O Botnet, Where Art Thou?

Thursday, December 17, 2009

Bill Wildprett, CISSP, CISA


O Botnet, Where Art Thou? Yes, like an Odyssey worthy of Homer or a George Clooney movie, the saga of the Conficker botnet continues.  The Most Excellent folks at Shadowserver have posted an update today.

While Conficker fell off the media radar, Shadowserver has been following it:

  • “As recently as late October 2009, the number of systems infected with the A+B+C variants topped seven million.”
  • “Currently, there are over 12,000 ASN’s that have at least one Conficker IP in their network space.”
  • The Conficker stats and charts page can be found here: http://www.shadowserver.org/wiki/pmwiki.php/Stats/Conficker

Like the Bogey Man and the Monster Under the Bed, we Know it’s There, but what is It Doing?  One thing the data shows is that overall, its presence is dropping, from a high of 6.5 Million to 7 Million, and still declining, thanks largely to serious eradication efforts, including ongoing domain registration by the Conficker Working Group.

A very interesting piece on SearchSecurity.com brings us up to date on the hunt for the Conficker authors.  The article quotes Mikko Hyppönen from F-Secure speaking about how the worm’s authors used the MD6 cryptographic hash to sign the worm, including updating the hash after an MD6 weakness was found.  The worm was also able to work around Autoplay being disabled on Windows systems.

The counter-attacks by security researchers will influence botnet developers as they morph their capabilities and attack surfaces in response.  While Conficker seems to be contained and has become the inverse of Top of Mind, you should still Pay Attention, just because…

Peace & Love Y’all!

Cross-linked from Suspicious Minds
