Conficker: The first franchisable botnet?

CoreTrace WhiteSpace

The Application Whitelisting and Security Weblog


There was a lot of FUD flying around prior to April Fool’s Day this year regarding Conficker. Researchers had worked out that on April 1st, 2009 Conficker would change how it looked for updates and could potentially do something devastating. Instead, only a small percentage of infected endpoints were updated, and those endpoints… serve up scareware? Of all the nefarious activity it could do (e.g., make a Balkan state go dark, DoS US critical infrastructure, etc.), it does something as pedestrian as serve up scareware?

It’s almost like a proof-of-concept. Here’s how a presentation by Conficker’s handlers to prospective clients could go: “See, we can do this: Conficker sends millions of spam messages. Or we can do this: Conficker DoSes a competitor of the prospective client. Oh, you want to make a few bucks? Try this: scareware installed on n% of Conficker-infected endpoints.”

I’ve been scratching my head, wondering what gives here. Then it came to me. Conficker is a natural for being franchised out. Instead of handing the reins for the entire botnet to the highest bidder, the handlers could give the controls of, say, a Conficker.f variant to a client who wants to deliver V1@gr4 spam, while a Conficker.h variant awaits its turn to do whatever the highest bidder for the .h variant wants it to do.

Traditionally, control of a botnet has been granted as a whole. The folks behind Conficker are unethical, but also quite intelligent. They have a great understanding of the terrain this battle is being played out on.

McDonald’s® may have sold billions and billions of burgers, but I see a new headline coming in the near future: “Conficker: billions and billions of *insert malware, grayware, scareware, spam* delivered.”
