Conficker worm still being tracked, but evidence collection slows

Since the botnet operators abandoned Conficker, it makes it harder to trace them

Jeremy Kirk (IDG News Service)
11 October, 2012 04:45
Comments

The notorious malware known as the Conficker worm still infects computers, a sort of wild horse with no rider, but investigators appear no closer to finding its creator.

Also known as "Downandup," Conficker was discovered in November 2008, exploiting a vulnerability in Windows XP that allowed remote file execution when file-sharing was enabled. Microsoft patched it a month later.

A souped-up version of Conficker released that year later targeted the autorun feature in XP and Vista. At its peak, Conficker infected upwards of 7 million computers. Microsoft still ranks Conficker as the second-most prevalent malware family on domain-joined computers, according to figures released earlier this year in its Security Intelligence Report Vol. 13.

Security researchers with the Conficker Working Group (CWG) along with vendors including Microsoft successfully cut off the Conficker's operators from the botnet. The group is still working to try to find Conficker's master, said Jose Nazario, a malware researcher with security vendor Invincea, on the sidelines of the Hack in the Box conference.

The problem is that botnet operators have stayed away from Conficker and not tried to reclaim it, a welcome development but one that leaves researchers with a lack of fresh electronic leads.

"Well, we sort of won in that regard," Nazario said. "They had to walk away from it. On the other hand, if they're not interacting with it, there's no more evidence coming in."

In June 2011, Ukraine's security service, SBU, made several arrests related to a cybercrime ring that defrauded the banking industry of more than US$72 million. The SBU indicated those arrested allegedly said they had used Conficker to spread fake antivirus software, another scam the group was accused of.

But the results of Ukraine's investigation are unclear. Conficker used a private key to sign encrypted updates, and if police found that key on a person's computer, it would represent the needed crucial evidence, Nazario said. But so far it has not come to light.

The CWG is still interacting with sinkhole operators, top-level domain operators and ICANN, Nazario said. The malware itself is on autopilot, taking advantage of vulnerable computers and has proved to be a long-term nuisance.

"It feels like a stalemate," Nazario said. "It feels like we're kind of in a holding pattern but there's still effort that goes into it."

Send news tips and comments to jeremy_kirk@idg.com

"It is much easier to become a manager in IT than it ..."

Solving the skills conundrum – part 1
"1. The HTC has a better low light camera and the lens ..."

Samsung Galaxy S4 vs. HTC One: 5 Reasons to Choose the GS4
"as a teacher - you can't win - in a constantly changing ..."

High school students still see ICT as ‘sitting at a computer all day’: survey
"yep - big brother is watching you - now go out and ..."

Does encryption really shield you from government's prying eyes?
"New manager arrives, fires most of the apparently-underskilled staff rather than training ..."

Solving the skills conundrum – part 1

Latest Blog Posts

Whitepapers

McAfee Complete Endpoint Protection - Business
McAfee makes endpoint security painless for users and easy and efficient for IT. Built for strength, speed, and simplicity, McAfee Complete Endpoint Protection - Business suite helps growing organisations get Internet security right, from turnkey installation to rapid response. Find out more.

Learn more »
Agentless Security for Virtual Environments
Virtualised datacentres, desktops, and cloud computing should be secured by the same strong protection technologies as physical machines. However, traditional agent-based solutions that are not architected for virtualisation can result in a number of significant operational security issues. Find out more about the first agentless security platform solution.

Learn more »
New Demands for Real-time Threat Management
Many organisations are evaluating a new security model based upon IT risk management best practices. This is a good idea, but not enough for today’s dynamic and malevolent threat landscape. To keep up with IT changes and external threats, large organisations need to embrace two new security practices: real-time risk management for day-to-day security adjustments and real-time threat management to detect and remediate sophisticated, stealthy, and damaging security breaches (i.e., advanced persistent threats, or APTs). Learn more.

Learn more »

All whitepapers

Most Read
Most Commented

Get exclusive access to Invitation only events CIO, reports & analysis.

Latest Jobs

Zones

Featured Whitepapers

Endpoint Protection Overview

With the exponential growth and sophistication of malware today, the security industry can no longer afford to ‘bury its head in the sand’. The bottom line is that traditional endpoint ...

Recent comments

"It is much easier to become a manager in IT than it ..."
Solving the skills conundrum – part 1
"1. The HTC has a better low light camera and the lens ..."
Samsung Galaxy S4 vs. HTC One: 5 Reasons to Choose the GS4
"as a teacher - you can't win - in a constantly changing ..."
High school students still see ICT as ‘sitting at a computer all day’: survey
"yep - big brother is watching you - now go out and ..."
Does encryption really shield you from government's prying eyes?
"New manager arrives, fires most of the apparently-underskilled staff rather than training ..."
Solving the skills conundrum – part 1

Follow CIO

Market Place

SolveXia’s key tips for CIOs seeking improved productivity through automation. Click here

Now out of the office never means out of the loop. Office 365 – your complete office in the cloud.

Deploying mobility worthwhile challenge hear what CIOs have to say.. Read more

Security 2013 Exhibition: 160 brands, new innovations, expert speakers & more, register now.

Latest Jobs

Subscribe to CIO

Critical. Authoritative. Strategic. CIO magazine addresses the issues vital to the success of IT and business executives. Solutions-oriented editorial provides a greater understanding of the role IT plays in achieving corporate goals. Subscribe to the print edition today.

Download OPML file for import with all IDG RSS feeds

CSO Online Data Security Briefing

Conficker worm still being tracked, but evidence collection slows

Recommended

Does encryption really shield you from government's prying ...

Australian National University adds augmented reality to mobile ...

CIO roundtable: Staying in control in the cloud

Debating the digital economy

Why the fuss about big data?

Homeless multinationals and taxing decisions

10 Tips for Dealing with a Bully Boss

5 open source help desk apps to watch

How to define the scope of a project

Australia suspected to have PRISM data: Ludlam

PMBOK vs PRINCE2 vs Agile project management

Solving the skills conundrum – part 1

Australia Post’s mail business to lose $200 million this year

Online shopping reaches mainstream status

Australia suspected to have PRISM data: Ludlam

Why Agile Isn't Working: Bringing Common Sense to Agile Principles

Symantec Business Critical Virtualisation Content Zone

BlackBerry Enterprise Service 10 Zone

HP Tech Connect Resource Centre

Endpoint Protection Overview

Enterprise Mobility Management: Embracing BYOD Through Secure App and Data Delivery

Legal Compliance in Electronic Record Keeping

The IT Priorities for 2013

Forrester: The Three Stages of Cloud Economics