It is still out there.
Like a ghost ship, a rogue software program that glided onto the Internet last November has confounded the efforts of top security experts to eradicate the program and trace its origins and purpose, exposing serious weaknesses in the world’s digital infrastructure.

The program, known as Conficker, uses flaws in Windows software to co-opt machines and link them into a virtual computer that can be commanded remotely by its authors. With more than five million of these zombies now under its control—government, business and home computers in more than 200 countries—this shadowy computer has power that dwarfs that of the world’s largest data centres.
Alarmed by the program’s quick spread after its debut in November, computer security experts from industry, academia and government joined forces in a highly unusual collaboration. They decoded the program and developed anti-virus software that erased it from millions of the computers. But Conficker’s persistence and sophistication have squelched the belief of many experts that such global computer infections are a thing of the past.
“It’s using the best current practices and state-of-the-art to communicate and to protect itself,” Rodney Joffe, director of the Conficker Working Group, said of the malicious program. “We have not found the trick to take control back from the malware in any way.”
Researchers speculate that the computer could be employed to generate vast amounts of spam; it could steal information such as passwords and logins by capturing keystrokes on infected computers; it could deliver fake antivirus warnings to trick naive users into believing their computers are infected and persuade them to pay by credit card to have the infection removed.
There is also a different possibility that concerns the researchers: That the program was not designed by a criminal gang, but instead by an intelligence agency or the military of some country to monitor or disable an enemy’s computers. Networks of infected computers, or botnets, were used widely as weapons in conflicts in Estonia in 2007 and in Georgia last year, and in more recent attacks against South Korean and US government agencies. Recent attacks that temporarily crippled Twitter and Facebook were believed to have had political overtones.
Yet, for the most part Conficker—theories about its name differ—has done little more than to extend its reach to more and more computers. Though there had been speculation that the computer might be activated to do something malicious on 1 April, the date passed without incident, and some security experts wonder if the program has been abandoned.
The experts have only tiny clues about the location of the program’s authors. The first version included software that stopped the program if it infected a machine with a Ukrainian language keyboard. There may have been two initial infections—in Buenos Aires and in Kiev.