An organization that monitors the size and scope of botnet activity estimates that 7 million machines remain infected with the Conficker/Downadup worm, making up a zombie army awaiting orders from the cybercriminals behind the massive Conficker botnet.
Security experts say the good news is that the Conficker bots are still being closely monitored to detect any signs of activity. Despite the botnet's size, it would be difficult for anyone to use it to make money or to break it up and rent portions out without being detected, said Mikko Hyppönen, chief research officer at F-Secure Corp. Hyppönen said those behind Conficker would be safer abandoning it altogether than risking capture by law enforcement eager to follow a money trail.
"Conficker was unique in many ways and the biggest mystery around Conficker is why?" Hyppönen said. "The most logical explanation is that Conficker got too big and too noisy. It attracted too much attention."
The Shadowserver Foundation, which is monitoring Autonomous System Numbers (ASNs) -- the identifiers assigned to the networks under which operators announce their blocks of IP addresses -- listed the top 500 which contained IP addresses identified as
"There are over 12,000 ASNs that daily have Conficker IPs in their network space," Shadowserver said in its report. "Conficker has managed to infect, and maintain infections on more systems than any other malicious vector that has been seen before now."
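The per-ASN counts Shadowserver reports come from attributing each infected address seen at a sinkhole to the network that announces it and then counting distinct addresses per network. The following is an added illustration of that bookkeeping, not Shadowserver's own code: the prefix-to-ASN table, the ASNs (from the private range) and the sinkhole log lines are all constructed for the example, and a real pipeline would draw the prefix table from BGP or RIR data.

```python
import ipaddress
from collections import defaultdict

# Constructed prefix-to-ASN table (a stand-in for a BGP routing table);
# the prefixes are documentation ranges and the ASNs are private-use numbers.
PREFIX_TO_ASN = {
    "203.0.113.0/24": 64500,
    "198.51.100.0/24": 64501,
    "198.51.100.128/25": 64502,   # more-specific announcement inside 64501's /24
    "192.0.2.0/24": 64503,
}

# Constructed sinkhole log: "<timestamp> <source_ip> <dst_port>" per line.
# One host hits twice, one line is malformed, one address is in no known prefix.
SINKHOLE_LOG = """\
2009-10-29T00:01:12Z 203.0.113.10 80
2009-10-29T00:01:13Z 203.0.113.10 80
2009-10-29T00:02:40Z 203.0.113.77 80
2009-10-29T00:03:05Z 198.51.100.9 80
2009-10-29T00:03:06Z 198.51.100.200 80
2009-10-29T00:03:07Z 198.51.100.201 80
2009-10-29T00:04:00Z 192.0.2.5 80
2009-10-29T00:04:01Z not-an-ip 80
2009-10-29T00:05:00Z 10.0.0.5 80
"""


def build_table(prefix_to_asn):
    """Return (network, asn) pairs sorted most-specific prefix first."""
    table = [(ipaddress.ip_network(p), asn) for p, asn in prefix_to_asn.items()]
    table.sort(key=lambda entry: entry[0].prefixlen, reverse=True)
    return table


def lookup_asn(ip, table):
    """Longest-prefix match; None when no prefix in the table covers the address."""
    for net, asn in table:
        if ip in net:
            return asn
    return None


def parse_sinkhole_log(text):
    """Yield (timestamp, ip_address) for each line whose source field is a valid IP."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 2:
            continue
        try:
            ip = ipaddress.ip_address(parts[1])
        except ValueError:
            continue  # malformed source field: skip rather than mis-attribute
        yield parts[0], ip


def infected_ips_per_asn(log_text, prefix_to_asn):
    """Map ASN -> set of distinct sinkhole-contacting IPs, plus the set of unmapped IPs.

    Repeat hits from one address count once, since the report counts infected
    hosts by unique IP, not by connection.
    """
    table = build_table(prefix_to_asn)
    per_asn = defaultdict(set)
    unmapped = set()
    for _, ip in parse_sinkhole_log(log_text):
        asn = lookup_asn(ip, table)
        if asn is None:
            unmapped.add(ip)
        else:
            per_asn[asn].add(ip)
    return per_asn, unmapped


def top_asns(log_text, prefix_to_asn, n=500):
    """Rank ASNs by number of distinct infected IPs, ties broken by ASN, top n only."""
    per_asn, _ = infected_ips_per_asn(log_text, prefix_to_asn)
    ranked = sorted(per_asn.items(), key=lambda kv: (-len(kv[1]), kv[0]))
    return [(asn, len(ips)) for asn, ips in ranked[:n]]


if __name__ == "__main__":
    for asn, count in top_asns(SINKHOLE_LOG, PREFIX_TO_ASN, n=5):
        print(f"AS{asn}: {count} distinct infected IPs")
```

The longest-prefix match matters because the more-specific /25 is announced by a different network than the covering /24; a naive first-match would credit those hosts to the wrong operator. Addresses that map to no prefix are kept apart rather than silently dropped, so a gap in the prefix table shows up as a number to explain instead of an undercount.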
The organization participates in the Conficker Working Group, made up of security researchers, domain experts, registrars and ISPs to coordinate defenses against the worm and stop cybercriminals from sending any orders to infected machines. At its peak in January, Conficker was estimated to have infected some 10 million computers and security experts suggested it could be used in a massive denial-of-service (DoS) attack or simply be rented out to spammers and cybercriminals to spread more malware and harvest credit card information, bank account credentials and other sensitive data.
But Conficker may have been a victim of its own success, said Vincent Weafer, vice president of Symantec Security Response. In a recent interview, Weafer said the botnet may never be used.
"It spread far too quickly and that's not how any cybercriminal wants to conduct their activities," Weafer said. "They want to remain under the radar for as long as possible to make money without being detected."
Shadowserver said the goal of its Conficker report is to illustrate the extent of Conficker infections and how they affect ISPs. Security experts have grappled with the fact that, although they can identify the IP addresses of infected computers and have the technical means to disinfect those machines remotely, legal ramifications and privacy issues prevent them from doing so.
"We would most definitely be sued if we did that," Hyppönen said.
Meanwhile, investigators are trying to track down those responsible for Conficker/Downadup. Most security experts agree that the cybercriminals may never be found. The fact that the botnet has remained unused leaves few clues. There is no money trail that law enforcement can trace back to the authors.