It snuck onto millions of computers in just a few months, and has been called "one of the most sophisticated pieces of malignant software ever seen" - but what, exactly, was the Conficker Worm all about? A new story explains.
New Scientist has a wonderful in-depth article about how the Conficker Worm worked its way around the internet, and the steps taken by various internet security professionals to try to stop it:
Every day, the worm came up with 250 meaningless strings of letters and attached a top-level domain name - a .com, .net, .org, .info or .biz - to the end of each to create a series of internet addresses, or URLs. Then the worm contacted these URLs. The worm's creators knew what each day's URLs would be, so they could register any one of them as a website at any time and leave new instructions for the worm there.
It was a smart trick. The worm hunters would only ever spot the illicit address when the infected computers were making contact and the update was being downloaded - too late to do anything. For the next day's set of instructions, the creators would have a different list of 250 to work with. The security community had no way of keeping up.
No way, that is, until Phil Porras got involved. He and his computer security team at SRI International in Menlo Park, California, began to tease apart the Conficker code. It was slow going: the worm was hidden within two shells of encryption that defeated the tools that Porras usually applied. By about a week before Christmas, however, his team and others - including the Russian security firm Kaspersky Labs, based in Moscow - had exposed the worm's inner workings, and had found a list of all the URLs it would contact.
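The daily-list trick the excerpt describes, as an added defender's example (not code from the article, and not Conficker's actual generator): a constructed date-seeded generator with the same shape as the one described above (250 names a day across the five TLDs named) and the step that becomes possible once the algorithm has been reverse-engineered, precomputing a day's list and flagging DNS queries in constructed log lines that land in it. The log format and all sample values are assumptions.

```python
import hashlib
from datetime import date

# Constructed stand-in for a date-seeded domain generator. It is NOT the real
# Conficker algorithm; it only shares the shape the article describes: 250
# pseudo-random labels per day, each given one of five top-level domains.
TLDS = [".com", ".net", ".org", ".info", ".biz"]
NAMES_PER_DAY = 250


def daily_domains(day: date, count: int = NAMES_PER_DAY) -> list[str]:
    """Derive the day's candidate rendezvous domains from the date alone.

    Because the only input is the date, anyone who knows the generator (the
    authors, or defenders who extracted it) can produce the same list ahead of time.
    """
    domains = []
    for i in range(count):
        digest = hashlib.sha256(f"{day.isoformat()}:{i}".encode()).digest()
        length = 8 + digest[0] % 5                     # 8 to 12 lowercase letters
        label = "".join(chr(ord("a") + b % 26) for b in digest[1:1 + length])
        domains.append(label + TLDS[digest[31] % len(TLDS)])
    return domains


def flag_dga_lookups(dns_log_lines: list[str], day: date) -> list[str]:
    """Return queried names from the log lines that are on the day's precomputed list.

    Assumed (constructed) log format: "<timestamp> <client_ip> query <qname>".
    Names are normalised to lowercase with any trailing dot removed before matching.
    """
    watchlist = set(daily_domains(day))
    hits = []
    for line in dns_log_lines:
        parts = line.split()
        if len(parts) >= 4 and parts[2] == "query":
            qname = parts[3].lower().rstrip(".")
            if qname in watchlist:
                hits.append(qname)
    return hits


if __name__ == "__main__":
    day = date(2009, 1, 1)
    generated = daily_domains(day)
    # Constructed sample log: two lookups planted from the day's list, one benign.
    sample_log = [
        f"2009-01-01T10:00:00 10.0.0.5 query {generated[3]}",
        "2009-01-01T10:00:01 10.0.0.5 query www.example.com",
        f"2009-01-01T10:00:02 10.0.0.9 query {generated[120].upper()}.",
    ]
    print(flag_dga_lookups(sample_log, day))
```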
The back and forth between the Worm's creators, constantly reworking their code to get around the latest security upgrades, and the people working to break the Worm once and for all, is the kind of thing that nerdy blockbusters are made of - even if it ends on an unsatisfying moment that allows both sides to claim victory. What may be most eye-opening, however, is the suggestion that the Worm itself was just misdirection to make security experts look in the wrong place at the right time... and that the entire thing was just laying the groundwork for other people to make money. Go, read and feel very insecure about your Microsoft Updates.
The inside story of the Conficker worm [New Scientist]