Several people who have analyzed various versions of the program said that Conficker’s authors were obviously monitoring the efforts to restrict the malicious program and had repeatedly demonstrated that their skills were at the cutting-edge of computer technology.
For example, the Conficker worm had already been through several versions when the alliance of computer security experts seized control of 250 Internet domain names that the system was planning to use to forward instructions to millions of infected computers.
Shortly thereafter, in the first week of March, the fourth known version of the program, Conficker C, expanded the number of the sites it could use to 50,000. That step made it virtually impossible to stop the Conficker authors from communicating with their botnet.
“It’s worth noting that these are folks who are taking this seriously and not making many mistakes,” said Jose Nazario, a member of the international security group and a researcher at Arbor Networks, a company in Lexington, Massachusetts, that provides tools for monitoring the performance of networks.
“They’re going for broke,” he said.
Several members of the Conficker Cabal said that law enforcement officials had been slow to respond to the group’s efforts, but that a number of law enforcement agencies were now in “listen” mode.
“We’re aware of it,” said Paul Bresson, an FBI spokesman, “and we’re working with security companies to address the problem.”
A report that was to be released on Thursday by SRI International, a nonprofit research institute in Menlo Park, California, says that Conficker C constitutes a major rewrite of the software. Not only does it make it far more difficult to block communication with the program, but it gives the program added powers to disable many commercial anti-virus programs, as well as Microsoft’s security update features.
“Perhaps the most obvious frightening aspect of Conficker C is its clear potential to do harm,” said Phillip Porras, a research director at SRI International and one of the authors of the report. “Perhaps in the best case, Conficker may be used as a sustained and profitable platform for massive Internet fraud and theft.”
“In the worst case,” Porras said, “Conficker could be turned into a powerful offensive weapon for performing concerted information warfare attacks that could disrupt not just countries, but the Internet itself.”
The researchers, noting that the Conficker authors were using the most advanced computer security techniques, said the original version of the program contained a recent security feature developed by an MIT computer scientist, Ron Rivest, that had been made public only weeks before. And when a revision was issued by Rivest’s group to correct a flaw, the Conficker authors revised their program to add the correction.
Although there have been clues that the Conficker authors may be located in Eastern Europe, evidence has not been conclusive. Security researchers, however, said this week that they were impressed by the authors’ productivity.
“If you suspect this person lives in Kiev,” Nazario said, “I would look for someone who has recently reported repetitive stress injury symptoms.”