Q&A: Why Conficker was a victim of its own success
Posted on 20 Nov 2009 at 12:14
Eric Sites is well known in the IT security business as CTO of Sunbelt Software. He is also a member of the Conficker Working Group (CWG), which was established in February 2009 with a brief to combat the Conficker worm.
The CWG was facilitated by Microsoft, but it relies on the collective expertise of technology industry leaders and academia, a collaborative and global approach that has driven an unparalleled security response. We asked him how the team dealt with the biggest threat to IT security in recent history.
Q Looking beyond the hype, what was truly innovative about Conficker?
A Actually, there were really no "new" techniques used in Conficker, but the creators certainly used some sophisticated methods, including an encryption algorithm that had just been unveiled by Ron Rivest of RSA at the time. By combining multiple known techniques, including auto-run programs to infect USB keys, the worm was able to replicate itself without direction from its creators, which facilitated the spread. Companies were cleaning the same PCs several times only to see them re-infected. It was one of the most persistent worms we've seen to date.
Q So why was it actually created, and do you think that its success might have taken its creators by surprise?
A At this point, there's no doubt that the goal of Conficker wasn’t to do any immediate harm, but rather to create a botnet army and a platform that could be used for other attacks. The goal was likely to create something that could be "rented" by cyber criminals or even cyber terrorists and used for any number of reasons.
However, the creators were likely surprised by how successful Conficker was, as it took on a life of its own. The amount of media hype it has provoked and the attention it has drawn from law enforcement may result in it not being used at all. Any activity is being tracked by quite a few watchful eyes and the creators will be very careful not to draw attention to themselves for fear of being caught. This could make Conficker useless to them at this point. And the example it has set will make other attackers and malware writers incredulous about creating another "mega-bot."
It has been a technical success beyond imagination, but a business failure so far in terms of the rewards the creators likely intended to reap.
Q Did the media hype machine, ironically, help neutralise the Conficker threat?
A As I said before, the creators likely didn't plan for the level of panic that Conficker prompted. Most botnets aren’t recognised by the average consumer computer user, but Conficker became a household name, and the amount of news coverage it received was the only way that anyone outside the security industry would have learned about it. The press also upped the ante for global law enforcement to focus on finding the creators, making any action on their part very dangerous.
Q Could Conficker be the last "mega-bot" we ever see as a result of all this attention?
A Botnet armies and hacking techniques are not meant to be seen or heard for the most part. The most successful cybercrime is designed to be parasitic, striving to survive for long periods of time, undetected, and slowly siphon from bank accounts, sensitive data stores, etc. Conficker's notoriety has shown that the bigger the bot, the less effective it may end up becoming. Too much attention means little activity and little gain.
Printed from www.pcpro.co.uk