conficker. The cleanup costs across the world have been enormous.
Conficker has the ability to spread via USB sticks, as well as over a network. As recently as August, Whipps Cross University Hospital NHS Trust in east London admitted it had just managed to contain an infection of 30 machines, probably caused by an infected USB stick.
And even though Conficker does not destroy
Also, from its second variant, the worm began to disable Windows Update and blocked access to the majority of antimalware websites. In the words of Alexandru Catalin Cosoi, a researcher with Bucharest-based BitDefender, "Conficker's mission until now has been to create a worldwide army of yet-dormant machines, able to communicate, update and receive orders, while also neutralising any defence system in place. Any infected machine can be exploited anytime from now on. It is like having a house with a door wide open all the time, even when you sleep or go to work or on vacation."
And that is the problem: Although the authors of the Conficker botnet have so far made little use of their brainchild, they have created a vast network of machines that could wreak havoc some time, destroying local files, stealing information or launching DDoS attacks.
However, much has already been done to limit the effects of Conficker, and to track down the culprits. In an unprecedented move, when the scope of the threat was realised, the international security industry came together with law enforcement and formed the Conficker Working Group, which still operates and tracks the worm's progress.
According to Eric Sites, CTO of Sunbelt Software Inc. and member of the Conficker Working Group, the threat of getting caught may have prevented the culprits from showing their hand too openly.
"It's taken an enormous amount of money to clean up after Conficker, so if the person does try to use the network and gets caught in the process, then he's going to go to jail for a long time," he said. "We have narrowed it down to a specific country, and we have a lot of sensors out on the network to try to pinpoint where the communication is coming from. Almost every AV company has a version of Conficker installed in a dirty network waiting for it to update itself to see what is happening and to track the guy down."
Nevertheless, the network has been used for criminal activity. The E variant of the worm, released on April 8, downloaded the Waledac spambot, and started pumping out scareware messages to get people to buy rogue AV software.
For Rodney Joffe, who is also a founder and director of the Conficker Working Group, the Waledac spambot was a significant turning point. "Up until April 8, there was every possibility that Conficker was an experiment that had gone horribly right for a researcher," he said. "At that point we knew we were dealing with people who would use it as a platform to download whatever malicious software they wanted."
He added that the new variant exposed a sophisticated business model. "It is interesting that they only downloaded Waledac if the date was before April 22. In effect, they rented the use of the Conficker botnet to the authors of Waledac for two weeks."
Each new version of Conficker has also demonstrated a level of technical sophistication that Joffe finds alarming. For instance, the code uses MD6, an extremely advanced encryption algorithm developed by Professor Ron Rivest (he's the R in RSA), which is a possible candidate for use by the U.S. government in the next decade.
As Joffe explained, after a buffer overflow vulnerability was discovered in the MD6 algorithm, Professor Rivest produced a patch last February. Within weeks, the patch had been incorporated into the Conficker code. "These guys are hooked into the crypto world enough to know and understand the issues; to recognise the buffer overflow and to have patched it within seven or eight weeks of Ron Rivest's submission," he said. "These are not amateurs. They have chosen an algorithm that is designed to be unbreakable, to defend the U.S. for the next 10 years."
He also noted that while early versions of Conficker used URLs to access command-and-control Web servers, Conficker E uses just peer-to-peer communications, making it much harder to track. "As far as we know, they are currently in touch with all the machines infected with the E variant. But because it is peer-to-peer, we don't know what machines are infected. Unless you have access to one machine on the node, and can see the flow data, you can't tell who else is infected."
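The tracking difference Joffe describes, illustrated as an added example that is not from the original article or the Conficker Working Group: with URL-based command and control, the server (or a sinkhole standing in for it) sees every infected host; with peer-to-peer communication, a defender can only walk outward from an infected node whose flow data they can see. The flow records, addresses and the high-port heuristic for peer traffic are all constructed for the example.

```python
"""Constructed example: enumerating an infected population from centralised
C2 logs versus from one infected vantage node in a P2P network."""
from collections import defaultdict

# Constructed flow records: (src, dst, dst_port). Hosts 10.0.0.x are the
# hypothetical infected population; the external addresses are placeholders.
CENTRAL_C2 = "203.0.113.5"   # placeholder address of a URL-based C2 web server
CENTRAL_FLOWS = [
    ("10.0.0.1", CENTRAL_C2, 80),
    ("10.0.0.2", CENTRAL_C2, 80),
    ("10.0.0.3", CENTRAL_C2, 80),
    ("10.0.0.9", "198.51.100.7", 443),   # unrelated traffic, not infected
]
P2P_FLOWS = [
    ("10.0.0.1", "10.0.0.2", 41523),
    ("10.0.0.2", "10.0.0.3", 50211),
    ("10.0.0.3", "10.0.0.4", 38877),
    ("10.0.0.5", "10.0.0.6", 44019),     # separate cluster, never reached
    ("10.0.0.9", "198.51.100.7", 443),   # unrelated traffic, not infected
]

def infected_from_c2_logs(flows, c2_addr):
    """Centralised C2: every infected host contacts one address, so the
    server's (or sinkhole's) own logs reveal the whole population."""
    return {src for src, dst, _ in flows if dst == c2_addr}

def peers_from_vantage(flows, vantage, min_port=1024):
    """P2P C2: starting from one infected node whose flow data we can see,
    walk peer connections transitively. Only hosts reachable from that
    vantage point are ever discovered. The 'high port means peer traffic'
    filter is an assumption made for this constructed data set."""
    adj = defaultdict(set)
    for src, dst, port in flows:
        if port >= min_port:
            adj[src].add(dst)
            adj[dst].add(src)
    seen, todo = {vantage}, [vantage]
    while todo:
        for peer in adj[todo.pop()]:
            if peer not in seen:
                seen.add(peer)
                todo.append(peer)
    return seen

if __name__ == "__main__":
    print("centralised:", sorted(infected_from_c2_logs(CENTRAL_FLOWS, CENTRAL_C2)))
    print("p2p from 10.0.0.1:", sorted(peers_from_vantage(P2P_FLOWS, "10.0.0.1")))
```

Hosts 10.0.0.5 and 10.0.0.6 never appear from the 10.0.0.1 vantage point, which is exactly the blind spot the quote describes.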
How to control Conficker infection
While the security vendors and law enforcement sit poised to pounce on any future use of the Conficker network, individuals and companies just need to follow basic good security practice to avoid infection.
The fact that new infections are continuing to occur is a sign that organisations have become complacent, according to Orla Cox from the Symantec Response Centre in Dublin. "Some companies know they have infections, but they are prepared to live with it, because it's not causing them any real trouble. But it can cause a lot of noise on the network, and become a real nuisance. It's really not good practice to continue with infected machines."
Rodney Joffe agrees: "Organisations are not implementing the defences to stop infection and reinfection -- that's why we're not beating this," he said. "If an organisation gets infected, it's because IT folks are not taking it seriously, or they are not enforcing their rules. They are still allowing people to wander around promiscuously with USB drives and get infected. If companies are still getting infected, names should be taken and heads should roll."
So what can we learn from the Conficker botnet, and what does it tell us about future malware trends?
Most experts agree that the best thing to come out of the Conficker outbreak is the rapid response of the industry and the formation of the working group to monitor its development and help track down the culprits. "It was impressive that we could pull together a concerted response from 110 different countries in the course of a few days to focus on a single threat. That had never happened before," Joffe said. "That will form the basis for how we fight the next battle."
But Randy Abrams, director of technical education at antivirus company ESET LLC, had a more cynical view: "Conficker teaches us very little. Those who practice the most basic of security tenets have little problem with Conficker. Those who refuse to learn from history make the same security mistakes over and over again."