Q&A: Conficker – One year laterby Steve Ragan - Nov 16 2009, 21:00
This week marks what is generally accepted as the birthday of one of the most notorious Worms online, Conficker. The Conficker Worm drew an unprecedented amount of press and panic as it infected millions of systems last fall, only to fizzle out of the public eye after a spring scare turned out to be nothing.
We talked to Eric Sites, CTO of Sunbelt Software and member of the Conficker Working Group, about the Conficker Worm and some of its more unique features.
The Tech Herald (TTH): What was so innovative about Conficker?
Eric Sites (ES): Actually, there were really no "new" techniques used in Conficker, but the creators certainly used some sophisticated methods, including an encryption algorithm that had just been unveiled by Ron Rivest of RSA at the time.
By combining multiple known techniques, including auto-run programs to infect USB keys, the worm was able to replicate itself without direction from its creators, which facilitated the spread. Companies were cleaning the same PCs several times only to see them re-infected. It was one of the most persistent worms we've seen to date.
TTH: Why it was created? Did its massive success surprise or maybe even frighten its creators?
ES: At this point, there's no doubt that the goal of Conficker was not to do any immediate harm, but rather to create a botnet army and a platform that could be used for other attacks. The goal was likely to create something that could be "rented" by cyber criminals or even cyber terrorists and used for any number of reasons.
However, the creators were likely surprised by how successful Conficker was as it took on a life of its own. The amount of media hype it has provoked and the attention it has drawn from law enforcement may result in it not being used at all. Any activity is being tracked by quite a few watchful eyes and the creators will be very careful not to draw attention to themselves for fear of being caught.
This could make Conficker useless to them at this point. And the example it has set will make other attackers and Malware writers incredulous about creating another "mega-bot." It has been a technical success beyond imagination, but a business failure so far in terms of the rewards the creators likely intended to reap.
TTH: So the media hype may have actually helped on some level?
ES: As I said before, the creators likely didn't plan for the level of panic that Conficker prompted. Most botnets are not recognized by the average consumer computer user, but Conficker became a household name, and the amount of news coverage it received was the only way that anyone outside the security industry would have learned about it. As mentioned before, the press also upped the ante for global law enforcement to focus on finding the creators, making any action on their part very dangerous.
TTH: How did Conficker encourage collaboration within the security industry?
ES: Conficker showed how strong the security community really is and how quickly it can react. There was an immediate collaboration among the top AV researchers and vendors and the Conficker Working Group was created in short order as a think tank and a mechanism for sharing what we were all learning.
Although we probably won't see a threat of this magnitude for some time, if ever again, I certainly expect that this collaboration will continue. We have a vested interest in helping each other as we battle the cyber-criminal element together.
TTH: What did Conficker teach us about patching?
ES: Conficker highlighted a major problem that exists in the security industry; it brought to light the fact that shockingly few people actually patch their systems on a regular basis. Despite the fact that Microsoft came out with a patch in October 2008, before Conficker took hold, the numbers of infected skyrocketed and continue to be very high.
TTH: What does Conficker’s development say, if anything, about the evolution of criminal hackers?
ES: Conficker was an indication that hackers know that patching is actually a vulnerability in most organizations. We'll see more and more virus writers creating attacks for already-patched vulnerabilities, knowing full well that their victims have ignored the patches and are still vulnerable.
TTH: Could Conficker be the last “mega-bot” we’ll see?
ES: Botnet armies and hacking techniques are not meant to be seen or heard for the most part. The most successful cyber crime is designed to be parasitic in nature, striving to survive for long periods of time - undetected, and slowly siphon from bank accounts, sensitive data stores, etc. Conficker's notoriety has shown that the bigger the bot, the less effective it may end up becoming. Too much attention means little activity and little gain.