The folks at the San Diego Supercomputer Center are a part of the world-wide cyberposse on the hunt for a new internet worm that has the potential to wreak unprecedented havoc on computer networks.
Known as Conficker or Downadup, the nefarious software program is the worst virus to hit the internet in more than five years. It is spreading through a recently discovered vulnerability in the Microsoft Windows operating system, and may have infected more than 9 million computers worldwide.
Here is a particularly scary description of the worm’s potential penned by John Markoff of The New York Times:
Worms like Conficker not only ricochet around the Internet at lightning speed, they harness infected computers into unified systems called botnets, which can then accept programming instructions from their clandestine masters. “If you’re looking for a digital Pearl Harbor, we now have the Japanese ships steaming toward us on the horizon,” said Rick Wesson, chief executive of Support Intelligence, a computer security consulting firm based in San Francisco.
Many computer users may not notice that their machines have been infected, and computer security researchers said they were waiting for the instructions to materialize, to determine what impact the botnet will have on PC users. It might operate in the background, using the infected computer to send spam or infect other computers, or it might steal the PC user’s personal information.
“I don’t know why people aren’t more afraid of these programs,” said Merrick L. Furst, a computer scientist at Georgia Tech. “This is like having a mole in your organization that can do things like send out any information it finds on machines it infects.”
K.C. Claffy, an internet expert at the Supercomputer Center, is plenty afraid. She and others are using an internet telescope — also called a “dark net” — located at the center to, in essence, stake out the virus. A dark net is a big chunk of unused internet address space that should have very little traffic. But traffic increases when there is a worm, and by monitoring the dark net, internet experts can see patterns in the address space and see how the worm is trying to spread.
Another thing investigators are doing, said Claffy, whom I recently profiled, is setting up machines they know will be infected, and then monitoring those machines. They also can register what are essentially dummy domain names, and wait for the worm to query the domain. So far they haven’t been able to make heads or tails out of the aims of the person or people behind the worm, she said.
“It could be a teen just proving he can do this, or some billion-dollar scammer setting up an impervious spam network,” Claffy said. “It’s very confusing — I can’t get in the head of the wormer.”
Claffy added that the threat of viruses like this one is another reason why some sort of international clearinghouse, a bureau of internet statistics, needs to be established. “We don’t have any formal channels of studying this thing,” she said.