Feature

Comment: Thoughts from a security researcher on Conficker

10 December 2009
Patrick Runald

Patrick Runald, senior threat research manager at Websense Security Labs shares his thoughts on Conficker as the worm reaches its first anniversary of appearing in the wild.

I practically lived Conficker for the four months between the end of December 2008 (when the .B variant was found) and the beginning of April 2009, when the .C variant activated its domain generation algorithm. I was involved in several clean-ups, some small, some very big. Conficker is very easy to get rid of in theory, but it proved hard to clean up a network properly, for these reasons:

  • We saw many unique variants over several weeks, and many vendors did not have generic detection at the time, so even though one Conficker was detected, the second Conficker worm might not have been.
  • The worm's spreading capabilities are really aggressive and combine online and offline spreading, which makes it very powerful.
  • Even if the system was patched, the Conficker worm also spreads using USB devices and network shares, which meant many users got re-infected even when the patch had been installed.
  • Basically, the best way to clean up a network was to turn it off completely and go machine by machine, which is of course very time consuming.

Conficker has quietened down in recent months among enterprise and corporate users, as they have installed the patches made available and most have also disabled autorun for USB devices, which closes two big spreading vectors for the worm. Therefore we no longer see many infections in these types of networks today. However, there are still seven million Conficker-infected computers out there, and we believe them to be, in the main, home users, primarily in Brazil and Russia.
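The two mitigations named above are a patch and a policy setting. The policy half can be audited on a Windows host with the following PowerShell, an added example that is not from the article or from Websense. It assumes the standard Windows policy value NoDriveTypeAutoRun (a bit mask in which each set bit suppresses AutoRun for one drive type, 0xFF disabling it everywhere) and that the host is a Windows build that honours that value; the function and parameter names are the example's own. The sample masks passed at the end are constructed to show the three possible outcomes without reading the registry.

```powershell
# Added example (not from the article): audit whether AutoRun is disabled for the
# drive types Conficker used to spread offline (removable/USB and network drives).
# Uses the Windows policy value NoDriveTypeAutoRun; bit positions follow the
# Win32 DRIVE_* type codes (1 shl type).
$AutoRunBits = @{
    Removable = 0x04   # USB sticks, floppy drives
    Fixed     = 0x08
    Network   = 0x10   # mapped network shares
    CdRom     = 0x20
    RamDisk   = 0x40
}
$AllDrives = 0xFF      # value Microsoft documents for disabling AutoRun on all drive types

function Test-AutoRunMask {
    # Pure function: given a NoDriveTypeAutoRun value (or $null when the policy
    # is absent), report which Conficker-relevant drive types are still exposed.
    param([Nullable[int]]$Mask)

    $exposed = @()
    foreach ($name in 'Removable', 'Network') {
        $bit = $AutoRunBits[$name]
        if ($null -eq $Mask -or (([int]$Mask -band $bit) -eq 0)) {
            $exposed += $name
        }
    }
    [pscustomobject]@{
        Mask      = $Mask
        Compliant = ($exposed.Count -eq 0)
        Exposed   = $exposed
    }
}

function Get-AutoRunPolicy {
    # Read the policy value from one registry hive; returns $null if it is not set.
    param([string]$Hive = 'HKLM')   # 'HKLM' (machine policy) or 'HKCU' (user policy)
    $path = "$($Hive):\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer"
    $item = Get-ItemProperty -Path $path -Name NoDriveTypeAutoRun -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.NoDriveTypeAutoRun
}

function Test-HostAutoRun {
    # Machine policy takes precedence; fall back to the user hive only if it is unset.
    $mask = Get-AutoRunPolicy -Hive 'HKLM'
    if ($null -eq $mask) { $mask = Get-AutoRunPolicy -Hive 'HKCU' }
    Test-AutoRunMask -Mask $mask
}

# Constructed sample values showing the three outcomes without touching the registry:
Test-AutoRunMask -Mask $null        # no policy at all: Removable and Network exposed
Test-AutoRunMask -Mask 0x91         # Windows default (0x80+0x10+0x01): Removable still exposed
Test-AutoRunMask -Mask $AllDrives   # 0xFF: compliant

# Live check of this host:
Test-HostAutoRun
```

Run it with an account that can read the policy keys; a result with Compliant = False and Removable in Exposed is exactly the configuration that let a patched machine be re-infected from a USB stick. Setting the value is a change-management decision, so the script only reports.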

Worms are nothing new, of course. In the past we have seen similar worms (Blaster and Sasser spring to mind) that worked very much like Conficker. Conficker was almost as successful as those two worms, and it would be fair to say that we will definitely see more worms in the future.

While it would be easy to assume that users, Microsoft and vendors would learn from experience with previous worms, people do forget and technology changes. Despite new security features in operating systems, there are unfortunately always ways for malware to get in. It is just a matter of the right exploit being found and the right motivation for the bad guys to code a worm that uses it, and we are back in the same scenario.

So, while I want to say we are winning, it is really a matter of changing the game. Security vendors and those charged with managing security in enterprises have to realise that trying to protect against today's threats with yesterday's technology (relying on file-based detection) is not going to work, and you will lose. To address these issues, we need solutions that provide real-time, dynamic threat protection, so that businesses get the most out of today's connected environment while staying protected and in control.

Patrick Runald is senior threat research manager at Websense Security Labs
