Conficker Mostly a Dud

After tons of breathless media coverage about how April 1st might be the latest “cyber-catastrophe,” the date has come and gone and… nothing happened.

There was, admittedly, some cause for concern.  With 250,000 known machines infected with Conficker.C (and estimates of the total infected population as high as 15 million before antivirus vendors started cleaning them up), activation of the worm would have created the world’s largest botnet overnight, far surpassing the Storm Worm’s 120,000-machine network.  It would have had the power to knock pretty much any target on the Internet offline at will, at least for a short time.  People feared it would be turned against a piece of critical infrastructure (the root DNS servers, say) or a major commercial site and bring down the Internet with it.

And that threat… is still there.  April 1st was only the first day Conficker.C could have been activated, not the only day.  Those infected machines are all still out there, polling for their master every day.  The mitigations put in place at many domain registrars will greatly reduce the worm’s reach, but it would still be a huge botnet, and one that can execute arbitrary code on every infected machine.  (If you’re worried you might be infected, check out the rather ingenious Conficker Eye Chart.)  Still, with the security industry aware of the threat, most of the machines that try to “call home” will probably find nothing listening on the other end, even if the worm’s authors do try to activate it.

If they’re smart, they probably won’t activate it at all.  Since botnet controllers constantly try to steal each other’s botnets, modern worms contain code to ensure that only the author can take control.  In Conficker’s case this defense is very strong: orders to the worm have to be carried in a payload signed with a public-key algorithm, and the bot checks that signature against the public key embedded in its own code before it runs anything.  On one hand, this means nobody but the holders of the matching private key can give it orders.  On the other hand, it leaves them holding a smoking gun.  The private key never needs to be on any infected machine, so a valid signature can only have been produced by whoever generated the key pair, and possession of that key is all but proof of authorship (and thus of a very serious crime).  Having such a trail pointing at them may keep them from using the botnet at all, especially now that the domain-generation algorithm has been reverse-engineered and domain registrars are watching for anyone who tries to register a name Conficker will eventually look up.
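The two mechanisms described above, the signed-command check and the predictable daily domain list, as an added example that is not code from the original post and is not Conficker’s actual routines: a toy bot computes its rendezvous domains from the date, looks for a payload on each, and only runs one whose signature verifies under the public key baked into it.  The signature scheme is a deliberately small textbook RSA over a SHA-256 digest, written here for illustration only; `daily_domains`, the `Bot` class and the payloads in `demo()` are hypothetical stand-ins constructed for this example.  Everything runs offline.

```python
import hashlib
import random
from datetime import date

# ---- Toy public-key signatures (textbook RSA, no padding). Illustration only;
# ---- a real deployment would use a vetted library and a proper padding scheme.

def _is_probable_prime(n, rounds=32):
    """Miller-Rabin primality test."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = random.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def _random_prime(bits):
    while True:
        cand = random.getrandbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(cand):
            return cand

def generate_keypair(bits=512):
    """Returns ((n, e), (n, d)). n exceeds 2**256 so a SHA-256 digest fits below it."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e != 0:
            break
    n = p * q
    d = pow(e, -1, phi)  # modular inverse, Python 3.8+
    return (n, e), (n, d)

def sign(private_key, payload: bytes) -> int:
    n, d = private_key
    h = int.from_bytes(hashlib.sha256(payload).digest(), "big")
    return pow(h, d, n)

def verify(public_key, payload: bytes, signature: int) -> bool:
    n, e = public_key
    h = int.from_bytes(hashlib.sha256(payload).digest(), "big")
    return pow(signature, e, n) == h

# ---- Hypothetical date-seeded domain generator (NOT Conficker's algorithm).
# ---- Because it depends only on the date, anyone who recovers it can
# ---- precompute the names for any future day and register them first.

def daily_domains(day: date, count=8, tlds=("com", "net", "org")) -> list:
    out = []
    for i in range(count):
        digest = hashlib.sha256(f"{day.isoformat()}:{i}".encode()).digest()
        label = "".join(chr(ord("a") + b % 26) for b in digest[:10])
        out.append(f"{label}.{tlds[i % len(tlds)]}")
    return out

class Bot:
    """Stand-in for the infected host. Carries only the public half of the key."""

    def __init__(self, public_key):
        self.public_key = public_key

    def fetch_and_check(self, day: date, dns: dict):
        """dns maps domain -> (payload, signature), simulating what each
        rendezvous name serves today. Returns (domain, payload) for the first
        payload whose signature verifies, else None."""
        for domain in daily_domains(day):
            if domain not in dns:
                continue  # unregistered or sinkholed: nothing listening
            payload, sig = dns[domain]
            if verify(self.public_key, payload, sig):
                return domain, payload
        return None

def demo():
    random.seed(1)  # deterministic keys so the demo is repeatable
    pub, priv = generate_keypair()          # the authors' key pair
    _, rogue_priv = generate_keypair()      # a rival botmaster's key pair
    day = date(2009, 4, 1)
    bot = Bot(pub)
    domains = daily_domains(day)
    # Rival registers today's first name and serves a payload signed with its own key.
    rogue_dns = {domains[0]: (b"rogue", sign(rogue_priv, b"rogue"))}
    hijack = bot.fetch_and_check(day, rogue_dns)          # None: signature fails
    # The real authors serve a correctly signed payload on another of today's names.
    real_dns = {domains[3]: (b"update", sign(priv, b"update"))}
    legit = bot.fetch_and_check(day, real_dns)            # (domains[3], b"update")
    return {"hijack": hijack, "legit": legit,
            "today": domains, "tomorrow": daily_domains(date(2009, 4, 2))}

if __name__ == "__main__":
    print(demo())
```

The same determinism that lets the bot find its masters lets a registrar call `daily_domains` for every day in the coming months and refuse or sinkhole those names, which is the mitigation the registrars are applying.  The rogue payload is rejected not because its domain is wrong but because the signature does not verify under the embedded public key; the only way to make it verify is to hold the private key, which is exactly the evidence trail discussed above.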

Overall, the response to Conficker is another success story for the security industry.  There’s a paper about containing the worm over at the Honeynet Project that makes for good reading.  That said, it also points to the weakness of the “detect-and-patch” model of computer security: this could have been much worse.  If the original Conficker variants had been as sophisticated as the C variant, and the worm had activated on February 1st instead of April 1st, we would have had a very different story.
