Conficker Botnet 'Dead In the Water,' Researcher Says

But there are still 6.5 million machines infected, and worm continues to spread

Dark Reading logo in a gray background | Dark Reading

After over a year of waiting for the sleeping giant Conficker botnet to come to life, some security researchers are now starting to think it may just be dead rather than dormant: they say the original creators of the Conficker botnet appear to have abandoned ship, leaving the worm to merely spread on its own via unpatched Windows machines.

"This botnet is dead in the water," says Vincent Weafer, vice president of Symantec Security Response. "At this point, we think the organization [behind it] has effectively abandoned it" since last May, he says.

But that doesn't mean Conficker still doesn't pose a threat: another group could take control of the 6.5 million machines worldwide still infected with the Conficker worm, Weafer says. "It is possible someone could come along and try to take it over. We do see cross-infection all the time."

Conficker's original operators couldn't activate the high-profile botnet without attracting too much attention, experts say, which may be why it's been dormant for so long. The Conficker Working Group, formed in February of 2009 and led by Microsoft, has been successful in neutralizing the botnet, closely tracking its movements, and in leading the cleanup efforts.

Gunter Ollmann, vice president of research at Damballa, says Conficker appears to be dead from a criminal operations perspective: "We still see frequent outbreaks within enterprise networks, typically through infected laptop users or infected USB memory keys, but are not seeing any criminal C&C activity," Ollmann says.

Meanwhile, Andre' DiMino, director of the Shadowserver Foundation, says he doesn't think Conficker's operators have completely abandoned the botnet, however. "With a botnet that large and geographically distributed, it is a very good asset to maintain. While it remains dormant, the potential for its use, rental, or reconnaissance remains," DiMino says.

With the crypto algorithms built into Conficker, it would be unlikely for another group to hijack the botnet, he notes. "However, it's important to keep in mind that the Conficker drones are vulnerable machines that do not receive AV or OS updates. That's why it's still a high priority that Conficker drone remediation continues and the public remains aware of the threat," DiMino says.

Both DiMino and Weafer agree that Conficker's creators could merely start all over again and build another botnet. "I wouldn't put it past the current Conficker herders to look to build another botnet and adopt some of their own lessons learned," DiMino says.

That strategy would be much easier for them than activating Conficker, Symantec's Weafer says.

It was exactly one year ago today -- April Fool's Day -- that the security industry waited for Conficker to pull the trigger on its payload. But nothing happened, nor has much changed in the past year except for the steady stream of unpatched machines getting infected by the worm. Thus, fears that the botnet, which at one time ballooned to some 8 million machines, would be used for massive distributed denial-of-service (DDoS) attacks or other nefarious activities, have for the most part subsided.

Other researchers say Conficker is far from dead today: "Conficker is alive and well and still very active in attempting to spread. It is more dormant in the fact that there are no new payloads getting pushed down to Conficker because of the actions taken by various folks in the Internet and research communities," says Marc Maiffret, chief security architect at FireEye. "The ability to control Conficker still remains, and it is something we continue to keep a watchful eye on, should it start to awaken again. I would definitely not call it down for the count."

Maiffret says Conficker's authors can still control the botnet: "I don't think that has gone away. They just have their foot off the gas," he says.

But Symantec's Weafer says Conficker's high profile and size make it "too toxic" for its operators to fully activate it. "There are too many people watching it," he says, and if Conficker's creators were to power it up, it could blow their cover, he says.

And remaining off the radar is something the Conficker creators have been able to avoid thus far. Microsoft's $250,000 bounty for information that leads to the arrest and conviction of the people responsible for Conficker has yet to be awarded. "The investigation is currently ongoing, seeking those responsible for illegally launching the Conficker malicious code on the Internet," said Jerry Bryant, group manager, for response communications at Microsoft, in a statement. Bryant noted that the CWG, security researchers, ICANN, and domain operators have teamed up to disable a "significant number" of domains used by Conficker, therefore disrupting the worm and preventing some attacks.

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.

About the Author

Kelly Jackson Higgins, Editor-in-Chief, Dark Reading

Kelly Jackson Higgins is the Editor-in-Chief of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise Magazine, Virginia Business magazine, and other major media properties. Jackson Higgins was recently selected as one of the Top 10 Cybersecurity Journalists in the US, and named as one of Folio's 2019 Top Women in Media. She began her career as a sports writer in the Washington, DC metropolitan area, and earned her BA at William & Mary. Follow her on Twitter @kjhiggins.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like


More Insights