Conficker still stumps boffins
BY ASHER MOSES
The brightest minds in technology and government are finding it "almost impossible" to defeat the Conficker worm, which has infected more than 5 million computers and, experts say, could be used to knock down the internet in entire countries.
The worm, first detected in November last year, spreads rapidly to computers through a flaw in the Windows operating system.
Infected machines are co-opted into a "botnet" army, which can be controlled and used by the hackers to launch unprecedented cyber attacks.
"The general agreement in the security world is that Conficker is the largest threat facing us from a cyber crime point of view ... it has proven to be extremely resilient. It's almost impossible to remove," said Rodney Joffe, a director of the Conficker Working Group formed to defeat the worm.
"The best minds in the world have not managed to crack the code behind this yet."
The scale of the threat has forced the world's largest computer security companies to join together with governments around the world in an unusual alliance to pool their resources and solve the problem.
Microsoft has offered a US$250,000 reward for information leading to the identification of the individuals - or rogue governments - behind Conficker.
Those behind the worm can do anything they want with the infected machines including stealing users' banking details or flooding government servers to knock them offline.
"This could be used to launch the mother of all DDoS [distributed denial of service] attacks, it could be used as the basis of major financial fraud, it could be used for major spam runs," Joffe said.
"Even a small portion of the infected machines from Conficker have the ability to actually take away the usability of the internet in an entire country like Australia."
So far the international effort to find a solution has yielded few results, and the number of infected machines has remained fairly stable at 5 million. They include home, business and Government computers.
Joffe, who is also a senior technologist at US communications company Neustar, explained that the remarkable resilience was because Conficker had built-in mechanisms to prevent people from scanning their computers with anti-virus software.
Even for those who wipe their computers clean and start fresh, if they back up any important data on a portable hard drive, the clean machine is reinfected when the drive is connected to the computer.
The worm also spreads automatically between computers on a network and infects machines without the user having to do anything other than switch their computers on.
"If you've been able to disinfect 99 machines out of 100 and one is still infected, it will begin to try to reinfect the others," Joffe said.
Most other botnets can be destroyed by disabling the server used to issue commands to infected machines, but with Conficker the location of this server changes every day and state-of-the-art cryptography means it's almost impossible to crack.
Every time the security gurus feel they are on to a solution, the hackers send a new version of Conficker to the infected machines that stops them in their tracks.
"Conficker has proven to be the gold standard for botnets. It's rock solid, it's steady and it has mechanisms built in that have made it impossible for us to actually crack," Joffe said.
"As of today we have not been able to crack the cryptography behind it in order to disrupt it by authenticating ourselves as the command and control."
So far the "botnet masters" have been biding their time as the media buzz around Conficker dies down, but they have already sent malicious code to infected machines that co-opts them to send spam emails. Users of infected computers have also been conned with offers to buy fake anti-virus software.
In July, Manchester City Council in Britain was prevented from issuing hundreds of fines after Conficker knocked out parts of its IT system. The infection cost the council £1.5 million in total.
In January, the French Navy had to quarantine its computer network after it was infected with Conficker, forcing aircraft at several air bases to be grounded.
Joffe said that people who are not yet infected and have installed the latest Windows patches and anti-virus software should be safe, as long as yet another version of Conficker is not released.
But he said it was rare for people to have all the relevant patches installed on their computers, and anti-virus software would be of little use to those already infected.
"We're some ways away from being able to take any action, which is what is really concerning us," Joffe said.
- © Fairfax NZ News