April 1, 2009 (Computerworld) The malware makers who crafted Conficker must be extremely disappointed, a security expert said today, and not because the Internet didn't come crashing down as some of the wildest speculation had predicted.
"All of their work has gone for naught," said Alfred Huger, vice president of development for Symantec Corp.'s security response team, referring to the hackers who created the Conficker worm.
Ironically, it was the extraordinary success of Conficker that made the hackers' work essentially a wasted effort, Huger said. "Most of the work done on Conficker was because of all the attention it got, absolutely," he said, pointing to the drumbeat of coverage since the worm first surfaced in November 2008 and the frenzy that led up to today, when its newest variant started switching to a new communications scheme.
"This is the biggest worm, in terms of press coverage received, since we experienced Code Red," Huger noted. Code Red, which struck Microsoft Corp.'s server software in 2001, slowed networks to a crawl. "And that's great. I think the threat was genuine, and without all the attention, it could have been a big problem."
The anti-Conficker efforts prompted by that attention included the so-called "Conficker Cabal," a consortium of researchers and companies that have tried to disrupt the worm's "phone home" ability. Other researchers, meanwhile, exploited a Conficker flaw to create a scanner that quickly detected infected PCs.
The beginning of the bad news to Conficker's makers was in January, Huger said, when the worm's profile soared as it infected millions of Windows PCs. "The distribution is what got everyone's attention, because it got so big in such a short time," Huger said. "And the fact that it was exceptionally well written, that was in intriguing to [security] researchers."
Vincent Weafer, another Symantec security response executive, put it succinctly earlier this week. "In reality, the author or authors probably didn't intend for this malware to get as much attention as it has," he said in an e-mail. "Most malware these days is designed to be used for some type of criminal monetary gain, and conducting such criminal acts typically requires stealth measures to be successful." "I think this just fades into the background noise of bot networks," Huger said today. "It's a large botnet, but not the largest."
How large is still unknown. Although estimates of the size of the Conficker-infected pool have ranged from 1 million to 12 million, it has been difficult to pin down the number of computers infected with Conficker.c, the newest variant and the one that sparked the massive coverage leading up to today.