Conficker’s Celebrity Hid The Real Threat

Just as human celebrities distract us from the real stories, the Conficker panic took our eyes from the numerous hard-working botnets that are doing much more damage, says Matt Hines

So, whatever happened to Conficker?

Well, it’s still sitting there. Some believe it’s rotting on 15 million endpoints or more, while others reported only 200,000 (a figure that came from misreading Kaspersky research).

It’s there. Doing something, or things. Occasionally being used to generate spam-driven malware campaigns, occasionally updating itself.

Some people think that Conficker was too good for its own good, and spread so quickly that it lessened its eventual punch by raising the hackles of everyone from US-CERT to TV show “60 Minutes.”

Others think that it’s pretty much done what it was designed to do, which was take advantage of a ton of machines that never got updated with an available Windows security patch from Microsoft.

But if, in the end, we judge it by its behavior, it’s just your average botnet being used for fairly run-of-the-mill badware and spam distribution. If anything, it’s been acting a little sluggish compared to other (known) botnets of its class.

And while everyone’s been scratching their collective chins and wondering what Conficker is built for, other more heavily tasked botnets are cranking away with reckless abandon.

According to a report issued by botnet researchers at Web gateway vendor Marshal8e6, some of the hardest-working botnets, including the Rustock and Xarvester networks, are creating individual zombie computers that can each send up to 600,000 spam messages in a 24-hour period.

“Over the past few years, botnets have revolutionised the spam industry and pushed spam volumes to epidemic proportions despite the best efforts of law enforcement and the computer security industry,” Phil Hay, a senior threat analyst at Marshal8e6’s Tracelabs, said in a report summary.

While Conficker is putzing around trying to find itself, the Xarvester, Mega-D, Gheg, Grum, Donbot, Pushdo, Bobax, Rustock and Waledac botnets are cranking out more than 70 percent of the world’s total spam, the report contends.

And while infected Web sites have become the primary attack model for malware distributors in recent years, the sites typically rely heavily on e-mail driven social engineering campaigns to lure visitors into clicking over.

“The spamming botnets are constantly in flux. Botnets morph, become obsolete, replaced, taken down, and upgraded. One thing is clear, a mere handful of botnets are responsible for the bulk of all spam sent,” the researchers said.

Over the last three months, the Pushdo (26.1 percent) and Rustock (20.6 percent) botnets alone have accounted for just under 50 percent of all the world’s spam, outranking their peers by a significant margin, Marshal8e6 said.

The company reported that its data, compiled during the first quarter of 2009, represents two years of observation into the inner workings of the botnets.

So, let me get this right. We’ve known about Rustock for years, it’s pounding out nefarious content, and we can’t seem to stop it, yet we’re obsessed with Conficker.

Perhaps we should be measuring the potency of these botnets based on their output, versus measuring their notability by their stature. Because when it comes to which of the attacks is doing the most damage, it seems like that race is already over.

Matt Hines has been following the IT industry for over a decade as a reporter and blogger, and has been specifically focused on the security space since 2003, including a previous stint writing for eWeek and contributing to the Security Watch blog. Hines is currently employed as marketing communications manager at Core Security Technologies, a Boston-based maker of security testing software. The views expressed herein do not necessarily represent the views of Core Security, and neither the company, nor its products and services will be actively discussed in the blog. Please send news, research or tips to SecurityWatchBlog@gmail.com.