One year since Conficker failed to flicker into action, what have we learned?
One year ago today, the world of internet security and the public at large were holding their breath in anticipation of the Conficker worm being activated.
It was a tense time for all. The worm, which was also known as Downadup and Kido, had been spreading for around six months, since the initial detection of variant A on 21st November 2008. This was followed by the detection of variant B in December 2008 and variant C on 20th February 2009.
It was the rumoured activation of the worm, with a botnet of around eight million computers around the world at its command, that worried people. A week before 1st April, Jose Nazario, manager of security research at Arbor Networks, claimed that companies should take the threat seriously; after much research, he said: ‘To the best of our understanding it is not a joke and it appears that something will happen.’
As it turned out, not a lot did happen. Well, not on 1st April anyway. There was a whisper on the day that some activity had been seen, but nothing happened until 9th April, when Trend Micro detected variant E, which used the previously established P2P network to contact and communicate with other infected machines.
Trend Micro senior security advisor Rik Ferguson informed SC about this new variant, which he deemed to be the major activity that had been anticipated.
Since then, though, it has been a case of ‘what if’ with Conficker: what if it had activated and sent a flurry of spam? What if it had conducted a distributed denial-of-service (DDoS) attack? What if it were used now?
That is not to say that it has gone altogether. Speaking to SC this week, Ferguson pointed to the Conficker Working Group website, which states that 6,298,318 computers are still infected, from 219 unique IP addresses.
He said: “It is a botnet, so it can do what its owners want it to do; it can be used to send malware, but it has been one of those weird botnets where no one knows who is responsible and we haven't quite got what it was used for. What to do with it? Everyone presumed that it did some stuff as everything else. It is a botnet full of questions.”
Perhaps the largest effect that Conficker had on the public at large was to serve as a reminder of the need not only to have security software on their computers, but also to take basic security measures.
Ferguson said that the important lesson to be learned from the press coverage was to ensure that vulnerabilities are patched and passwords are made more complex.
“I hope it persuaded people to make sure that they have complex passwords and, if they are not patched immediately, they need to make sure that they have technology that is updated in case, so that they cannot be exploited. It only takes one infected computer to infect others and spread,” said Ferguson.
Ed Rowley, product manager at M86 Security, said that he wished this were a case of user education, but he expected that it was really a symptom of Conficker being a victim of its own success.
He said: “Because it was so widespread the industry dealt with it. Unfortunately, spam remains at a high level and the spammers are still using very similar techniques to fool people into opening email attachments or visit web pages that will attempt to infect their machines and lead them into the zombie kingdom.
“Generally speaking, people seem to remember security concerns only for a short time after a big outbreak and then relax over time as it suits them, after all who wants to think about security when you are in a hurry to find out about Cheryl Cole's latest dress, Michael Jackson's last dance or John Terry's haircut: common sense flies out of the window in the face of potential gossip.”
He also claimed that it is easy to forget that Conficker was just an extremely successful example of what is essentially an ever-present threat, and this is what people need to learn and to take action against.
Echoing Ferguson's thoughts, Rowley said: “From a security manager's perspective, I think it has been a good reminder of best practices: proper patching, effective gateway security and properly configured firewalls. It's also served to remind them that the biggest threat to their security is their users who continue to be targeted as the weak link by the criminal gangs.”
Kaspersky CEO Eugene Kaspersky claimed that people were aware of the problem and that its most important impact had been on governments. He said: “They understand that this sort of threat is a serious problem but they still do not understand that it is not possible to fix on a national level.”
What about the future? Symantec's Vincent Weafer commented that the computers infected with Conficker ‘are still much like a loaded gun, waiting to be fired’.
He said: “Protections are in place to monitor the botnet's activity and following the best practices above will go a long way in preventing further infections, but the reality is that until the current infections are completely eradicated, which likely will require a larger, radical action by ISPs, Downadup/Conficker is still a threat.”
One year ago we did not know what to expect, and within a week Conficker had become something mentioned only in passing, in lists of the notable headlines of 2009 or of the year's major security risks. Either way, more than six million computers are still infected, and someone out there still has their finger on the activation button.