"If the right order were given, and all these computers worked together in one concerted effort, a botnet with that much computing power could crack many codes, break into and plunder just about any protected database in the world"
Right, but with a well-written distributed brute force application, it could probably get through a lot of password cracking. No need to break AES-256.
It may not be able to actively worm its way through a good firewall, but who's to say an infected USB stick, user downloading cursors or smilies, or other vulnerability would drop it in past it?
The issue then, is whether the botnet admin would recognize the luck\value of a select machine with inside access, or if it would go unnoticed.
Naturally, it wouldn't necessarily be able to enter any given secure network, database or machine.
But it quite possibly could enter quite a lot of them ... if the conficker masters are indeed as cryptographically sophisticated as the article describes.
Just imagine the attack on Google supplemented by a botnet. Modern attackers already have many vectors with which to attack private networks. Having a botnet can only give an attacker more opportunities.
So I think it's entirely correct to say the virus is worrisome at the least.
Are the Conficker masters really as cryptographically sophisticated as the article describes? They implemented an encryption algorithm that had been submitted as a SHA-3 candidate, complete with its flaws, then updated it to patch the flaw only after the author of the algorithm corrected his own work.
Similarly, they exploited a flaw in Windows only after Microsoft released a security update describing the bug.
The Conficker creators are certainly paying attention and taking advantage of the right opportunities, but they're not quite the super-genius polymaths that the article is making them out to be.
Anyone know a good, friendly, easy-to-deploy conficker killer? I think I have it on an old windows machine, and all the AV products are so fucking STOOPID that they do shit like refuse to install in safe mode.
If I seriously wanted to crack something difficult, I wouldn't recruit more computers; I'd recruit more great people. A concerted effort by a small group of talented people, joined by the Internet is more effective than brute force will be, especially if the first plan is to brute force current encryption.
Recruiting great people might be difficult if your pitch starts out with "Well, we're going to break into secure networks, steal millions - maybe billions - of dollars, flee the countries of our origin."
Uh, no, it couldn't. A big botnet does not magically give you access to well-protected computers or networks. See http://en.wikipedia.org/wiki/Brute_force_attack for some perspective.
I don't care how big Conficker is, it's not going to break AES-256 any time soon (or really any large key based on an algorithm without a weakness).
Similarly, Conficker isn't going to be able to get into protected internal networks with a good firewall simply by virtue of having lots of machines.