Well, the big April 1st “dooms day” has come and gone.
I’ll admit that even though we really didn’t think anything malicious was going to happen, we did add a Conficker scanner to The Box (our security appliance at www.ebasedsecurity.com) so we could scan our client’s systems.
Let me explain our thinking. We’ve been following Conficker all along the way. From the first strain to the most recent, we’ve been watching with our honeypots – collecting data and samples and determining what could happen. We’ve seen the changes, what it does and how it communicates with it’s “mother ship” waiting for it’s next set of instructions.
When news of Conficker hit mass media, (60 Minutes did a piece on it) our non-technical gut feeling was that the cybercriminals wouldn’t actually do anything malicious with their code. There was too much public awareness.
Keep in mind that if they had, they could have created some real havoc on the Internet. Some experts (my Dad’s definition of an expert is: an ex is a has been and a spirt is a drip under pressure) estimate that anywhere from 10 million to 100 million PCs are infected with Conficker.
If a cybercriminal or a group of cybercriminals have remote control of that many PCs and they decided to launch an attack against some main Internet servers, they could overload them with so much bogus traffic as to basically eliminate them from accessibility.
Now, if they attacked the main DNS servers on the Internet (the servers that convert domain names to IP addresses) could they slow down or shut-down the Internet? Possibly.
However, nothing happened.
Or did it?
What actually happened might be exactly what the cybercriminals wanted.
How many of you did Google searches for Conficker over the past week (the week before April 1)?
Many, many (our research showed that over 1.7 million ) people searched for “conficker scanner” or “conficker removal”, “remove conficker”, “find conficker” and numerous other terms.
Did you realize that many of the search results were offering solutions that actually infected your PC? Many of the websites that were displayed as a result of those search terms were created by the cybercriminals!
Could this have been the real intention of the cybercriminals? If so, this could be the biggest social engineering hack of all time. We examined many of these sites and found a number of them (64%) were selling Conficker scanners and removal tools. All of these “tools” we found were actually RATs (Remote Access Trojans) which actually provided the cybercriminals with remote control of the PC it was installed on.
And, “they” (the cybercriminals) got you to pay for it!
Are these guys geniuses or what?
Many of the sites that weren’t selling bogus removal tools tried to infect any PC that visited their site. These infected webpage sites used a variety of sneaky methods to infect PCs. One instance we found actually tried 17 different attacks on all the PCs visiting it’s infectious website.
If you’ve been following us, you know that legitimate websites serving malware are increasing. This coupled with infected websites serving malware makes the Internet a very dangerous place.
Fortunately for all of our clients with The Box, they don’t have to worry about things like this because The Box doesn’t allow downloads from non-whitelisted websites. What a concept.
That’s what Conficker was and what it wasn’t.
Anyone have comments? (comments that aren’t SPAM)