Conficker – Executing to a Roadmap of Malicious Intent

Conficker found its way to 60 Minutes last night and now I have friends wanting to know more.  While looking for materials to pass along, I found two great articles by Elinor Mills of CNET News this morning that follow along with my previous entry about “The Good Old Days of Conficker”.  The first is her March 25 article that gives a good overview of the Conficker worm.  The second is her March 28 look back at the 10 year anniversary of the Melissa virus.  Look at the last question at the end of the Melissa piece, which compares Melissa to Conficker.

Reading through Elinor’s timeline piece, it struck me that Conficker is being developed in what has the appearance of an actual software development process, like any application or software product.  The different versions (.B, .C) are in fact releases of the product, deployed at regular intervals to “enhance” the worm.  The group behind this may be so organized that there is a Conficker roadmap with a release schedule.  Shoot, there may be arguments amongst the Conficker dev team about the merits of waterfall versus iterative design as they converse before the next developers’ meeting ahead of the coming 3/31 code drop.

It is not that farfetched.  Cyber crime is clearly more organized, so it is logical to think its processes are equally organized.  Some of you who have done orderly software design may be thinking that this offers the world hope for endpoint security, since organization and rigor are often seen as the culprits behind slower development cycles and delays.  Ultimately though, the Conficker developers still have agility on their side, as they do not have to worry about integration testing, user interface design, backward compatibility, documentation, or any of the hundred other things that slow development cycles.  I am also quite sure they do not have a helpdesk, so development does not have a long list of bugs to address.

My point?  When we think about cyber crime being funded and organized, I am not sure we think about cyber criminals developing attacks with deliberate rigor.  But that may be exactly what we are up against.  It is no longer well funded, smart companies against a rogue hacker.  It is well funded, smart companies against equally well funded, smart organizations executing against a maliciously intended roadmap.

One Response to “Conficker – Executing to a Roadmap of Malicious Intent”

  1. [...] still take far too long to close well known, dangerous gaps in their security.  Second, the sophistication of the worm, the command and control structure and its evolving nature all are illustrative of the growing [...]
