Three Dutch researchers have crunched data gleaned from efforts to battle the Conficker bot and declared anti-botnet initiatives all but useless for clean up efforts.
Conficker was born in 2008 spreading aggressively through a since patched remote code execution Microsoft vulnerability (MS08-067) that affected all operating systems including servers. The rate increased with a malware update that allowed Conficker to spread via USB
More ReadingRussian hacker, nabbed in Spain, cops 4+ years for Citadel botnetPartially blind albino porn pirate nabbed for £300k bedroom streaming sitePopcorn time at Popcorn Time: More vid slurpers hauled into courtActivist pens pirate's map to 'liberating' academic journalsVeedub flub hubbub stubs car-jack hack flap
A million machines are thought to be still infected. Some 12 million unique IP addresses were still pinging a Conficker sinkhole server in the six weeks to December last year, despite that the botnet is headless and long abandoned.
About 284,000 of those were also infected with the scuttled GameOver Zeus bot, showcasing the threat that the headless node machines present to the wider internet.
Researchers Hadi Asghari, Michael Ciere, and Michel J.G. van Eeten of Delft University of Technology say efforts including Australia's iCode, Germany's BotFrei, and Ireland's anti-botnet initiative are largely failures.
"It is somewhat surprising, and disappointing, to see no evidence for the impact of the leading remediation efforts on bot cleanup," the trio say in the paper [Post-Mortem of a Zombie: Conficker Cleanup After Six Years pdf].
"We find that institutional differences, such as ICT development or unlicensed software use, explain much of the variance, while the national anti-botnet centers have had no visible impact" while "... institutional factors such as ICT development and unlicensed software use have influenced the spread and cleanup of Conficker more than the leading large scale anti-botnet initiatives."
The researchers say botnet battlers are better served by helping to bolster a country's long term ICT development. Those with low technology development house twice as many Conficker nodes than those which are IT advanced.
To that end they highlight Finland for its long-term look at botnet cleansing which has made that country one of the least infected nations.
Rampant Windows piracy is also a major factor in hindering botnet cleanup efforts as it means often that automatic patch updates, one of the best security tools available, are turned off.
Anti-botnet initiatives should according to the trio fund long-term sustainability of botnet sinkholes which capture otherwise compromised user traffic and are often fleeting, lasting only a few weeks or months.
"In contrast to command and control server take-down, bot remediation needs the mindset of a marathon runner, not a sprinter," the trio says.
The researchers examined logs from February 2009 to September 2014, covering 62 countries and some 34,000 autonomous systems. ®