Q&A: Why Conficker was a victim of its own success
By Davey Winder
Posted on 20 Nov 2009 at 12:14
Q How did Conficker encourage collaboration within the security industry - surely that existed already? At least that's what the security industry has been saying for the past decade.
A Conficker showed how strong the security community really is and how quickly it can react. There was an immediate collaboration among the top AV researchers and vendors, and the Conficker Working Group was created in short order as a think tank and a mechanism for sharing what we were all learning.
Although we probably won't see a threat of this magnitude for some time, if ever again, I certainly expect that this collaboration will continue. We have a vested interest in helping each other as we battle the cyber-criminal element together.
Q What, if anything, has Conficker taught us about security patching?
A Conficker highlighted a major problem that exists in the security industry; it brought to light the fact that shockingly few people actually patch their systems on a regular basis. Despite the fact that Microsoft came out with a patch in October 2008, before Conficker took hold, the numbers of infected skyrocketed and continue to be very high.
Q Does the Conficker story reveal anything new or evolutionary about hackers and virus writers?
A Conficker was an indication that hackers know that patching is actually a vulnerability in most organisations. We'll see more and more virus writers creating attacks for already-patched vulnerabilities, knowing full well that their victims have ignored the patches and are still vulnerable.
Q How successful, in practical terms, has the Conficker Working Group been in disrupting the spread of the worm?
A The members of the Conficker Working Group have been meeting via phone on a weekly basis for the past year to discuss the latest developments with Conficker (new variants, cleaning techniques, etc), and to share with the rest of the group what they are seeing in their own research. CWG also advises all levels of law enforcement on any new leads they pick up in the search for the worm's creators. By trying to clean as many PCs as possible, promoting patch management, and bringing attention to the severity of Conficker, they've been able to stem the tide.
Q So, is Conficker dead? Should PC Pro readers be worried a year on?
A Conficker is most definitely still a threat, even after a year. It hasn't been used in large measure to disseminate malware attacks or "kill" commands, but the unique ability it has shown to replicate and propagate itself through various means has made it very difficult to keep up with. Enterprises should continue to implement security patches and home users should be wary about using infected USB keys or downloading malware through malicious links or sites.
