Wednesday, March 24, 2010

Conficker may be quiet now but it's still a threat

Conficker may be quiet now but it's still a threat

Readers react to post about how bots are cloud providers to criminals

By Robert Mullins

My recent post on how botnets are operating like cloud providers provoked a lively discussion in the comments section about Conficker but mostly about world geography.

I got on the phone this morning with Rodney Joffe, senior vice president and senior technologist at Neustar, whose presentation at the Cloud Connect conference last week in Silicon Valley was the basis for my post "The biggest cloud on the planet is owned by ... the crooks."

Joffe said the Conficker botnet has spread to 230 "countries" in the world, which alert readers pointed out is more countries than there are on planet Earth. The most reliable number I could come up with was 195 countries from

On the phone, Joffe explained he took "poetic license" in using the word countries when, he actually should have said top level domains (TLD). There are a total 260 top level domains on the Internet today, 246 of which are "country codes" such as USA, UK, CN for China and the like, while others are generic domains such as .biz, .org, .net and etc. Why are there still more country codes than countries? Well, EU is considered a country code, even though the European Union isn't a country but a group of countries. Hong Kong is part of China but it has its own HK TLD.

Of the total 260 TLDs, Joffe said 230 are infected by Conficker.

The other issue with commentors was the current status of Conficker. I referred to Conficker in the present tense as if it were still active, a point with which some disagreed.

Conficker was fingered just last month as the culprit behind a computer outage at a police department in the United Kingdom.

But besides that Conficker has been largely dormant, but could become active again, said Joffe.

The previous record of Conficker activity dates back to April 2009 when Conficker was "rented," Joffe said, for two weeks to the perpetrators of the Waledac worm to spread spam and a fake pop-up ad for computer virus protection. This speaks to the point he was making in his presentation that a botnet is like a cloud in that other users can rent access to that network of compromised computers.

You'll recall that the Waledac botnet was taken out of action by order of a U.S. District Court judge last month at the request of Microsoft and other technology companies. But the April 2009 event was only the last use of the Conficker botnet "that we know of," Joffe said. And there could have been other activity since that could not be traced to Conficker as that UK attack was. And new computers are still being infected by Conficker "as recently as yesterday."

So while Conficker is believed to be less active today than it used to be, it is still a threat as are other botnets, including ZeuS, Mariposa, Bobax and others. Here's a list of America's 10 most wanted botnets from July 2009, including Conficker at No. 10.

No comments: