rendezvous points.[2]

Yet another lesson from the study of Conficker is the ominous sophistication with which modern malware is able to terminate, disable, reconfigure, or blackhole native OS and third-party security services.[6] Today's malware truly poses a comprehensive challenge to our legacy host-based security products, including Microsoft's own anti-malware and host recovery technologies. Conficker offers a nice illustration of the degree to which security vendors are challenged not just to hunt for malicious logic, but to defend their own availability, integrity, and the network connectivity vital to providing them a continual flow of the latest malware threat intelligence. To address this concern, we may eventually need new OS services (perhaps even hardware support) specifically designed to help third-party security applications maintain their foothold within the host.

What is Conficker's Purpose?

Perhaps one of the main reasons why Conficker gained so much early attention was our initial lack of understanding of why it was there. From analyzing its internal binary logic, there is little mystery to Conficker. It is, in fact, a robust and secure distribution utility for disseminating malicious binary applications to millions of computers across the Internet. This utility incorporates a potent arsenal of methods to defend itself from security products, updates, and diagnosis tools. Its authors maintain a rapid development pace and defend their current foothold on their large pool of Internet-connected victim hosts.

Nevertheless, knowing what it can do does not tell us why it is there. What did Conficker's authors plan to send to these infected drones, and for what purpose? Early speculation included everything from typical malware business models (spam, rogue AV, host trading, data theft, phishing), to building the next 'Dark Google',[5] to fears of full-fledged nation-state information warfare. In some sense, we are fortunate that it now appears that Conficker is currently being used as a platform for conducting wide-scale fraud, spam, and general Internet misuse (rather traditional uses with well-understood motives). As recently as April 2009, Conficker-infected hosts have been observed downloading Waledec from Waledec server sites, which are known to distribute spam. Conficker has also been observed installing rogue antivirus fraudware, which has proven a lucrative business for malware developers.[3]

Is Conficker Over?

From October 2008 to April 2009, Conficker's authors produced five major variants, lettered A through E: a development pace that would rival most Silicon Valley startups. With the exception of Conficker's variant E, which appeared in April and committed suicide on May 5th, Conficker is here to stay, barring some significant organized eradication campaign that goes well beyond security patches. Unlike traditional botnets that lie dormant until instructed, Conficker hosts operate with autonomy, independently and permanently scanning for new victims, and constantly seeking out new coordination points (new Internet rendezvous points and peers for its P2P protocol). However, despite their constant hunt for new victims, our Conficker A and B daily census (C is an overlay on prior-infected hosts) appears to have stabilized at between approximately 5 and 5.5 million unique IP addresses (as of July 2009).[1] Nevertheless, any new exploit (a new propagation method) that Conficker's authors decide to distribute is but one peer exchange away from every current Conficker victim. It is most probable that Conficker will remain a profitable criminal tool and relevant threat to the Internet for the foreseeable future.

Is There Any Good News?

Yes. Perhaps in ways the Conficker developers have not foreseen, and certainly to their detriment, Conficker has been somewhat of a catalyst to help unify a large group of professional and academic whitehats. Organized groups of whitehats on invitation-only forums have certainly previously self-organized to discuss and share insights. But Conficker brought together a focused group of individuals on a much larger scale with a clearly defined target, now called the Conficker Working Group (CWG).[1] The details of the CWG and its structure are outside the scope of this column, but the output from this group provides some insight into their capabilities. Perhaps its most visible action has been the CWG's efforts to work with top-level domain managers to block Internet rendezvous point domains from use by Conficker's authors. Additionally, group members have posted numerous detailed analyses of the Conficker variants, and have used this information to rapidly develop diagnosis and remediation utilities that are widely available to the general public. They actively track the infected population, and have worked with organizations and governments to help identify and remove infected machines. They continue to provide government policymakers, the Internet governance community, and Internet data providers with information to better reduce the impact of future malware epidemics. Whether such organized efforts can be sustained and applied to new Internet threats has yet to be demonstrated.

References

1. Conficker Working Group Web site (June 2009); http://
2. Giles, J. The inside story of the Conficker worm. New Scientist Journal (June 12, 2009); http://www.newscientist.com/article/mg20227121.500-the-inside-
3. Krebs, B. Massive profits fueling rogue antivirus market. The Washington Post (Mar. 16, 2009); http://voices.
4. Lemos, R. Cabal forms to fight Conficker, offers bounty. Security Focus (Feb. 13, 2009); http://www.
5. Markoff, J. The Conficker worm: April fool's joke or unthinkable disaster? Bits: The New York Times (Mar. 19, 2009); conficker-worm-april-fools-joke-or-unthinkable-disaster/
6. Porras, P.A., Saidi, H., and Yegneswaran, V. Conficker C analysis. SRI International technical report (Apr. 4, 2009); http://mtc.sri.com/conficker/addendumc/#secu
7. Williams, C. Conficker seizes city's hospital network. The Register (U.K.) (Jan. 20, 2009); http://www.

Phillip Porras (email@example.com) leads SRI International's cyber threat analytics effort that includes the Malware Threat Center and BotHunter.

Copyright held by author.
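The rendezvous points described under "Is Conficker Over?" and the CWG's domain blocking described under "Is There Any Good News?" both rest on one property: the rendezvous domains are a deterministic function of the date, so anyone who holds the generation algorithm can compute them before the bots ever query them. The Python below is an added illustration of that defender loop; it is not code from the column, from SRI, or from the CWG, and it does not reproduce Conficker's actual generation algorithm (which the column does not give). The seed, the TLD list, the domain count, the SHA-256 derivation, the sample log format and the sample DNS log lines are all hypothetical stand-ins constructed for this example.

```python
"""Pre-computable rendezvous domains: why blocking them ahead of time works.

Added illustration, not Conficker's real algorithm: a hypothetical generator
derives each day's domains from (shared seed, date, index) with SHA-256. Bots
and defenders holding the same seed compute the same list, so a defender can
build a block list for days that have not happened yet.
"""
from __future__ import annotations

import hashlib
from datetime import date, timedelta

# Hypothetical parameters for the stand-in generator (not Conficker's values).
SEED = b"example-botnet-seed"
TLDS = ("com", "net", "org", "info")
DOMAINS_PER_DAY = 50
DEMO_DAY = date(2009, 4, 1)


def rendezvous_domains(day: date, seed: bytes = SEED,
                       count: int = DOMAINS_PER_DAY) -> list[str]:
    """Deterministically derive the rendezvous domains for one day."""
    names = []
    for i in range(count):
        material = seed + day.isoformat().encode() + i.to_bytes(2, "big")
        digest = hashlib.sha256(material).digest()
        length = 8 + digest[0] % 4                      # label of 8..11 letters
        label = "".join(chr(ord("a") + b % 26) for b in digest[1:1 + length])
        tld = TLDS[digest[31] % len(TLDS)]
        names.append(f"{label}.{tld}")
    return names


def blocklist(start: date, days: int, seed: bytes = SEED) -> set[str]:
    """Defender side: every domain the bots will try from `start` for `days` days."""
    blocked: set[str] = set()
    for n in range(days):
        blocked.update(rendezvous_domains(start + timedelta(days=n), seed))
    return blocked


def flag_queries(log_lines: list[str], blocked: set[str]) -> list[tuple[str, str]]:
    """Detection side: (client_ip, qname) for each query to a blocked domain.

    Lines are 'timestamp client_ip qname', a format constructed for this
    example; names are lower-cased and a trailing FQDN dot is ignored.
    """
    hits = []
    for line in log_lines:
        parts = line.split()
        if len(parts) != 3:
            continue                                    # skip malformed lines
        _, client, qname = parts
        if qname.lower().rstrip(".") in blocked:
            hits.append((client, qname))
    return hits


# Constructed sample DNS log (not real traffic): one query to today's list,
# one benign query, one upper-cased query with a trailing dot to tomorrow's list.
SAMPLE_LOG = [
    f"2009-04-01T10:00:01Z 192.0.2.10 {rendezvous_domains(DEMO_DAY)[3]}",
    "2009-04-01T10:00:02Z 192.0.2.11 www.example.org",
    f"2009-04-01T10:00:03Z 192.0.2.12 "
    f"{rendezvous_domains(DEMO_DAY + timedelta(days=1))[0].upper()}.",
]


def demo(days: int = 7) -> list[tuple[str, str]]:
    """Block `days` days ahead from DEMO_DAY and scan SAMPLE_LOG against it."""
    return flag_queries(SAMPLE_LOG, blocklist(DEMO_DAY, days))


if __name__ == "__main__":
    for client, qname in demo():
        print(f"{client} queried rendezvous domain {qname}")
```

Two points the code makes that the prose does not: the block list has to cover a window of future days, not just today, because a bot will start resolving tomorrow's names as soon as its clock rolls over (a one-day window misses the third sample query), and any match must normalize case and the trailing FQDN dot or a resolver log will quietly slip past it. A host-side or resolver-side block list like this one only approximates what the column attributes to the CWG, which was to have the top-level domain managers themselves withhold the names from registration.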