Thursday, April 2, 2009

Conficker: WTF?

As Jerry Seinfeld would say, "Conficker. up...with that?"

All signs (and media outlets) were pointed toward Armageddon on April 1, but this pesky worm, also known as Downup, Downadup, and Kido, has been a bit of a dud.

There was some chatter around the command & control setup, and the list of 500 domains that infected machines were supposed to contact for updates and to download the payload that would bring us to the end of days.

So what happened?

Lots of things. And don't get me wrong - I'm not saying this thing is finished yet. But let's take a peek at a couple of responses that might have been key.

First was the breadth and depth of communication, once the existence of Conficker was known. There was a lot of information sharing going on, not only about the worm itself, but also its variants, along with robust tracking of infection rates, locations, and other important data.

Secondly, DNS providers like OpenDNS did a good job of staying current with the list of domains on the Conficker list to provide blacklisting and other process implementations in attempts to block communication between compromised computers and the update/payload locations.

Third, people patched their Windows boxes, albeit slowly. Some estimates placed the infection rates somewhere between 10 and 20 million computers. This included machines in government, education, finance, and industry worldwide. That should provide some indication of how well these organizations are doing when it comes to providing a proactive, effective security infrastructure, but I digress.

Lastly, scores of security experts and researchers developed and deployed tools to identify, eradicate, assess, and otherwise call out Conficker instances, which allowed for some good forensics and advance remediation prior to the April 1 target date.


What if Conficker was just a UAT test as part of some global proof-of-concept, a probing exercise to baseline not only how quickly and easily targets could be penetrated and compromised, but to analyze response rates and activities by geography, operating system, type of organization, and so on, as preparation for something much larger, more effective, and better concealed?

That's where my money is being placed. This was a precursor exercise.

Attacks and exploits have been trending toward zero-day activities for some time, so it doesn't make any sense to telegraph a punch like this. This has either been a diversion, to keep our focus on Conficker while something even more nefarious was taking place elsewhere, or it's simply a stage that's part of some larger, more intricate objective.

My concern is that we haven't learned the right lessons from the global response, and that there will be a future price to pay. In the meantime, stay posted, secure your infrastructure, and update your response plans based on the gaps you identified over the last couple of months.

You stay classy, info security world.

1 comment:

  1. Hi,

    Good article. Sophos' Conficker removal tool can detect and remove all variants of the worm/virus.

    As long as people run these tools it should stop any serious outbreak.



Please tell me what you think.