Print Email Facebook Twitter Post-mortem of a Zombie: Conficker cleanup after six years Title Post-mortem of a Zombie: Conficker cleanup after six years Author Asghari, H. Ciere, M. Van Eeten, M.J.G. Faculty Technology, Policy and Management Department Multi Actor Systems Date 2015-12-31 Abstract Research on botnet mitigation has focused predominantly on methods to technically disrupt the commandand-control infrastructure. Much less is known about the effectiveness of large-scale efforts to clean up infected machines. We analyze longitudinal data from the sinkhole of Conficker, one the largest botnets ever seen, to assess the impact of what has been emerging as a best practice: national anti-botnet initiatives that support largescale cleanup of end user machines. It has been six years since the Conficker botnet was sinkholed. The attackers have abandoned it. Still, nearly a million machines remain infected. Conficker provides us with a unique opportunity to estimate cleanup rates, because there are relatively few interfering factors at work. This paper is the first to propose a systematic approach to transform noisy sinkhole data into comparative infection metrics and normalized estimates of cleanup rates. We compare the growth, peak, and decay of Conficker across countries. We find that institutional differences, such as ICT development or unlicensed software use, explain much of the variance, while the national anti-botnet centers have had no visible impact. Cleanup seems even slower than the replacement of machines running Windows XP. In general, the infected users appear outside the reach of current remediation practices. Some ISPs may have judged the neutralized botnet an insufficient threat to merit remediation. These machines can however be magnets for other threats — we find an overlap between GameoverZeus and Conficker infections. We conclude by reflecting on what this means for the future of botnet mitigation. To reference this document use: http://resolver.tudelft.nl/uuid:b7587090-7292-4836-afbc-eb8256e326b7 Publisher USENIX Association ISBN 978-1-931971-232 Source Proceeding SEC'15. Proceedings of the 24th USENIX Conference on Security Symposium, Washington DC, August 12-14, 2015 Part of collection Institutional Repository Document type conference paper Rights (c) 2015 Usenix Association Files PDF 326012.pdf 1.64 MB Close viewer /islandora/object/uuid:b7587090-7292-4836-afbc-eb8256e326b7/datastream/OBJ/view