Conficker’s Real Lesson: It Was All Your Fault

Conficker worm timebomb

Conficker — the malicious worm expected to activate today — did not cause widespread computer meltdowns around the globe.

But considering that Microsoft patched the flaw five months ago, it’s not clear why Conficker ever became a concern to begin with.

So why was it an issue — and will it be an issue again?

The rise of Conficker, as an event and as a media phenomenon, has as much to do with user inaction as it does with the actual threat posed by the worm itself. The Conficker worm is proof positive of the fact that despite security updates and media reports, users can be the weak link in the security ecosystem unless motivated to action.

“Unfortunately the majority of the work that we are doing now is unnecessary if we had reacted quicker in the first place, patching immediately after the fix was released,” Wolfgang Kandek, Qualys’s CTO, told “The delay in applying the patch has lead to this widespread problem with millions of machines infected, and is something that we, the industry and the users, have to address.”

Fortunately, while many users didn’t patch for Conficker early on, all the media hype surrounding the April 1 activation date may have had a positive impact on mitigating risk.

“It doesn’t look like anything will happen today,” Matt Watchinski, senior director of the vulnerability research team at IPS vendor SourceFire, told “That doesn’t mean nothing won’t happen tomorrow. Since there is so much information out there about detecting Conficker, scanning for Conficker, etc., I’d say the hype around April 1st had some positive impact on decreasing the number of infected nodes. Even if it was a so-called ‘bust.'”

SourceFire is the commercial vendor behind the popular, open source SNORT IPS. SNORT is used to detect and intercept malicious traffic, and it can be used to identify Conficker-related traffic. Networking giant Cisco also told that it was using its own IPS tools to help identify and protect against any Conficker-related activities.

Domain registry vendors also stepped up to help in curbing the risks of Conficker. The worm uses the domain name system as part of its command-and-control network, but top-level domain (TLD) operator Afilias told that it had fought back by blocking some 300,000 domain names to date.

The worm, and the reaction to it, has offered some lessons for the industry, according to Afilias, a member of the Conficker Working Group — a group of TLD operators, industry leaders like Microsoft and ICANN, and security researchers.

“Conficker has continued to evolve since it was first identified,” Heather Read, senior director for communications at Afilias, told “We believe this is the first worm of this scale targeting domain names in such a public and massive way.”

[cob:Special_Report]”The response of registry providers and country code domain administrators has been overwhelming and proves the responsiveness of the Conficker Working Group,” she added. “The industry should begin thinking ahead to how to better coordinate to respond to Conficker-like attacks.”

While technology like IPS and the efforts of domain registries are positive themes in the Conficker storyline, the reality is that Conficker — though it’s yet to prove to be a doomsday worm — still exists and likely will for some time to come.

After all, older worms that have long since faded from the headline still persist.

“We still get IDS/IPS events for SQL Slammer, which is more than five years old at this point,” SourceFire’s Watchinski said. “If that’s any indication, I’m assuming Conficker won’t be stamped out completely for a long, long time.”

News Around the Web