I practically lived Conficker for the four months between the end of December 08 (when the .B variant was found) and the beginning of April 09 when the .C variant activated its domain generation algorithm. I was involved in several cleanups, some small, some very big. Conficker is very easy to get rid of in theory but it proved hard to properly clean-up a network due to these reasons:
We saw many unique variants over several weeks and many vendors didn’t have generic detection at the time so even though one Conficker was detected, the second Conficker worm might not have been
The worm’s spreading capabilities are really aggressive and combines online and offline spreading which makes it very powerful
Even if the system was patched the Conficker worm also spreads using USB devices and network shares which meant many users got re-infected even when the patch had been installed
Basically the best way to clean up a network was to turn it off completely and do machine per machine which is of course very time consuming
Conficker has quieted down in recent months amongst enterprise and corporate users as they installed the patches made available and most have also disabled autorun from USB devices which are two big spreading vectors for the worm. Therefore we today don’t see as many infections in these types of networks anymore. However, there are still seven million Conficker infected computers out there and we believe them to be in the main, home users, primarily in Brazil and Russia.
Worms are nothing new of course. In the past we’ve seen similar worms (Blaster, Sasser etc spring to mind) that worked very much like Conficker. Conficker was almost as successful as those two worms and it would be fair to say that we will definitely see more worms in the future.
While it would be easy to assume that users / Microsoft / vendors would learn from experiences with previous worms, people do forget and technology changes. Despite new security features in operating systems there are unfortunately always ways for malware to get in. It’s just a matter of the right exploit being found, the right motivation for the bad guys to code a worm that uses it and we’re back again in the same scenario.
So, while I want to say we’re winning, it’s really a matter of changing the game. Security vendors and those charged with managing security in enterprises have to realise that trying to protect against today’s threats with yesterday’s technology (relying on file based detection) is not going to work and you will lose. To address these issues, we need solutions that provide real-time dynamic threat protection in order to get the most out of today's connected business environment, while staying protected and in control.
Patrick Runald is senior threat research Manager at Websense Security Labs