$250,000 reward for Conficker controllers’ scalps

February 16th, 2009

That $250,000 bounty Microsoft has put up for the scalps of the controllers of the globe-spanning Conficker worm seems about right. Conficker, aka Downadup, has now infected the German military, as well as networks of the UK and French Air Forces and England’s Sheffield Teaching Hospitals. After several weeks of informal collaborations, the world’s top virus hunters have formed an official posse to hunt down these very slick bad guys.

“By sharing resources and expertise, this collaborative cross-industry effort is not only protecting infected systems from further damage, but also providing security to the Internet community on the whole,” says Vincent Weafer, VP Symantec Security Response.

SRI International’s Phillip Porras, Hassen Saidi, and Vinod Yegneswaran have authored this detailed breakdown of how Conficker spreads so effectively, why it is so proficient at preventing infected PCs from being cleaned up, and how the controllers have been able to maintain control access.

At least 1 million PCs, perhaps as many as 10 million, have been infected. I still can’t get any consensus from security researchers, who differ on how to extrapolate some of the numbers intercepted from a counting mechanism that’s part of the worm. Each day, each Conficker-infected PC continues to try to connect sequentially with a list of 250 domains for further instructions. Each day this list of 250 domains – each one a potential command and control server – refreshes. As laudable as the good guys’ efforts are to pre-register domains, there remains no way to block the controllers’ access completely.

Bottom line: the controllers can, at any time, deploy parts, or all, of a massive botnet, 1 million to 12 million strong, to do their bidding.
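The daily sweep through 250 candidate domains described above leaves a footprint that defenders can see on their own network even when they cannot pre-register every name: one host making an unusual number of lookups for distinct domains, most of which do not resolve. The following script is an added illustration of that check, not code from this post or from the SRI researchers; the log format, the addresses, the domain names and the thresholds (30 distinct names, 80% NXDOMAIN) are all constructed assumptions for the example.

```python
from collections import defaultdict

# Constructed DNS query log, one record per line: "<date> <client-ip> <qname> <rcode>".
# The format and every address and domain here are made up for this example.
def _build_sample_log():
    lines = []
    day = "2009-02-16"
    # Ordinary workstation: a handful of names, all resolving.
    for name in ("www.example.com", "mail.example.com", "cdn.example.net",
                 "update.example.org", "www.example.org"):
        lines.append(f"{day} 10.0.0.5 {name} NOERROR")
    # Busy but legitimate host (e.g. a web proxy): many distinct names, all resolving.
    for i in range(35):
        lines.append(f"{day} 10.0.0.6 site{i:02d}.example.net NOERROR")
    # Typo-prone user: a few failed lookups, too few to matter.
    for name in ("wwww.example.com", "exmaple.com", "examlpe.net"):
        lines.append(f"{day} 10.0.0.7 {name} NXDOMAIN")
    # Suspect host: sweeps 40 distinct names in one day, 36 of which do not resolve.
    for i in range(40):
        rcode = "NOERROR" if i < 4 else "NXDOMAIN"
        lines.append(f"{day} 10.0.0.9 rnd{i:03d}.example.info {rcode}")
    return lines

SAMPLE_LOG = _build_sample_log()

def parse_line(line):
    """Split one record into (day, host, domain, rcode); return None for malformed lines."""
    parts = line.split()
    if len(parts) != 4:
        return None
    return tuple(parts)

def summarize(lines):
    """Per (day, host): the set of distinct domains queried and how many lookups failed."""
    stats = defaultdict(lambda: {"domains": set(), "nx": 0, "total": 0})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip truncated or garbled records rather than crash
        day, host, domain, rcode = rec
        s = stats[(day, host)]
        s["domains"].add(domain.lower())
        s["total"] += 1
        if rcode == "NXDOMAIN":
            s["nx"] += 1
    return stats

def flag_hosts(lines, min_distinct=30, min_nx_ratio=0.8):
    """Return [(day, host, distinct_domains, nx_ratio)] for hosts whose daily pattern
    looks like a rendezvous sweep: many distinct names, most of them unresolvable.
    The thresholds are assumptions; tune them against a baseline of your own traffic."""
    flagged = []
    for (day, host), s in sorted(summarize(lines).items()):
        distinct = len(s["domains"])
        ratio = s["nx"] / s["total"] if s["total"] else 0.0
        if distinct >= min_distinct and ratio >= min_nx_ratio:
            flagged.append((day, host, distinct, round(ratio, 2)))
    return flagged

if __name__ == "__main__":
    for day, host, distinct, ratio in flag_hosts(SAMPLE_LOG):
        print(f"{day} {host}: {distinct} distinct names, {ratio:.0%} NXDOMAIN")
```

Run as-is it reports only 10.0.0.9; the proxy-like host with 35 resolving names and the typo-prone host with three failures both stay below the combined threshold. Requiring both a high distinct-name count and a high failure ratio is what keeps the two benign patterns apart from the sweep; either condition alone would flag one of them.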

John Markoff, of the New York Times, calls Conficker “a ticking time bomb.” He wrote in this Feb. 14 story that Conficker “now has the power to lash together those infected computers into a vast supercomputer called a botnet that can be controlled clandestinely by its creators. What comes next remains a puzzle. Conficker could be used as the world’s most powerful spam engine, perhaps to distribute software programs to trick computer users into purchasing fake antivirus protection. Or much worse. It might also be used to shut off entire sections of the Internet. But whatever happens, Conficker has demonstrated that the Internet remains highly vulnerable to a concerted attack.”

I think Josu Franco, Panda Security’s director of business development, has it pegged right. The controllers will keep stockpiling infected PCs until the heat dies down. They can afford to be patient. Their focus is on making sure they can tap into this vast store of bots, selling on-demand botnet processing power as a hosted cloud computing service. “This is basically free infrastructure for them,” says Franco.