Security researchers continue hunt for Conficker authors

Robert Westervelt

There are several ongoing investigations attempting to find the authors of the Conficker botnet, one of the fastest spreading worms in history, but those responsible for the worm have proven elusive.

Security expert Mikko Hyppönen, chief research officer at F-Secure Corp., said he is aware of several ongoing investigations, but was asked specifically not to leak details about them. He said investigators have to be especially careful not to leak information because security researchers have determined that the cybercriminals behind Conficker are staying informed.

"They proved over and over that they are watching and will react to what's going on," Hyppönen said.

Hyppönen is a member of the Conficker Working Group, a consortium of security researchers, registrars, ISPs and law enforcement. The group continues to monitor the botnet for signs of life, but so far they haven't heard a peep out of the remaining several million infected zombie machines.

Conficker emerged in October 2008 and quickly infected up to 10 million machines, according to some estimates, before the security industry combined forces to defeat its communication network, effectively blocking the pathway each zombie machine used to seek orders from its controller.

The Conficker Working Group had to contact representatives of 113 different countries -- each in charge of issuing its own country-specific top-level domain. Conficker was coded to contact sites in each of those countries to check for orders. Ireland and Poland were difficult to reach, Hyppönen recalled, but once the Democratic Republic of Congo was contacted, every country on the list had cooperated, helping fuel the continued success of the Conficker consortium.

Researchers are taking the worm's code apart piece by piece to try to find clues to where it originated. Meanwhile, law enforcement is involved, helping researchers track down IP addresses and the individuals connected to a specific DHCP pool, a collection of IP addresses that are part of a specific wireless network.

Microsoft is offering a $250,000 reward for information leading to the arrest and conviction of the Conficker authors. The technical Internet connection trail has plenty of missing pieces, said Joe Stewart, director of malware research at SecureWorks Inc. The bots researchers have been following have not been used, he said.

Law enforcement is waiting for a money trail to follow, but as the investigation grows older, it's becoming increasingly unlikely that anyone will be prosecuted for Conficker, Stewart said. The few clues that investigators have been able to glean are prompting experts to believe the authors can be traced to a former Soviet bloc country.

"The success rate for U.S. law enforcement to get prosecutions there is next to zero," Stewart said.

Previous worm authors have been convicted. A 19-year-old was convicted in 2005 for creating and spreading the Sasser worm, and in the same year the Blaster creator was sentenced to 18 months in prison for the destruction his worm caused. But Stewart said that in many cases, those who were brought to justice either left a clear trail for investigators to follow or bragged about their exploits.

"They were dumb enough to brag to their friends or made a very newbie mistake," Stewart said. "Knowing the sophistication of Conficker and the breadth of knowledge it takes to design a bot like this, I think it's very unlikely these guys are going to get tripped up."

Vincent Weafer, vice president of Symantec Security Response, agreed. Weafer said that earlier this year a portion of the botnet may have been loosely affiliated with the spread of a rogue antivirus program. It gave investigators hope that a money trail would develop, but whether Conficker is tied to the rogue antivirus is in dispute.

"If these guys are professional and walk away from their bots, because of the anonymous nature of a botnet, they may never get caught," Weafer said. "Even if somebody is caught sending commands to the bot, how can you know if it's the same group? It may be impossible to figure out."

The worm writers showed their aptitude when they used several new ways to deploy and control Conficker. So far researchers have been unable to crack the MD6 cryptographic hash algorithm protecting the worm, Hyppönen said. It was the first time MD6, the latest hash algorithm, was used, and when researchers discovered a flaw in MD6, the worm's authors updated Conficker to correct the issue.

"The more advanced malware doesn't take orders until the orders are signed," Hyppönen said. "MD6 within Conficker is exactly for this. The only party with the secret keys is the worm's authors." Conficker's ability to infect machines using the AutoPlay functionality of USB sticks was also innovative. The technique was found to still work even if Windows users turn off the Autorun feature on their systems. Hyppönen said the technique is now standard for USB worms.

"This wasn't just an existing gang writing yet another worm, this was guys who were thinking differently," Hyppönen said. "Maybe they'll never return to their bot, but they could be waiting for us to pay less attention to it. They know that it will not be monitored forever."