Conficker, the Botnet that became too hot to handle


Conficker is a piece of malware we just can’t seem to quit. Despite first being identified in November 2008, some estimate that as of September 2020 there were still 150,000 Conficker detections a month, mostly in vastly populated Brazil and India, as well as Thailand and the Philippines. Machines running Windows XP remain in our midst, as do machines that never receive security patches.

But though Conficker continues to annoy, it does so as a mild irritant, not the botnet behemoth it could have been. Looking back, it seems as if Conficker was so well constructed that it attracted too much attention. So much focus was placed on its potential that said potential could never be realized. Conficker expert Mark Bowden wrote in a June 29, 2019, op-ed for The New York Times that at its peak the malware had compromised more than 10 million individual IP addresses. But the botnet was only used once to enact a relatively mild form of “scareware.”

Conficker’s popularity limits its potency

Some have posited that Conficker was an academic experiment and therefore its creators never intended to use it. But in his op-ed, Bowden discussed a December 2015 article from The Journal of Sensitive Cyber Research and Engineering, a classified publication (though the article was not).

The article’s theory was that Conficker—ultimately determined to be the work of Ukrainian hackers—was neutered by its potential. Its rapid growth and sophisticated encryption simply attracted too much attention. With their handiwork in the spotlight, the hackers couldn’t put it to use.

One clue helped tip off law enforcement to Conficker’s origins: The malware was programmed to self-destruct on any machine with a Ukrainian keyboard.
