Conficker
A worm built an unprecedented multi-million-machine botnet, an industry coalition formed to fight it — and then the botnet's owners never used it.
Beginning in November 2008, a worm exploiting a Windows networking vulnerability — and, in later variants, USB autorun and weak passwords — spread across the world's PCs at extraordinary scale. At its peak, Conficker is estimated to have controlled somewhere between several million and over ten million machines, including networks inside militaries, hospitals, and government agencies.
An algorithm for staying alive
Conficker's distinguishing feature was its resilience. Each day it generated a list of pseudorandom domain names where it would look for instructions. Later variants generated fifty thousand candidate domains daily and used cryptographic signing so that only its true authors could issue commands. To decapitate the botnet, defenders would have to register or block those domains faster than the worm's authors could.
The Cabal
The response was itself historic. A loose coalition of security researchers, registrars, Microsoft, and academics — known as the Conficker Working Group, or "the Cabal" — coordinated to preregister and sinkhole the domain-generation output, day after day, for years. It was one of the first large-scale, sustained, cross-industry defensive coordination efforts.
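The mechanics of the two preceding paragraphs, the daily rendezvous-domain generation and the defenders' preregistration race against it, can be made concrete with a small simulation. The code below is an added illustration written for this page; it is not Conficker's algorithm, and the seed, label scheme, TLD list, domain count and sinkhole address are all constructed placeholders. What it shows is the one property that made the Cabal's work possible: once the generator is recovered from the binary, its only moving input is the date, so a defender can compute tomorrow's domains today and register them first.

```python
"""Constructed DGA-and-sinkhole simulation (illustrative; not Conficker's code)."""
import hashlib
from datetime import date, timedelta

# Constructed parameters. The real worm's seed, label scheme and TLD list are
# deliberately not reproduced; any deterministic generator shows the same point.
TLDS = ("com", "net", "org")
SINKHOLE_IP = "192.0.2.1"  # RFC 5737 documentation address standing in for a defender sinkhole


def candidate_domains(day: date, seed: bytes, count: int) -> list[str]:
    """Return `count` deterministic pseudorandom domains for `day`.

    Both sides can compute this list: the worm's author because it chose the
    algorithm, and the defender because the algorithm was recovered from the
    binary. The date is the only input that changes, so the output for any
    future day is known in advance.
    """
    material = seed + day.isoformat().encode()
    domains = []
    for i in range(count):
        digest = hashlib.sha256(material + i.to_bytes(4, "big")).digest()
        # First 8 bytes become a lowercase label; the last byte selects the TLD.
        label = "".join(chr(ord("a") + b % 26) for b in digest[:8])
        domains.append(f"{label}.{TLDS[digest[-1] % len(TLDS)]}")
    return domains


def sinkhole_plan(seed: bytes, start: date, days: int, count: int) -> dict[str, str]:
    """Defender side: precompute every domain for the next `days` days.

    The result doubles as the registration worklist and as the DNS table used
    below; every entry points at the sinkhole.
    """
    table: dict[str, str] = {}
    for offset in range(days):
        for domain in candidate_domains(start + timedelta(days=offset), seed, count):
            table[domain] = SINKHOLE_IP
    return table


def rendezvous(day: date, seed: bytes, count: int, dns: dict[str, str]) -> dict[str, str]:
    """Bot side: which of today's candidates resolve, and to what address."""
    return {d: dns[d] for d in candidate_domains(day, seed, count) if d in dns}


def coverage(day: date, seed: bytes, count: int, dns: dict[str, str]) -> float:
    """Fraction of the day's rendezvous points that resolve to the sinkhole."""
    today = candidate_domains(day, seed, count)
    return sum(1 for d in today if dns.get(d) == SINKHOLE_IP) / len(today)


if __name__ == "__main__":
    seed = b"constructed-seed"          # placeholder, not a real key
    start = date(2009, 1, 1)
    dns = sinkhole_plan(seed, start, days=3, count=50)

    inside = start + timedelta(days=1)
    print(f"{inside}: coverage {coverage(inside, seed, 50, dns):.0%}, "
          f"{len(rendezvous(inside, seed, 50, dns))} domains resolve, all to sinkhole")

    # Beyond the planning horizon the defender has registered nothing yet, so a
    # single registration by the operator is enough to reach every infected host.
    outside = start + timedelta(days=5)
    dns_after_gap = dict(dns)
    dns_after_gap[candidate_domains(outside, seed, 50)[0]] = "203.0.113.5"  # constructed operator address
    print(f"{outside}: coverage {coverage(outside, seed, 50, dns_after_gap):.0%}, "
          f"resolves to {set(rendezvous(outside, seed, 50, dns_after_gap).values())}")
```

Running the script prints full coverage for a day inside the defenders' plan and zero for a day beyond it, where one operator registration resolves to a non-sinkhole address. The asymmetry the text describes falls out of the numbers: with `count` candidates per day the defender must register or block all of them, every day, while the operator needs only one, which is why the Cabal had to keep the preregistration running continuously rather than as a one-off.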
And then nothing happened. The botnet, despite its size and sophistication, was never meaningfully monetized or weaponized by its operators. Its purpose remains, to this day, unconfirmed.
What the chronicle remembers
Conficker is remembered for two opposite reasons: the largest defensive coalition assembled to that point, and the anticlimax of a doomsday weapon that was never fired. It demonstrated both that cross-industry coordination at internet scale was possible, and that attribution and intent — not just capability — are central to understanding any incident.