Conficker: A 10-year retrospective on a legendary worm

This November marked the 10-year anniversary of Conficker, a fast-spreading worm targeting Microsoft systems that went on to claim one of the highest levels of infection in history. Millions of computers were eventually infected by the worm, including hospitals across Europe as well as ordinary consumers.

Looking back to my time helping to defeat the worm however, it is apparent that the outbreak also helped to elevate the security industry and shape many of the security practices we now take for granted.

Conficker emerges

Winding the clocks back to November 2008, I held the position of Senior Program Manager at the Microsoft Malware Protection Center (MMPC) in Redmond, Washington. I had been with the team for five years by the time Conficker broke and was heavily involved in coordinating responses to major security events.

Like many worms and viruses at the time, Conficker was made possible by a vulnerability in Microsoft Windows, which was addressed by security bulletin MS08-067. However, once released, the patch made it possible for many more hackers out there to reverse engineer it and figure out what the vulnerability exactly was and how to exploit it. The result was one of the biggest security events during my 15 years with Microsoft.

What made Conficker so dangerous?

One of the reasons Conficker was such a serious incident was its scope. The vulnerability patched by MS08-067 affected the vast majority of Windows computers – hundreds of millions of devices around the world.

More frightening still was its ability to replicate and spread rapidly to new machines. The first version of Conficker to emerge didn’t self-replicate, so the overall number of infections was limited, but the second variant which appeared a while later was fully self-replicating. The group behind Conficker was constantly working on updating the worm, and we eventually catalogued five different variants in the following few months, going from Conficker A to E.

Armed with full self-replication capabilities, Conficker was not only able to compromise devices, but infect any vulnerable remote computers accessible from that machine. This ability was fully automated – the attacker did not need to carry out further social engineering attacks, and no interaction was needed from the user. Conficker B also added the ability to spread via removable media and network shares.

Lessons learned from dealing with the threat

Along with the work of the MMPC, the scope of Conficker saw the security industry rallying together in a remarkable way. Researchers from many different companies joined together to form the Conficker Working Group, dedicated to sharing information that would enable us to defeat the worm. We had frequent calls, and a constantly updating mailing list to keep information flowing. The level of cooperation between these different researchers had a hugely positive impact in stopping Conficker’s rampant spread.

Perhaps the most important breakthrough was the idea of sinkholing. As a botnet, Conficker relied on a connection to a central domain to get its commands. Being canny, the attackers programmed the malware to connect to a different domain each day. Those domain names were generated dynamically, effectively making it a lot harder to take them down.

However, by reverse engineering the domain generation algorithm (DGA), it was possible to work out what domains would be registered next. The Conficker Working Group then took over the domains in advance, and when the bots connected, they were not sent any commands – stopping them from functioning. Furthermore, the sinkholing allowed telemetry to be gathered regarding the spread of the worm.

Microsoft even posted a $250,000 reward through a bug bounty program, a fairly new concept at the time, for significant information that would lead to the arrest and conviction of the creators of Conficker. Conficker strongly demonstrated the value of communication in dealing with threats. As well as the members of the Conficker Working Group keeping information flowing internally, a great deal was also shared with the wider security community and general public.

Lessons still being learned

Microsoft’s own responsiveness and ability to quickly resolve exploits has benefited from Conficker. Although Microsoft still regularly releases bulletins for patch updates, it is extremely rare to see a malware outbreak as a result, and nothing has matched Conficker in the last decade.

However, while the software and security industries have taken some of the lessons of Conficker to heart, many organisations still have some way to go. Patching hygiene in particular is still very poor in many places, particularly in public sector bodies such as hospitals which are often using old machines and lack the organisation and resources to ensure that they are properly managed and regularly updated. Last year’s infamous WannaCry and NotPetya ransomware attacks were only effective because so many organisations had not applied a patch, even though its EternalBlue exploit has been publicly known for one and two months respectively.

Vulnerabilities in Microsoft Windows as severe as MS08-067 have become very rare. Some may say that none exists anymore, and we are unlikely to see another incident on this scale in the future. However, until organisations, and especially the public sector, optimize their patching; attackers will be given easy vectors to attack their systems.