
Conficker, One Year On

I’ve seen a few articles popping up about Conficker, how damaging it was and how we handled it. Conficker was first detected in November 2008, and it exploited several flaws in Microsoft Windows operating systems to establish a connection with a cloud-based, virtualised administration console.

The authors simply wanted to create a large botnet, which could provide a foundation for DDoS attacks. These bots, or zombie machines, would be controlled remotely, allowing commands to be executed in the background without the knowledge of the user.

To increase the distribution of the worm, Conficker exploited a vulnerability in the Server service to infect hosts and self-propagate. Once infected, a machine could then infect other machines on its network, as well as crossing greater divides by spreading as a self-executing file on a memory stick. These methods were very effective in propagating the worm across networks faster than action could be taken to counteract it.

Conficker's effects on private and public sector organisations were huge and disrupted normal activities, as it was necessary to put quarantining procedures in place to stop any further spread.

Globally, it was reported that significant outages were being caused in businesses and government bodies. One example was a number of French military aircraft having to be grounded because Conficker left them unable to download flight plans.

Ironically, Conficker was actually preventable, because Microsoft had issued a patch weeks before the worm started to take hold. This just highlights how important it is for organisations to make sure their systems are maintained properly and fully patched to manufacturers' recommendations.

Ideally, a central patch management solution should be used to make sure this is managed properly and that you have true visibility of the patch posture of your computer assets.

The main goal of the authors was to create a DDoS network while minimising damage to the infected machine. This means that, if there is a next time, the impact could be multi-pronged, causing malicious and costly damage as the worm propagates through the system, perhaps targeting sensitive data and using its own transport mechanism to release it into the public domain.