Mikko Hypponen, chief research officer at security firm F-Secure

Photo: Sean Michael Kerner

The dreaded Conficker botnet may have been an April Fools' Day bust, but months later it is still an active threat, according to security researchers. At the Black Hat security conference in Las Vegas, Mikko Hypponen, chief research officer at security firm F-Secure, told attendees why Conficker represents an unprecedented threat.

Hypponen also revealed some details on the current number of active Conficker nodes and where the hotspots are. The final analysis is that Conficker is still something that IT users and administrators need to be concerned about, while the true motives and culprits behind the botnet remain at large.

Hypponen showed the audience some data to prove his point. As of July 24th, his data (from the Conficker Working Group) showed that there were over 5.5 million active unique IPs infected with Conficker, with most of the infections in Brazil, China and Vietnam.

"The gang behind Conficker are no fools," Hypponen said. "They know their stuff, they know coding, development cycles, crypto and they are clever and they are watching us, their enemy in the security industry."

Hypponen said that there were a number of techniques, first seen in Conficker, that make it a unique threat. Among them is that on infection it shut down the Wireshark open source packet sniffer, a tool that many security researchers use to monitor traffic.

In addition, the virus that carries Conficker had its own cryptographic signature, using the most advanced hash available at the time, MD6.

"Conficker was using MD6," Hypponen said. "The first time I saw it (MD6) anywhere and this was a goddamned virus."

Tricking users

Conficker was also unique in how it spreads via USB sticks. Hypponen detailed how Conficker's code triggered an autorun on Windows, even when a user might have had autorun disabled for USB media. Conficker's binary tricks the user by getting Windows to display the familiar "open folder" icon and label, so that choosing it actually runs and executes the code. Hypponen noted that this particular technique debuted with Conficker.
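As an added example (not from the article or from F-Secure), here is a small checker a defender could run over an autorun.inf pulled from removable media: it parses the `[autorun]` section leniently, the way Windows does, and flags entries that launch a program while dressing themselves up as the built-in "Open folder to view files" action. The sample autorun.inf files are constructed for illustration and are not Conficker's actual file.

```python
"""Flag autorun.inf entries that impersonate the standard folder-view
action while actually launching a program (the trick described above).
Added example; the sample files below are constructed, not real samples."""
import re

# Keys that cause something to execute when the AutoPlay entry is chosen.
RUN_KEYS = {"open", "shellexecute"}


def parse_autorun(text: str) -> dict:
    """Parse the [autorun] section case-insensitively.
    Lines that are not key=value pairs are skipped, mirroring the lenient
    way Windows treats junk padding inside autorun.inf files."""
    keys = {}
    in_autorun = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        section = re.fullmatch(r"\[(.+)\]", line)
        if section:
            in_autorun = section.group(1).strip().lower() == "autorun"
            continue
        if in_autorun and "=" in line:
            key, value = line.split("=", 1)
            keys[key.strip().lower()] = value.strip()
    return keys


def is_spoofed_open_folder(keys: dict) -> bool:
    """True when the entry both launches a program and mimics the folder-view
    action, either through its label text or by borrowing the shell32 icon."""
    launches = any(k in keys for k in RUN_KEYS)
    action = keys.get("action", "").lower()
    icon = keys.get("icon", "").lower()
    mimics_label = "open folder" in action or "view files" in action
    mimics_icon = "shell32.dll" in icon
    return launches and (mimics_label or mimics_icon)


# Constructed sample in the style the talk describes (hypothetical payload name).
SUSPICIOUS = """\
[AutoRun]
; junk padding lines like this one are ignored
Action=Open folder to view files
Icon=%SystemRoot%\\system32\\shell32.dll,4
Open=payload.exe
"""

# Constructed benign sample: a custom icon and label, nothing executed.
BENIGN = """\
[autorun]
icon=vendor.ico
label=Backup Drive
"""
```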

In terms of how he knew the Conficker gang was watching the security industry's response, Hypponen gave one solid example. The initial Conficker virus was set not to deploy on the IP space of a number of security vendors, including F-Secure. Additionally, once the virus infects a user, it blocks the victim's machine from accessing security Web sites, including F-secure.com. In response, F-Secure published an FAQ telling users to go to a different Web site, fsecure.com. Hypponen noted that this worked for a few days, and then the new address was blocked by Conficker as well.

Who is behind Conficker and what do they want? That's one question that Hypponen wanted to talk about but wasn't permitted to do so.

"The whole point of my talk was to drill down into what we know about the Conficker gang and what we know about their motives," Hypponen said. "But I got called last week and was asked that because it was an ongoing investigation, that I should end my talk here. Thank you very much, I will not be taking any questions."

While Hypponen might not have been willing to talk about the authors of Conficker, Roel Schouwenberg, senior anti-virus researcher at security firm Kaspersky, was able to shed a little more light.

"The botnet is currently growing, but the authors do not seem to be doing much of anything with it," Schouwenberg told InternetNews.com.

In April, Schouwenberg noted that the botnet was leased out to the Waledac spam bot and it also installed fake anti-virus software. Beyond that, Schouwenberg said nothing much has happened.

"The Conficker botnet is autonomous, that is very strange in itself that they made Conficker replicate by itself," Schouwenberg said. "Now it seems like the authors have abandoned the project but because it is autonomous it can do whatever it wants and it keeps on trying to find new hosts to infect."

The multi-vendor Conficker Working Group is currently making sure that no one can take over the botnet from a command and control point of view, according to Schouwenberg.

"The latest variant has a peer-to-peer functionality and in that way commands can be passed from one machine to the next," Schouwenberg said. "But for the moment nothing is happening except that the botnet continues to grow."