The vast army of zombied machines—thanks to the cybercriminals behind the Conficker worm—has gone silent over the last several months. But one security expert, who has been studying the worm since it began propagating, finds this inactivity troubling and believes its authors are planning the next chapter of Conficker.
Mikko Hyppönen of F-Secure Corp. plans to present his research at the Black Hat Briefings in Las Vegas later this month. Hyppönen, who is also a member of the Conficker Working Group, is intrigued by the worm's sophistication, which allowed it to spread so quickly. Still, the researcher believes the worm's authors are relatively new to the scene, since Conficker spread too quickly, making it a high-profile nemesis of security researchers.
"I think the biggest mystery in the whole Conficker operation is the motive," Hyppönen said. "How come a group who is capable of pulling something of this magnitude off doesn't seem to be interested in actually using this massive botnet they created?"
The worm used algorithms never seen before by researchers. It was protected with the MD6 cryptographic hash algorithm. The method slowed researchers trying to block the worm and allowed it to infect machines quickly. The domain generation system, used by the worm to check for orders, and its USB spreading algorithm also helped the malicious code infect more computers. When Conficker peaked in January, the worm's authors had over 10 million machines at their disposal, yet they did nothing with those machines.
There were subtle signs in May that those behind the worm attempted to rent out portions of the botnet. Researchers saw some Conficker machines download a variant of the Waledac worm, used in massive spam campaigns. Then some Conficker-infected machines were used for a short period of time to spread rogue antivirus. It signaled the start of the next chapter of Conficker -- attempts by the worm's authors to monetize their vast botnet -- but as suddenly as it started, it stopped, Hyppönen said.
"Traditional botnet authors trim down their botnet sizes on purpose. They code it to avoid infecting millions of computers in a couple of days, because that gets you on the headlines of the magazines," he said. "Conficker made the headlines because it infected 10 million computers, which to me would say that they were beginners and they were just trying to learn how to do this right."
Researchers continue to speculate on the motives behind setting up the Conficker botnet. Hyppönen said it could easily be used as a powerful distributed denial-of-service (DDoS) weapon to take down websites and create economic havoc. The authors could also break apart pieces of the botnet by geography, selling the zombied machines off to the highest bidder or renting them out, as they signaled they could do back in May.
The Conficker authors have two ways to deliver orders. They could turn to a built-in peer-to-peer control channel to push commands to some infected computers. The machines themselves distribute the commands they receive from other machines, so any single node within the network could be used to control it. However, this method poses a problem because it doesn't work very well across domains or across strong firewall filtering.
Another way to deliver orders is through Conficker's domain registration system, which seeks out 50,000 semi-random domain names each day across hundreds of countries. If the domains exist, Conficker is designed to check whether they have a Web server and then go to a certain folder or directory on that server to download an executable file with a certain name. Conficker double-checks the signature on the file, and if it is valid, the worm is designed to execute the commands.
"Anybody who knows how the algorithm works can figure out what domain names Conficker will be querying for, but only the original owners will be able to post an executable file with the right signature," Hyppönen said. "This is the way they can gain access and do anything they wanted on more than a million computers on any day."
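The two properties in that quote, predictable domains and owner-only signatures, are what make pre-registration and sinkholing workable for defenders. The following is an added illustration, not Conficker's actual algorithm or any code from F-Secure: it uses a hypothetical date-seeded generator and a constructed Ed25519 key pair to show that anyone can compute the day's names in advance, while only the key holder can produce a file the bot would accept.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
	"math/rand"
	"time"
)

// Stand-in TLD list for the "hundreds of countries" the page mentions (constructed).
var tlds = []string{"com", "net", "org", "info", "biz", "ws", "cn", "cc", "de", "ru"}

// candidateDomains derives the day's domain list from the date alone, so anyone
// who knows the algorithm (researchers included) can compute the names in advance
// and register or sinkhole them. This is a hypothetical scheme, not Conficker's.
func candidateDomains(day time.Time, count int) []string {
	h := sha256.Sum256([]byte("hypothetical-dga:" + day.UTC().Format("2006-01-02")))
	rng := rand.New(rand.NewSource(int64(binary.BigEndian.Uint64(h[:8]))))
	out := make([]string, count)
	for i := range out {
		label := make([]byte, 8+rng.Intn(5))
		for j := range label {
			label[j] = byte('a' + rng.Intn(26))
		}
		out[i] = fmt.Sprintf("%s.%s", label, tlds[rng.Intn(len(tlds))])
	}
	return out
}

// acceptPayload is the gate that keeps predictability from becoming control: a
// downloaded file is run only if its signature verifies under the operators'
// public key, so knowing the domains lets you block them, not feed commands.
func acceptPayload(pub ed25519.PublicKey, payload, sig []byte) bool {
	return ed25519.Verify(pub, payload, sig)
}

func main() {
	tomorrow := time.Now().UTC().AddDate(0, 0, 1)
	for _, d := range candidateDomains(tomorrow, 5) {
		fmt.Println("block/sinkhole candidate:", d)
	}
	pub, priv, _ := ed25519.GenerateKey(nil) // operators' key pair (constructed)
	payload := []byte("constructed command file")
	fmt.Println("signed by owners:", acceptPayload(pub, payload, ed25519.Sign(priv, payload)))
	fmt.Println("unsigned forgery:", acceptPayload(pub, payload, make([]byte, ed25519.SignatureSize)))
}
```

Running the generator for a future date is exactly the pre-registration step the Working Group performs; the verification step is why that work blocks the channel without letting anyone else hijack it.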
So far researchers haven't been able to track down those behind Conficker. Hyppönen calls the Conficker Working Group the best example of industry cooperation he's seen in his 20-year career in the security industry. The group includes a mixture of security researchers, registrars, ISPs and law enforcement. While it has had great success in keeping at bay the registration of the domains that Conficker attackers may use to gain access to the botnet, the group has failed in finding out who is behind it, Hyppönen said.
"The group never put too much effort into tracking them down because it isn't something a group like this can do on their own," he said. "We're not the police. We can't get information about who owns a certain IP address or who was using a certain DHCP pool at the time and track identities like real law enforcement are doing to track and trace criminals."
Internationally, police forces aren't putting much effort into tracking cybercriminals at all, Hyppönen said. Law enforcement has been tailored from the beginning to track large international criminals who conduct smuggling and money laundering operations.