The Conficker worm seems to have conducted its April 1 updates in relative peace, but security experts say that its current silence might end with a malicious attack down the road.
Security experts said, however, that no one had expected a large-scale attack on April 1.
"From the start, we knew there wasn't going to be a big implosion [April 1]," said Rami Habal, director of product marketing for security company Proofpoint. "It's not a doomsday scenario."
For the renowned Conficker worm, April 1 marked the day that the botnet was scheduled to update with a new domain generation algorithm that gave it unimpeded access to 500 of the newly generated 50,000 domains it could contact. And some experts contend that the botnet was opening up a path for new instructions.
Wednesday, April 1, however, came and went without an attack, or so much as a peep from the infamous worm. That's not to say that Conficker will remain quiet, experts say.
So far, the sophisticated Internet worm has infected millions of computers around the world -- as many as 10 million to 12 million, according to some estimates -- which ultimately were incorporated in a giant global botnet. Its creators developed the elusive worm in October 2008, exploiting a Microsoft vulnerability in the way the Server service handles RPC requests.
Since then, Conficker versions A and B spread rapidly, infecting millions of computers with techniques that included brute-force password guessing and transmission to USB sticks and peer-to-peer sites.
While the latest version of the worm, Conficker C, didn't have the same replication capabilities as its predecessors, it ensured its own survival with self-preservation traits that included blocking user access to security vendor sites and evading many antivirus products.
And Habal said that with so many infected computers potentially at their fingertips, there's a strong chance Conficker's creators will want to use them to their advantage financially.
"At the end of the day, people are driven by economics. The entire spam ecosystem works because people are making money," Habal said, adding that it was likely the attackers were just waiting for the publicity surrounding Conficker to die before launching a stealthy attack under the radar. "There's no reason that things should have happened on April 1," he said.
One possible route for the worm's creators is using the resulting botnet as a vehicle to send out copious spam. Another scenario could be the launch of a massive denial-of-service attack, which could be lucrative for the attackers if executed on large-scale enterprise companies.
"How many bots does it take to take down something like an Amazon.com? It's far less than a million, we know that," said Keith Crosley, Proofpoint director of market development.
If the botnet does launch an attack, Crosley said, it likely wouldn't be significantly different from the types of attacks that malware has already been used to carry out.
"There are many other viruses that use similar techniques that basically have the same effect," Crosley said. "(Conficker is) no more harmful than any other virus. It's just the numbers [of victims] are higher here."
For now, however, the attackers seem to simply be waiting in silence while earlier versions of the worm spread and bring more victims into the fold.
"The capabilities in this Conficker virus are extremely sophisticated," Habal said. "And the one thing that is in the back of people's minds is that if (attackers) wanted to do something, they could."
