Conficker has a business plan. As early as January,
InternetNews.com reported that experts feared the Downadup worm,
also known as Conficker, might infect as many PCs as the Storm worm had.
So it’s ironic that the latest reports suggest that the new worm is making money by infecting PCs with Storm-related malware, called Waledac, and with “scareware” — fake security software — called Spyware Protect 2009.
Waledac makes money by sending spam — about 5,000 to 10,000 e-mails per hour on each infected PC — and Spyware Protect 2009 charges victims to remove it and then doesn’t disappear.
The latest activity on the botnet proves that the makers of Conficker have indeed started to earn cash from criminals by operating a botnet. “In the past, botnet owners would do loads for hire, renting their botnet to send spam. Now, they say, ‘Who would like to upload your malware to my botnet?’” Patrick Peterson, Cisco’s chief security researcher and a Cisco (NASDAQ: CSCO) fellow, told InternetNews.com.
The result? Over the Internet, the invisible hand of the criminal market loosely joins the work of underground pharmaceutical operations replete with customer service centers, credit card cashing operations, and malware labs.
“This is ruthlessly efficient capitalism,” Peterson said, adding that the going rates for this service are $0.13 per U.S.-based PC at the high end of the market down to $0.005 per PC for China-based PCs at the low end.
How big an opportunity did Conficker offer to malware purveyors? Experts estimated that the Conficker worm had infected 10 million Windows-based PCs at the start of this month, and it has evolved since then.
Much publicity was devoted to the worry that the worm would damage computers on April 1, but many, including well-known ex-hacker Mafiaboy, believed that was a ruse. Instead, observers suggested that the real purpose of the worm was the creation of a botnet — and that appears to have happened.
An enterprise threat?
The threat so far is to home computers. “If they’re lucky, the botnet operators will get 0.1 percent of their spam volume from enterprise PCs,” Peterson said.
Still, businesses need to ensure that they’re protected.
“Enterprises had 30 days to apply a patch from one of the most urgent security vulnerability notices,” Peterson added.
Infected businesses should be able to spot the spam traffic leaving their networks, but infection vectors can change, and so can business plans.
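One way to act on that advice, as an added example that is not code from the article or from any of the vendors quoted in it: a small Python script that summarizes outbound TCP/25 connections per internal host from firewall or flow logs, extrapolates an hourly rate, and flags hosts that talk SMTP directly to the Internet without being the sanctioned mail relay, or that do so at the thousands-per-hour rate the article gives for Waledac. The log format, the IP addresses and the sample records are constructed for the example; the relay allowlist and the rate threshold are assumptions to tune to your own environment.

```python
"""Flag internal hosts whose outbound SMTP activity looks like a spam bot.

Added example, not from the article. Log lines are a constructed, simplified
firewall/flow record: "<ISO time> <src_ip> <dst_ip> <dst_port> <action>".
"""
import re
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime
from typing import Dict, Optional, Set

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\d+\.\d+\.\d+\.\d+) (?P<dst>\d+\.\d+\.\d+\.\d+) "
    r"(?P<port>\d+) (?P<action>\w+)$"
)

# Constructed sample: workstation 10.0.5.23 bursts SMTP to many destinations,
# mail relay 10.0.1.10 sends as expected, workstation 10.0.5.41 sends no SMTP.
SAMPLE_LOG = """\
2009-04-14T10:00:01 10.0.1.10 203.0.113.5 25 allow
2009-04-14T10:00:02 10.0.5.23 198.51.100.12 25 allow
2009-04-14T10:00:02 10.0.5.23 198.51.100.77 25 allow
2009-04-14T10:00:03 10.0.5.23 192.0.2.44 25 allow
2009-04-14T10:00:03 10.0.5.41 203.0.113.80 443 allow
2009-04-14T10:00:04 10.0.5.23 192.0.2.45 25 allow
2009-04-14T10:00:05 10.0.1.10 203.0.113.6 25 allow
2009-04-14T10:00:05 10.0.5.23 198.51.100.9 25 allow
2009-04-14T10:00:06 10.0.5.23 192.0.2.46 25 allow
2009-04-14T10:00:07 10.0.5.23 192.0.2.47 25 allow
"""


@dataclass
class SmtpActivity:
    connections: int = 0
    destinations: Set[str] = field(default_factory=set)
    first: Optional[datetime] = None
    last: Optional[datetime] = None


def summarize_smtp(log_text: str) -> Dict[str, SmtpActivity]:
    """Return {src_ip: SmtpActivity} for every outbound TCP/25 connection seen."""
    activity: Dict[str, SmtpActivity] = defaultdict(SmtpActivity)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or m["port"] != "25":
            continue  # skip malformed lines and non-SMTP traffic
        ts = datetime.fromisoformat(m["ts"])
        a = activity[m["src"]]
        a.connections += 1
        a.destinations.add(m["dst"])
        a.first = ts if a.first is None or ts < a.first else a.first
        a.last = ts if a.last is None or ts > a.last else a.last
    return dict(activity)


def hourly_rate(a: SmtpActivity) -> float:
    """Connections per hour over the host's own observation window.

    The window is at least one second so a single connection does not
    extrapolate to an infinite rate; short windows are still noisy, so
    treat the figure as an indicator, not a measurement.
    """
    seconds = max((a.last - a.first).total_seconds(), 1.0)
    return a.connections * 3600.0 / seconds


def find_spam_bots(log_text: str, mail_relays: Set[str],
                   rate_threshold: float = 5000.0) -> Dict[str, str]:
    """Return {src_ip: reason} for hosts whose outbound SMTP looks bot-like.

    Signal 1: any direct outbound SMTP from a host that is not a sanctioned
    relay (workstations should hand mail to the relay, not to Internet MXs).
    Signal 2: a sanctioned relay whose extrapolated rate reaches the
    thousands-per-hour range the article gives for Waledac; the default
    threshold is an assumption, set it from your relay's normal baseline.
    """
    findings: Dict[str, str] = {}
    for src, a in summarize_smtp(log_text).items():
        rate = hourly_rate(a)
        if src not in mail_relays:
            findings[src] = (f"direct outbound SMTP from non-relay host: {a.connections} "
                             f"connections to {len(a.destinations)} destinations "
                             f"(~{rate:.0f}/hour)")
        elif rate >= rate_threshold:
            findings[src] = (f"sanctioned relay but ~{rate:.0f}/hour exceeds "
                             f"threshold {rate_threshold:.0f}/hour")
    return findings


if __name__ == "__main__":
    for host, reason in find_spam_bots(SAMPLE_LOG, mail_relays={"10.0.1.10"}).items():
        print(host, reason)
```

Run against real logs, the non-relay check is the sharper of the two signals: in an enterprise that forces mail through a relay, a desktop opening TCP/25 to Internet addresses is abnormal regardless of rate, which is exactly how a Waledac-style spam bot differs from the hosts around it.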
“The worst may be yet to come, since Conficker can update itself into anything — instantaneously. Which means that we can wake up tomorrow with a huge [distributed denial of service, or DDoS attack] network, or a spam bot network,” said Amit Klein, CTO and head researcher for Trusteer, a vendor of browser security technology for financial institutions. “But it can also attempt a more subtle move — a move into financial fraud. There’s nothing to prevent Conficker from morphing into financially motivated malware that can collect credentials from browsers, log keystrokes and/or modify transactions.”
Others worried about Conficker in virtual environments.
“It is especially easy for the Conficker worm to get into the virtualized environment because new virtual machines are often created using older templates which do not have updated Conficker patches,” Kevin Piper, director of technical operations at virtualization security provider Altor Networks, told InternetNews.com.
As a result, experts urged enterprise network managers to take stock of the situation and avoid panic — but many also pointed out that if they’re following standard security protocols, they should already be well protected.
For instance, since the worm spreads by exploiting unpatched software, an organization that patches promptly has already shut that door. Patching is “not even security 101. It’s a lesson before that,” Peterson said.
“It should be part of your daily operations to make sure this never pops up,” he added. “You should be focusing on targeted attacks, especially if you’re in an industry such as government, banking, or defense that is facing incredibly sophisticated attacks. You should be worried about the attacks you won’t see on ‘60 Minutes.’”
Still, Peterson added, networks are always under siege and patrolling them isn’t a task to be taken lightly.
“Even if you get the best security practices, you have to assume they won’t be perfect, that they won’t work 100 percent of the time,” he said. “You need to be looking for bots, for remote control malware, within your enterprise network.”
He also said that all the news about Conficker may not be good for business security.
“On the one hand, we’ve got reports on ‘60 Minutes’ and CNN, but on the other hand, everyone thinks that if they’re not part of a botnet, they don’t have a problem, and especially for enterprises, that’s absolutely not true.”