
Conficker's first birthday: how a year of havoc unfolded

Posted on 20 Nov 2009 at 14:01

Reports suggested that as many as 10 million Windows machines had been infected by Conficker as the new year rolled in, quickly followed by reports of some seriously worrying infections in places you might hope were better protected. On 6 January, the worm disabled a Ministry of Defence comms network called NavyStar, on 75% of the Royal Navy’s fleet. Also in January, reports emerged that hundreds of computers at NHS hospitals in Sheffield had been infected, with non-urgent appointments being cancelled as a result.

Marshalling the defence

Microsoft’s attempts to snuff out Conficker were – perhaps through no fault of its own – clearly failing. So, on 12 February, Microsoft established the Conficker Working Group (CWG) in an attempt to disrupt the spread of the worm and the use of the resulting botnet. It also announced a bounty of $250,000 for information leading to the arrest and conviction of those responsible for Conficker.

However, only four days later a new variant (Conficker.B++) arrived, which attempted to circumvent the CWG's methods of disrupting communications. A fortnight later, Conficker.C was spotted, which updated previously infected machines and turned them into P2P networks, with precise instructions to poll for commands from a central pool of 50,000 domains at random. Even by the end of March, the security message was still not getting through, as a leaked email revealed that the Parliamentary Network had been infected by Conficker.

April Fools

Conficker’s infamy peaked on April Fools’ Day, the day the botnet – with up to 15 million zombie PCs under its control – was expected to strike. But to the disappointment of the national news media, who’d been dragging security experts into the studios all day, absolutely nothing happened. In fact, the attention of the world’s media, security experts and law enforcement agencies may have persuaded the botnet’s controllers that a strike was simply too risky.

Although things have certainly quietened down as far as Conficker is concerned, there have still been reports of infections causing chaos. In July it was revealed Manchester City Council had been infected, costing the council as much as £1.5 million in clean-up costs. And only last month the network at Oxford Brookes University was taken offline following a 'sustained and significant' incident involving Conficker.

So, a year after it first reared its ugly head, is the Conficker worm still a danger? “Conficker is most definitely still a threat, even after a year,” said Eric Sites, a member of the Conficker Working Group, in an exclusive interview with PC Pro. “It hasn't been used in large measure to disseminate malware attacks or ‘kill’ commands, but the unique ability it has shown to replicate and propagate itself through various means has made it very difficult to keep up with.”

This is one birthday that definitely offers no cause for celebration.

Author: Davey Winder

PCPro-Computing in the Real World Printed from www.pcpro.co.uk
