So April One has come, and largely gone, and Conficker has not torn asunder the fabric of society as predicted. But this story is far from over, and while we exhale that the infrastructure of our world is still intact, we do need to consider some important thoughts regarding this attack.
First, Conficker escaped detection and infected a significant number of machines before anything could be done to stop its spread. Depending on whom you believe, Conficker is sitting on millions of machines, which is remarkable given that it did nothing extraordinary to propagate itself. In fact, it confounded the experts because it seemed uninterested in propagation. But the fact remains that it made it past the many layers of defenses on a considerable number of machines.
This is not the first wake-up call that current detection techniques are quickly becoming obsolete, but it sure is a loud and public one. Unrecognized threats will continue to increase in frequency and complexity, and counting on 20-year-old technology to defend endpoint machines is not an effective strategy.
Second, while we have identified it and stopped its spread (we think), it is still sitting on these millions of machines. What interest Conficker lacks in propagation, it makes up for in abundant interest in survival, phoning home for updates to evolve and evade the efforts to thwart it. I came across John Pescatore’s Gartner Research on Conficker and while he believes the April 1 threat is a non-event, he does see the existence of the worm on millions of machines as a serious problem that must be addressed. There are techniques to isolate infected machines, but with no viable remediation techniques available, the best someone with an infected machine can hope for is to re-image the machine and start over. The Conficker clean-up is non-trivial, folks, and has yet to really begin.
Third, since it is sitting on all of these machines, phoning home for new instructions and evolving to evade detection and remediation, the real damage may be yet to come. The big shift in malicious attacks has been the evolution from the hack for attention to the hack for long-term financial gain. For every bit that yesterday’s hacker craved attention and notoriety, the cyber criminal of today craves stealth and a lack of detection. The apocalyptic April 1 warnings were welcome fodder for the press, but this worm was built for the long term, and the damage it is likely to cause will not be spectacular and public, but slow and deliberate, to maximize impact while minimizing the chance of detection.
It was Churchill who noted that man often stumbles onto the truth, but too often picks himself up and carries on as if nothing happened. People much smarter than I believe that Conficker is a real taste of the future of cyber crime, and we have tripped over it in a big way. Time will tell if we return to our false sense of security and carry on as if nothing happened, or use this as a real marker in how we go about defending endpoint computers.
[...] blog today about day after the April 1 Conficker hype. I agree with his take, which mirrored my post from yesterday. Conficker was not built to be a public spectacle – it was built for the long term and while [...]
[...] would stir, there was rampant speculation as to what it would do. Conficker appeared to be readying for something big on April 1 and the speculation became somewhat comical as predictions ranged from minor attacks to global [...]