04:44 PM
Connect Directly

Conficker Botnet 'Dead In the Water,' Researcher Says

But there are still 6.5 million machines infected, and worm continues to spread

After over a year of waiting for the sleeping giant Conficker botnet to come to life, some security researchers are now starting to think it may just be dead rather than dormant: they say the original creators of the Conficker botnet appear to have abandoned ship, leaving the worm to merely spread on its own via unpatched Windows machines.

"This botnet is dead in the water," says Vincent Weafer, vice president of Symantec Security Response. "At this point, we think the organization [behind it] has effectively abandoned it" since last May, he says.

But that doesn't mean Conficker still doesn't pose a threat: another group could take control of the 6.5 million machines worldwide still infected with the Conficker worm, Weafer says. "It is possible someone could come along and try to take it over. We do see cross-infection all the time."

Conficker's original operators couldn't activate the high-profile botnet without attracting too much attention, experts say, which may be why it's been dormant for so long. The Conficker Working Group, formed in February of 2009 and led by Microsoft, has been successful in neutralizing the botnet, closely tracking its movements, and in leading the cleanup efforts.

Gunter Ollmann, vice president of research at Damballa, says Conficker appears to be dead from a criminal operations perspective: "We still see frequent outbreaks within enterprise networks, typically through infected laptop users or infected USB memory keys, but are not seeing any criminal C&C activity," Ollmann says.

Meanwhile, Andre' DiMino, director of the Shadowserver Foundation, says he doesn't think Conficker's operators have completely abandoned the botnet, however. "With a botnet that large and geographically distributed, it is a very good asset to maintain. While it remains dormant, the potential for its use, rental, or reconnaissance remains," DiMino says.

With the crypto algorithms built into Conficker, it would be unlikely for another group to hijack the botnet, he notes. "However, it's important to keep in mind that the Conficker drones are vulnerable machines that do not receive AV or OS updates. That's why it's still a high priority that Conficker drone remediation continues and the public remains aware of the threat," DiMino says.

Both DiMino and Weafer agree that Conficker's creators could merely start all over again and build another botnet. "I wouldn't put it past the current Conficker herders to look to build another botnet and adopt some of their own lessons learned," DiMino says.

That strategy would be much easier for them than activating Conficker, Symantec's Weafer says.

It was exactly one year ago today -- April Fool's Day -- that the security industry waited for Conficker to pull the trigger on its payload. But nothing happened, nor has much changed in the past year except for the steady stream of unpatched machines getting infected by the worm. Thus, fears that the botnet, which at one time ballooned to some 8 million machines, would be used for massive distributed denial-of-service (DDoS) attacks or other nefarious activities, have for the most part subsided.

Other researchers say Conficker is far from dead today: "Conficker is alive and well and still very active in attempting to spread. It is more dormant in the fact that there are no new payloads getting pushed down to Conficker because of the actions taken by various folks in the Internet and research communities," says Marc Maiffret, chief security architect at FireEye. "The ability to control Conficker still remains, and it is something we continue to keep a watchful eye on, should it start to awaken again. I would definitely not call it down for the count."

Maiffret says Conficker's authors can still control the botnet: "I don't think that has gone away. They just have their foot off the gas," he says.

But Symantec's Weafer says Conficker's high profile and size make it "too toxic" for its operators to fully activate it. "There are too many people watching it," he says, and if Conficker's creators were to power it up, it could blow their cover, he says.

And remaining off the radar is something the Conficker creators have been able to avoid thus far. Microsoft's $250,000 bounty for information that leads to the arrest and conviction of the people responsible for Conficker has yet to be awarded. "The investigation is currently ongoing, seeking those responsible for illegally launching the Conficker malicious code on the Internet," said Jerry Bryant, group manager, for response communications at Microsoft, in a statement. Bryant noted that the CWG, security researchers, ICANN, and domain operators have teamed up to disable a "significant number" of domains used by Conficker, therefore disrupting the worm and preventing some attacks.

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message. Kelly Jackson Higgins is Executive Editor at She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
Russia Hacked Clinton's Computers Five Hours After Trump's Call
Robert Lemos, Technology Journalist/Data Researcher,  4/19/2019
Why We Need a 'Cleaner Internet'
Darren Anstee, Chief Technology Officer at Arbor Networks,  4/19/2019
Register for Dark Reading Newsletters
White Papers
Current Issue
5 Emerging Cyber Threats to Watch for in 2019
Online attackers are constantly developing new, innovative ways to break into the enterprise. This Dark Reading Tech Digest gives an in-depth look at five emerging attack trends and exploits your security team should look out for, along with helpful recommendations on how you can prevent your organization from falling victim.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2019-04-25
GitLab CE & EE 11.2 and later and before 11.5.0-rc12, 11.4.6, and 11.3.10 have Persistent XSS.
PUBLISHED: 2019-04-25
GitLab Community and Enterprise Edition 8.9 and later and before 11.5.0-rc12, 11.4.6, and 11.3.10 has Incorrect Access Control.
PUBLISHED: 2019-04-25
Incorrect Access Control in the Account Access / Password Reset Link in Enterprise before 2019-04-23 allows Unauthorized Attackers to READ/WRITE Customer or Administrator data via a persistent HTTP GET Request Hash Link Replay, as demonstrated by a login-link from the browser history.
PUBLISHED: 2019-04-25
Incorrect Access Control in the Administrative Management Interface in Enterprise before 2019-04-23 allows Authenticated Low-Priv Users to Elevate Privileges to Full Admin Rights via a crafted HTTP PUT Request, as demonstrated by modified JSON data to a /v2/rest/ URI.
PUBLISHED: 2019-04-25
Dell EMC Open Manage System Administrator (OMSA) versions prior to 9.3.0 contain a Directory Traversal Vulnerability. A remote authenticated malicious user with admin privileges could potentially exploit this vulnerability to gain unauthorized access to the file system by exploiting insufficient san...