Conficker's One Year Birthday
Posted by: Wild MissingNo. appeared
Date: 2009-11-28 17:15:06
Conficker's first birthday: how a year of havoc unfolded
Davey Winder reveals how the Conficker worm became one of the world's biggest security problems and how the experts dealt with it
21 November marks exactly a year since the Conficker worm was unleashed upon an unsuspecting world - and what a year it has been with an estimated 15 million infections.
We wouldn't normally devote space to a malware birthday party, but Conficker is different. Not only was it one of the fastest spreading Windows worms ever, but it exposed the complacency of everyone from sole traders to large enterprises (and even Parliament, the NHS and the Royal Navy) when it comes to IT security and the importance of being properly patched.
How did it start?
When it comes to what you may call The Conficker Genesis, we have to look back some three months before the appearance of the worm itself. As with all births, our story starts at the conception. In the case of Conficker, its parentage can be traced back to the Gimmiv Trojan, which exploited the exact same vulnerability as Conficker.
Conficker was first spotted on 20 August 2008 in South Korea, although it wasn't seen in the wild until 29 September in Vietnam. Luckily it was a poorly coded Trojan and this prevented it from spreading too widely. This should have been the end of the story, with Microsoft rolling out a non-scheduled security patch (MS08-067) with a recommendation to apply immediately and close the vulnerability gap there and then, on 23 October.
Unfortunately, all it did was encourage the bad guys to exploit it further, secure (oh, the irony) in the knowledge that millions of people would be complacent about patching. Only three days after the patch was released, on 26 October, an exploit toolkit was being sold by a Chinese group. Ironically, this was cracked and ended up being available for free in online underground circles, and within days the malware makers got busy with their trade.
It took less than a month for Conficker.A to arrive in the wild on 21 November. Rather cleverly it added to the Gimmiv exploit by infecting others on the network and then patching the vulnerability to prevent other worms getting in on the act. These particular hackers didn't want other gangs muscling in and diluting the potential payday by reducing the size of the resulting botnet.
What did Microsoft do?
Microsoft responded within 24 hours. On 22 November it reminded users that they should apply that MS08-067 patch immediately. But only four days later, half a million Conficker.A infected machines were seen to be talking to control domains (a different set of 250 domains every day, to make takedown all but impossible), suggesting that users were simply not listening.
Little more than a month later and the first instance of Conficker.B was spotted, now with the added ability to spread by way of removable drives, and throwing in some hefty encryption to hide command and control comms for good measure.
Conficker has been around for a year now, and is still causing havoc. I heard a rumor that Conficker was going to be updated to destroy computers by destroying the Master Boot Records, but I haven't heard of anything, and I can't find the article, so a late birthday to the pest Conficker who still runs about.
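The article's point about a fresh set of 250 control domains every day cuts both ways: it defeats takedown, but it also gives defenders a pattern to look for in DNS logs. The following is an added example, not part of the post or the article, showing that detection heuristic over a constructed query log; the log format, hosts, domains and thresholds are all assumptions made for the example.

```python
from collections import defaultdict

# Constructed sample DNS query log (not a real capture). Each line is
# "<date> <client_ip> <queried_domain>", one query per line.
SAMPLE_LOG = "\n".join(
    # rendezvous-style host: 260 distinct throwaway domains in one day
    [f"2008-11-26 10.0.0.5 d{i:04d}.example" for i in range(260)]
    # ordinary host: a couple of domains looked up over and over
    + [f"2008-11-26 10.0.0.9 {d}" for d in ("mail.example", "update.example") * 40]
    # the same rendezvous host on the next day, with an entirely fresh set
    + [f"2008-11-27 10.0.0.5 e{i:04d}.example" for i in range(255)]
)


def parse_log(text):
    """Yield (date, client, domain) tuples, skipping blank or malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 3:
            yield tuple(parts)


def flag_dga_hosts(text, min_distinct=200, min_novel_ratio=0.9):
    """Return {(client, date): distinct_domain_count} for host-days that look
    like daily domain-generation rendezvous: many distinct domains, nearly all
    of them never queried by that host on an earlier day.
    Thresholds are assumptions tuned to the ~250-domains-per-day pattern."""
    per_day = defaultdict(set)
    for date, client, domain in parse_log(text):
        per_day[(client, date)].add(domain)
    seen_before = defaultdict(set)  # client -> domains seen on earlier days
    flagged = {}
    for client, date in sorted(per_day, key=lambda k: (k[1], k[0])):
        domains = per_day[(client, date)]
        novel = len(domains - seen_before[client])
        if len(domains) >= min_distinct and novel / len(domains) >= min_novel_ratio:
            flagged[(client, date)] = len(domains)
        seen_before[client] |= domains
    return flagged


if __name__ == "__main__":
    for (client, date), n in sorted(flag_dga_hosts(SAMPLE_LOG).items()):
        print(f"{date} {client}: {n} distinct never-seen domains, possible rendezvous beaconing")
```

The novelty check matters because a busy but legitimate host also resolves many names; what singles out a daily rendezvous scheme is that almost none of today's names were queried yesterday.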