Cleaning up botnets takes years, if ever, to complete

The cleanup effort around Conficker shows how hard it is to eradicate a botnet

Hadi Asghari, assistant professor at Delft University of Technology

Hadi Asghari, assistant professor at Delft University of Technology

In late 2008, a worm called Conficker began infecting millions of computers, startling the computer security community into action.

Conficker's quick spread was so alarming that an organization was formed called the Conficker Working Group that was tasked with stopping the botnet and finding its creators.

Many countries also formed their own groups that worked with Internet service providers to remove infections from users' computers. But seven years later, there are still about 1 million computers around the world infected with the malware despite the years-long cleanup effort.

Researchers in the Netherlands have analyzed those efforts and tried to figure out what went right and wrong in order to guide future botnet-fighting efforts. Their research paper will be presented next week at the 24th USENIX Security Symposium in Washington, D.C.

"These people that remain infected -- they might remain infected forever," said Hadi Asghari, assistant professor at Delft University of Technology in the Netherlands.

In December 2008, Microsoft patched the vulnerability in Windows XP used by Conficker that allowed remote files to be executed if file-sharing was enabled. But Conficker's worm capabilities made it surprisingly resilient, and it continued to infect computers even when researchers took over the botnet's command-and-control system.

Special efforts by individual countries to control Conficker's spread, such as in Finland, helped keep a check on it, Asghari said. Some other advanced countries, including Norway and Sweden, did not have Conficker remediation programs but still managed to keep it under control, he said.

Researchers are still monitoring Conficker-infected computers since they took over control of the botnet years ago. Asghari said his team saw more than 1 million IP addresses of infected machines calling home to a sinkhole for instructions, but it's difficult to figure out what type of machines those are and why they may still be infected.

Asghari said it's likely many computers are probably running Windows XP without automatic updates installed. It's also possible that some of them may be rarely updated or abandoned embedded systems.

Sometimes, it was hard for ISPs to help consumers clean up their infected computers. Asghari said he spoke to one ISP that contacted the same customer 36 times in an effort to get rid of Conficker.

"Every time the customer would say I've cleaned it up, but the infection would return," he said.

The findings point to needing to make it easier for consumers to fix their computers, Asghari said. The computer security community should also realize that cleanup efforts are valuable but often slow going, and a marathon mindset needs to be adopted.

It's also good to keep in mind that if these computers are infected with Conficker, they're also vulnerable to a range of other more current threats that could use the machines for more attacks, Asghari said.

Asghari's team also had access to data from the Gameover Zeus botnet, a more recent one that was disrupted by law enforcement and researchers in June 2014.

Up to 10 percent of the computers infected with that malware were also infected with Conficker, showing that poorly secured computers can be continually abused.

Even if such vulnerable computers comprise a small percentage of the Internet, it still "turns into millions of computers," Asghari said.

The paper was also co-authored by Michael Ciere and Michel J.G. van Eeten, both of Delft University of Technology.

Send news tips and comments to Follow me on Twitter: @jeremy_kirk

Join the CSO newsletter!

Error: Please check your email address.

Tags MicrosoftsecurityUSENIX Security SymposiumDelft University of TechnologyExploits / vulnerabilitiesmalware

More about MicrosoftTechnologyTwitter

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Jeremy Kirk

Latest Videos

  • 150x50

    CSO Webinar: Will your data protection strategy be enough when disaster strikes?

    Speakers: - Paul O’Connor, Engagement leader - Performance Audit Group, Victorian Auditor-General’s Office (VAGO) - Nigel Phair, Managing Director, Centre for Internet Safety - Joshua Stenhouse, Technical Evangelist, Zerto - Anthony Caruana, CSO MC & Moderator

    Play Video

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

More videos

Blog Posts

Market Place