...clean up and the command-and-control [aspect] is getting more sophisticated and using sophisticated encryption. Once it is in place it is harder and harder to dismantle and remove."
Carole Fennelly, director of content and documentation at Tenable Network Security and a former security consultant, said: "I find it a bit discouraging that after so many years of these dire warnings of a virus/worm that will 'bring the Internet to its knees' that executive management still doesn't get the fact they shouldn't be depending on media stories to shape their security program."
Conficker alive and well
Meanwhile, Conficker remains a menace. The worm spreads through a vulnerability in Windows that Microsoft patched in October, and also spreads via removable storage devices and weakly protected network shares.
So, millions of infected computers didn't launch denial-of-service attacks on websites or download password-stealing software on Wednesday. But they could have, and they still can at any point in the future. In fact, the risk is greater now because Conficker-infected machines can distribute updates or instructions via encrypted peer-to-peer technology instead of communicating with command-and-control servers at domains that registrars have been proactively blocking.
"It's not like it's gone," said IOActive's Kaminsky, who worked with The Honeynet Project on a way to detect infected computers using a flaw in Conficker's code. "We're looking at a massive, amorphous network with a command and control that we don't have the means to block anymore. Things got worse on April 1 for the remaining infected nodes."
And now there is no signal for researchers to watch for with Conficker. This actually makes sense for a botnet, because botnet operators usually try to stay under the radar so they are not thwarted.
"We believe they decided to do nothing to tip their hand," said Paul Ferguson, an advanced threats researcher at Trend Micro. "But the functionality can be updated at any given point in time. All it takes is a button click on a mouse from the people pulling the strings."
The 1 April date could have been designed to distract people from other activity. For instance, researchers saw updates to existing botnets that also use automatic domain generation, including Mebroot, which is also known as Torpig and Sinowal, according to Ferguson. That Trojan infects Windows computers in "drive-by downloads" as they surf the Web and steals bank log-in data and other sensitive data, among other things.
"I'm not saying these are connected, but it sure is funny in a coincidental way," Ferguson said.
So, what's the moral of the Conficker story?
"The moral is there are big worms out there and criminals that do a bunch of things," said BT's Schneier. "One of them happens to have a name and a date."