So it occurred to me the other day that I hadn’t heard much about Conficker recently. The computer virus, which some have said is the most sophisticated ever, was big news earlier in the year.
But just because it’s not getting as much attention doesn’t mean that it is no longer a threat. In fact, I did find this fascinating story on the origins of the worm that ran last week in New Scientist. The story details the fight against Conficker, including the efforts of the folks at the San Diego Supercomputer Center, which I have written about.
Here is an excerpt from the New Scientist story:
No one knows the identity of Conficker’s “patient zero” computer, or precisely when it was infected. It was probably a machine that the hackers already controlled. Once installed, the software set to work, surreptitiously scanning the internet for other vulnerable machines to send itself to.
The new worm soon ran into a listening device, a “network telescope”, housed by the San Diego Supercomputing Center at the University of California. The telescope is a collection of millions of dummy internet addresses, all of which route to a single computer. It is a useful monitor of the online underground: because there is no reason for legitimate users to reach out to these addresses, mostly only suspicious software is likely to get in touch.
The telescope’s logs show the worm spreading in a flash flood. For most of 20 November, about 3000 infected computers attempted to infiltrate the telescope’s vulnerable ports every hour — only slightly above the background noise generated by older malicious code still at large. At 6 pm, the number began to rise. By 9 am the following day, it was 115,000 an hour. Conficker was already out of control.
Earlier this week, I had a quick e-mail conversation with K.C. Claffy, one of the Supercomputer Center’s worm hunters. She said that from her vantage point, Conficker is still going strong, and she and her colleagues need more money if they want to stay on its tail.
“80-90% of the traffic we see on the telescope still looks like Conficker spreading attempts (or some other worm trying to spread in the same way),” Claffy wrote. “So it seems alive and well to me. But we don’t have resources to study it in more detail right now.”