Conficker & Our "Cold War" View of Malware

Conficker. How and why has it spread so successfully? If there's any kind of IT security threat service providers and businesses are prepared for, it's the mass infection worm or virus that overloads networks, mail servers and desktop computers with malicious consequences. The ILOVEYOU virus, Jerusalem, Nimda, Melissa, Sasser, SQL Slammer, Blaster, Welchia, Sobig, MyDoom and Code Red are the kinds of mass attacks we've dealt with in the past. From those experiences we learned how to quickly identify large-scale attacks, utilize technologies like intrusion prevention systems, put virus scanning software on mail servers (not just PCs), shut down networks and systems to limit damage and contain the attack, and deal with new monthly patching processes from Microsoft and most other software vendors to try to close security holes more quickly.

Most of the viruses and malware previously mentioned popped up and spread very quickly. I recall how SQL Slammer burst on the scene on a Friday afternoon, and how Code Red infected computers in waves as users came back to work after a normal weekend off. It was largely because of the experiences I had with Code Red, SQL Slammer and Blaster that I was a part of creating one of the first NAC (network access control) products in the industry while serving as CTO at StillSecure. You could probably claim that those same events led Cisco to coin the term NAC and then buy Perfigo to enter the NAC market, and are why we no longer think of security just at the perimeter of the network, and why views like "trusted" and "untrusted" devices are largely antiquated.

We've been conditioned through these experiences to look for and expect the next "big attack". But massive attacks like Blaster, Sasser and Code Red don't happen much anymore because we are prepared for them. Instead, attackers are taking much different approaches to developing malware. Conficker has focused on rapidly creating multiple concurrent variants, better techniques for evading detection like laying out false leads for security researchers, and, most importantly, it contains no malicious payload. Conficker has been very successful at spreading, in part because there have been no apparent negative consequences, so we haven't marshaled the resources to stop its spread. No harm, no foul - at least so far.

Conficker's two biggest threats are its phone-home-for-instructions feature, and how effectively Conficker has spread. It's the threat of what it could do, whatever that might be, that concerns us. The perception is that Conficker is the sleeper-cell equivalent of a 9/11-type attack on our networks and computers, waiting to be awakened so it can bring about some type of doomsday scenario. We've been conditioned through our past malware experiences to expect this kind of attack, which I refer to as our "cold war" view of security. But we're much less prepared for what Conficker was likely intended to bring on.

The last thing Conficker wants to do is perpetrate a massive malicious attack. Conficker's worst-case scenario is to have us shutting down networks and systems to stop some malicious impact during a massive meltdown. Conficker would be much more effective by invoking many small, targeted, rapidly changing, concurrent attacks that occur in a slow-rolling, spread-out fashion. It also would be smart for Conficker to continue, and even amp up, its pattern of rapidly changing, multiple variations spreading and re-infecting machines. It's much more difficult to put out thousands of small, randomly occurring fires, spread out all over and happening over an extended period of time. If it were one big fire, like the malicious attacks we're all too familiar with, we'd know just what to do and how to respond.

Conficker's downfall may come about because it's been too successful at spreading to so many computers (though we're likely to learn its spread hasn't been as massive as the media has reported, much as occurred with Zotob).

Conficker is exploiting our biggest weakness: complacency when there are no tangible threats or immediate consequences. Maybe Conficker has gotten a little bit too much press, helping us to mobilize and try to get its spread under control before too many of those thousands of small fires begin to pop up.

Or maybe Conficker isn't intended for us at all, but rather for machines with pirated Microsoft software that don't receive vulnerability patches, or those home machines with expired anti-virus subscriptions, disabled automatic updates or antiquated security products that haven't been upgraded in years.

Copyright © 2009 IDG Communications, Inc.