A year after Conficker sprang into the public consciousness, the notorious Windows worm continues to claim millions of victims. While the hype has died down, the worm remains an example of the dangers of cutting-edge malware and how cooperation in the security community can make the difference.
The Conficker worm struck Windows computers this past year with the force of a tsunami and swept away illusions of security in the minds of its victims. But after the overhyped April 1 deadline passed quietly, interest among the general public started to dwindle, and for some the malware became just another entry on an ever-growing list of cyber-threats.
The worm itself, however, did not disappear. Today, roughly a year after its appearance, Conficker is still resting on millions of systems around the world. From its innovation to its persistence, Conficker has emerged as a stark example of the dangers of malware and poor patching practices, and of what the security community can accomplish by working together.
"This certainly is one of the most sophisticated pieces of malware that we've ever seen, and that's why the security industry continues to be interested in it in spite of the fact that not a lot has happened over the course of the past year," said Tom Cross of X-Force Advanced Research. "Lots of people have said this is not interesting anymore and stopped paying attention, but those of us who are responsible for this stuff [are] still watching."
Those watching remember that the worm first crept into the public consciousness in November 2008, when Microsoft reported the worm was targeting a vulnerability in its Server service. Microsoft had already issued a rare out-of-band patch for the flaw the previous month in light of limited attacks against it by malware such as Gimmiv. Just before the start of the year, Microsoft officials once again advised organizations to apply the patch.
By then, Conficker was out. The malware authors would go on to update the worm multiple times, with each version providing a new twist on its functionality. Just how many machines are infected with the worm is unknown. According to the Conficker Working Group, as of Oct. 28, 2009, there were more than 7 million unique IPs infected with Conficker variants A, B and C connecting to the group's tracking systems. Many of the new infections are happening outside the
That there could be so many machines still infected with the worm doesn't surprise Eric Sites, a member of the Conficker Working Group from Sunbelt Software.
"Given the level of the attack and the reinfection rates we've seen, this is not surprising," he said. "Above all, it's a reminder of how few people actually patch their systems on a regular basis. Despite the fact that Microsoft came out with a patch in October 2008, before Conficker took hold, the numbers of infected skyrocketed and continue to be very high."
Unpatched systems and applications are often cited as a common cause of hacks and security breaches. But also problematic is the fact that the worm spread in a number of ways: the Server service vulnerability, removable devices and unprotected file shares are all attack vectors, depending on the variant.
"[Using] multiple techniques, including auto-run programs to infect [USB] keys, the worm was able to replicate itself without direction from its creators, which facilitated the spread," Sites said. "Companies were cleaning the same PCs several times only to see them reinfected."
Part of the challenge with Conficker is the cleanup. The malware blocked access to known security sites, making it difficult for victims to download removal tools from vendors like Symantec, McAfee and others. Manual cleanup is "a whopper," said Mikko Hyppönen, chief research officer at F-Secure.
"Conficker was tricky in many ways, but many organizations had really depressing incidents where they pulled a huge effort to clean up a large network, only to have it reinfected in hours," he said. "It requires careful planning to prevent this."
That sentiment could explain why the worm continues to plague Windows computers roughly a year after it first appeared. If nothing else, its authors were innovative, as illustrated by their use of the MD6 cryptographic hash. They also upped the ante by adding self-defense mechanisms into the worm as part of some of the updates, such as the ability to disable security services like Automatic Update. Given all this, perhaps it is wishful thinking to assume other black hats won't copy it.
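As an added illustration of the defender's side of that last point (this is example code written for this page, not code from the article or from any of the organisations quoted), the following PowerShell check reports Windows services that are disabled, or stopped despite being set to start automatically. The article names only Automatic Update; the other service names in the default list (BITS, Security Center, Windows Firewall, Windows Defender) and the thresholds used are my assumptions and should be adjusted per environment.

```powershell
# Added example: list security-relevant Windows services that are disabled, or
# stopped while set to Automatic. Only wuauserv (Automatic/Windows Update) comes
# from the article; the other names are assumptions chosen for illustration.
function Get-TamperedSecurityServices {
    param(
        [string[]]$ServiceNames = @(
            'wuauserv',   # Windows Update / Automatic Updates
            'BITS',       # Background Intelligent Transfer Service (update downloads)
            'wscsvc',     # Security Center
            'MpsSvc',     # Windows Firewall
            'WinDefend'   # Windows Defender
        )
    )
    $findings = @()
    foreach ($name in $ServiceNames) {
        $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
        if ($null -eq $svc) {
            # Not every service exists on every Windows version; report it,
            # but do not treat absence as evidence of tampering by itself.
            $findings += [pscustomobject]@{ Name = $name; Status = 'NotInstalled'; StartType = 'n/a' }
            continue
        }
        # Get-Service exposes StartType on PowerShell 5.0+; fall back to WMI on older hosts.
        $startType = if ($svc.PSObject.Properties['StartType']) {
            $svc.StartType.ToString()
        } else {
            (Get-WmiObject -Class Win32_Service -Filter "Name='$name'").StartMode
        }
        $disabled       = ($startType -eq 'Disabled')
        $autoButStopped = ($startType -like 'Auto*' -and $svc.Status -ne 'Running')
        if ($disabled -or $autoButStopped) {
            $findings += [pscustomobject]@{
                Name      = $name
                Status    = $svc.Status.ToString()
                StartType = $startType
            }
        }
    }
    return $findings
}

# Usage: run in an elevated PowerShell session. An empty result means every listed
# service is either running or legitimately set to start on demand.
Get-TamperedSecurityServices | Format-Table -AutoSize
```

Services such as BITS normally sit stopped with a Manual start type and are started on demand, which is why the check flags only the disabled and auto-but-stopped cases rather than every stopped service; a service that an update or patch process depends on showing up as Disabled is the state worth investigating.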
"I haven't seen any particular pieces of malware that I felt borrowed from Conficker," Cross noted. "But I think that Conficker will have an influence on other malware authors. Conficker sort of demonstrated a successful peer-to-peer communications technique that might be adopted by [others]. ... So I would not be surprised to see other malware that comes out in the future that borrows some of these [techniques]."
The mystery surrounding Conficker (who is controlling all these infected nodes, what do they plan to do with them, and so on) has only served to keep the security community focused, Cross said. That may be the best thing about the worm: it caused the security community to come together. The Conficker Working Group, whose membership includes Microsoft, Afilias, Symantec and others, continues to fight the malware and track infection rates around the world.
"Over my 20-year career in information security, Conficker Working Group has been the single best example of cross-industry co-operation," declared Hyppönen, noting the cooperation went beyond traditional security companies to include CERTs, registrars and others.
Sites agreed, adding that similar partnerships are likely to be seen again.
"There was an immediate collaboration among the top AV researchers and vendors, and the Conficker Working Group was created in short order as a think tank and a mechanism for sharing what we were all learning," he said. "Although we probably won't see a threat of this magnitude for some time, if ever again, I certainly expect that this collaboration will continue. We have a vested interest in helping each other as we battle the cyber-criminal element together."