All quiet on Conficker front, but boomtime for security firms

 

Gallery

By Barry Collins and Reuters

Posted on 2 Apr 2009 at 07:47

The Conficker worm may have failed to cause widespread havoc on Wednesday, but infected users weren't the only winners on 1 April. The fears of an attack may have been a windfall for antivirus companies, according to analysts.

Conficker, also known as Downadup or Kido, turns infected PCs into slaves that respond to commands sent from a remote server that effectively controls an army of computers.

Companies such as Symantec, McAfee and Trend Micro spend millions of dollars a year on promotional campaigns that warn about threats to personal computers.

"A scare like this could make consumers think twice before deciding to let their subscriptions lapse," claims FBR Capital Markets analyst Daniel Ives.

The industry had been under pressure because the recession caused some customers to hold off buying new software and others to delay renewing subscriptions.

Researchers feared the network created by Conficker might be deployed on Wednesday, because it was programmed to increase communication attempts with its master server from 1 April.

The security industry formed a task force to fight the worm, bringing widespread attention that experts say probably scared off the criminals who command the botnet.

That group thwarted the worm partially by using the internet's traffic control system to block access to servers that control the slave computers. But in cases where the slaves did connect, they didn't receive new marching orders.

Researchers warn the botnet's commanders are probably waiting until they are under less scrutiny before they mobilise the network of infected computers.

"I never thought it would happen 1 April," says Roger Thompson, chief research officer at AVG. "It might be tomorrow. It might be next week. It might be next month."

Botnet army

The Conficker botnet is one of many such networks controlled by syndicates that authorities believe are based in eastern Europe, southeast Asia, China and Latin America.

While Conficker is still inactive, analysts say millions of machines in other networks are regularly ordered to perform tasks for their masters.

The botnet's owners often sell the slave computers or rent them out, offering services such as credit-card and banking information theft. They can be customised to perform other tasks, such as knocking down websites and bringing down corporate networks. "The worst thing is that no one really knows what these things can do. These things can be programmed to do anything," says Mel Morris, CEO of anti-virus company Prevx.

Analysts say Conficker garnered unprecedented attention in recent days because it's unusually large and because it was coded to mutate on April Fool's Day.

While estimates vary greatly, researchers say tens of millions of machines are compromised without the knowledge of their owners.

Alfred Hunger, a senior researcher with Symantec, thinks Conficker has the stamina to survive several years. He believes the motives of the army's commanders are the same as those of the other botnets in cyberspace. "I think it will be a fairly vanilla botnet," he adds.