What we’ve learned from 10 years of the Conficker mystery

Jason Sattler

08.01.19 7 min. read

Conficker—AKA Downadup AKA Downup AKA Kido—is a network worm that infected millions of PCs beginning in late 2008. And as we pass through a number of anniversaries marking 10 years since this threat exploded around the world, it remains one of the most common malware infections in the world and the Conficker mystery has never been truly solved.

Maybe forgotten, but definitely not gone

The hype around the Conficker worm, which began to build at the end of 2008 and went into overdrive as rumors spread of something terrible coming on April 1, 2009, made headlines around the world. But industry action helped prevent the massive botnet of millions of computers the worm had captured from being fully exploited.

While Conficker is no longer the most prevalent malware family detected by F-Secure Labs, as it was for much of this decade, the worm still tries to infect millions of machines every year.

Who was behind the Conficker worm?

Nearly a decade after Microsoft offered a $250,000 reward for “information leading to the arrest and conviction of the individuals behind the creation and/or distribution of Conficker”, it has never been collected. (That we know of.)

In 2018, Peter Yuryevich Levashov was extradited to the United States and pleaded guilty to running the Kelihos botnet. Some experts, Brian Krebs reports, see proven connections between Levashov and Conficker.

What was Conficker’s goal?

No one can say for sure. The threat was initially designed, and then updated, to spread to as many machines as possible, creating a massive botnet of zombie computers that could be used for numerous crimes, including spreading spam and scareware (malware that pretends to be antivirus). But it was only used to infect users with scareware once, for a brief time within months of the initial infection.

“It is likely that the Conficker Working Group effort to counter the spread did make it more difficult for the author to act with impunity, but the author did not seem to have tried his or her hardest,” the Conficker Working Group, formed by industry leaders including F-Secure to fight the threat, reported in its Lessons Learned report.

What did the industry learn from Conficker?

“People will start panicking,” said F-Secure’s Christine Bersasco. “Even when there is already protection.”

But the massive hype around Conficker didn’t just bring the industry together, it also had the perverse effect of introducing millions to basic concepts of internet security as broadband access, social media and smartphone adoption were all beginning to explode.

What did the criminals learn?

“Criminals learned to hide their command and control more efficiently along with the importance of proper opsec in their operations to stay under the radar,” said F-Secure’s Veli-Jussi Kesti. “They also learned that malware that gets too prominent will get cut down.”

Christine said that this taught criminals that if you want to spread like Conficker, you need to profit from it immediately.

“But if the goal is to just be destructive, worms that automatically spread via network vulnerabilities are the best way to do it,” she added.

How could Conficker have been prevented?

On the surface, the answer to the question “How could Conficker have been prevented?” is simple: update your devices with all available updates as soon as possible; run top-notch internet security in case criminals find new ways to exploit your machines; never plug a strange USB stick into your computer. These lessons are simple, but simple lessons are the ones most often forgotten.

People clicking on attachments well into the second decade of the 21st century helped bring on the ransomware explosion, which has since subsided somewhat. Security practices are still so lax that the network worms WannaCry and NotPetya inflicted billions of dollars of damage in 2017. Enough people still click on links in spam to make it the most popular way to spread malware, even as we near the third decade of the twenty-first century.

Where are we a decade later?

The rise of Conficker, and the way it has never quite fallen away completely, offers a fascinating look at cyber security as we enter 2019.

Here’s a look back at what may be the most explosive and pervasive malware threat in the history of computing—and what we’ve learned 10 years later.

Download the infographic.

Full Conficker Timeline:

August 20, 2008
A Trojan that exploits the same vulnerability Conficker would later use is spotted on a server in South Korea.

October 23, 2008
Microsoft releases an emergency critical Windows security patch, MS08-067, during the International Botnet Task Force meeting in Washington, DC.

November 20, 2008
Conficker Version A is released and detected the next day.

November 22, 2008
Microsoft issues an additional security alert recommending immediate patching of MS08-067.

December 1, 2008
Following instructions in the code, Conficker A-infected machines connect to trafficconverter.biz. The file that is supposed to be downloaded is not there.

December 29, 2008
Conficker Version B is released, and the same day the UK’s Sheffield Hospitals confirms that 800 of its computers are among the more than a million worldwide that have been infected with the worm.

“I thought to myself, how can this file work? But apparently it did.”
– Christine Bersasco, F-Secure

January 1, 2009
Conficker Version B begins trying to check in at 250 different web domains.

Over the next few weeks, the worm explodes making headlines around the world and exploiting millions of new machines.

“I do distinctly remember the feeling of impending doom – what will this thing actually collect from the networks as final payload? I also remember the struggle of coming up with a generic detection for it, given that all the samples were produced through heavy use of server-side polymorphism.”
— Paolo Palumbo, F-Secure

February 12, 2009
Microsoft forms the Conficker Working Group and offers a $250,000 bounty for information leading to the arrest of the worm’s creators.

The group gets to work registering all the available domains Conficker A and B attempt to connect with and pointing them at “sinkhole” servers. Tools that quickly identify if a machine has been infected with the worm are also spread widely.

“I think this was a big step forward in the modern way of fighting against malware and people behind malware.”
— Veli-Jussi Kesti, F-Secure

February 16, 2009
The worm’s authors respond with the release of Conficker.B++, which doesn’t need to contact any web domains for updates.

Late February, 2009
Conficker C, the first major rewrite of the worm, is spotted. This version connects to more domains, increases defenses and adds “peer-to-peer” capabilities that allow infected computers to communicate over networks so they don’t have to reach any web domains to be updated.

Despite the industry’s best effort to downplay them, rumors of something big happening on April 1, 2009 begin to spread.

March 31, 2009
All PCs infected with Conficker C begin checking 500 web domains randomly selected from 50,000 URLs.
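The sinkhole strategy in numbers, as an added illustration that is not part of the original article. Assuming, as a model, that an infected host picks its daily domains uniformly at random (the article only gives the counts, not the generator), the first function estimates how likely a Conficker C host is to reach at least one pre-registered sinkhole domain in a day; the second scans constructed resolver log lines for clients that resolved sinkholed names, the kind of check defenders relied on to find infected machines. The log format, domain names and sinkhole list are invented.

```python
from math import comb

# Figures from the timeline: Conficker C checked 500 of 50,000 domains per day,
# Conficker B checked 250 domains per day.
C_POOL, C_PER_DAY = 50_000, 500
B_PER_DAY = 250


def sinkhole_hit_probability(pool, checked, registered):
    """Probability that a host drawing `checked` distinct domains uniformly at
    random from `pool` candidates contacts at least one of `registered`
    sinkholed domains that day. Uniform selection without replacement is a
    modelling assumption, not a description of Conficker's real generator."""
    if registered >= pool:
        return 1.0
    p_miss = comb(pool - registered, checked) / comb(pool, checked)
    return 1.0 - p_miss


def flag_sinkhole_contacts(dns_log, sinkholed):
    """Scan resolver log lines of the form "<ts> client=<ip> query=<name>" and
    return, per client IP, the sinkholed names it tried to resolve. A client
    resolving several sinkholed names in one day is a strong infection signal
    and a candidate for isolation and cleanup."""
    hits = {}
    for line in dns_log.splitlines():
        fields = dict(f.split("=", 1) for f in line.split()[1:])
        name = fields.get("query", "").lower().rstrip(".")
        if name in sinkholed:
            hits.setdefault(fields.get("client", "?"), []).append(name)
    return hits


# Constructed sample data: an invented sinkhole list and log, not real indicators.
SINKHOLED = {"abcde.example", "fghij.example", "klmno.example"}
SAMPLE_LOG = """\
2009-04-01T00:00:01 client=10.0.0.5 query=abcde.example
2009-04-01T00:00:02 client=10.0.0.5 query=fghij.example
2009-04-01T00:00:03 client=10.0.0.9 query=www.f-secure.com
2009-04-01T00:00:04 client=10.0.0.5 query=KLMNO.example.
"""

if __name__ == "__main__":
    # Conficker B: every daily domain was pre-registered, so every host checked in.
    print("B, all 250 registered:", sinkhole_hit_probability(B_PER_DAY, B_PER_DAY, B_PER_DAY))
    # Conficker C: even 1,000 registered out of 50,000 catches nearly every host per day.
    print("C, 1,000 of 50,000 registered:", sinkhole_hit_probability(C_POOL, C_PER_DAY, 1_000))
    print("Clients contacting sinkholes:", flag_sinkhole_contacts(SAMPLE_LOG, SINKHOLED))
```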

April 7, 2009
Conficker E is released, aimed at computers already infected with Conficker C. It installs Waledac, “scareware” that imitates anti-virus software to extort money from users.

Suspicions that this version came from a third-party group that rented out the botnet seemed to be confirmed when this threat was revealed to include code that uninstalled itself and reverted back to version C on May 3, 2009.

Mid-April 2009
Conficker A and B have been locked out of all the known domains used for updates. The hype around the April 1 rumors leads to massive press coverage and awareness of the threat and of cybersecurity in general.

But the hype just didn’t live up to reality. As the sense that people had been pranked by the deadline grows, the worm continues to spread but the headlines around it quickly fade.

An estimated 5 to 15 million computers are infected in the initial outbreak.

September 2009
Stuxnet – sometimes called the “first cyberweapon” – is released.

Like Conficker, it exploits the MS08-067 vulnerability. Also, like Conficker, it is unusually complex.

Unlike Conficker, we ultimately discovered Stuxnet’s purpose—attacking Iran’s nuclear weapons program.

Sources: F-Secure “News from the Labs” blog; “The evolution of an extraordinary globe-spanning worm” by Byron V. Acohido; Conficker Working Group’s Lessons Learned; Motherboard’s “The History of Stuxnet: The World’s First True Cyberweapon”.
