Conficker Worm Case Study

Computer crimes are rampant in the world today, as computers and databases are being attacked to access and steal vital information from users. One computer crime that has received a wealth of attention in recent years is the creation of the Conficker Worm. The malware originated in 2008 and infiltrated the computer operating systems in millions of businesses, homes, and the government. Despite efforts by Microsoft, researchers, and the government to control the virus, the Conficker Worm is an important criminal act to study since it is still infecting computers throughout the world today.

The Conficker Worm was first introduced to the world in 2008. On October 23, 2008, Microsoft published a security bulletin which explained that a new computer virus could be acquired through the internet and most Microsoft Operating Systems would be vulnerable (Bortnik, 2010). These systems included Windows 2000, Windows XP, Vista, Server 2003, and Server 2008 (Izumaki, 2011). The bulletin took many people by surprise, as there had not been a severe computer virus out for several years. However, Microsoft warned about the strength of this virus, as most computers and operating systems were now severely vulnerable to its capabilities.

The strength of the Conficker Worm was extraordinary, as it was able to steal administrator passwords, usernames, and attach itself to cookies that are stored when visiting a website. Further, Microsoft (2013) found that the Conficker Worm was capable of locking out accounts and disabling security-related tools while rapidly reproducing. This gave users limited access to their accounts, and it left many accounts vulnerable to being accessed by unknown users. Also, with security-related tools now disabled, the result would be self-dissemination. The virus would rapidly reproduce and infiltrate the operating system, infecting and corroding all of the internal hardware in the computer.

By November of 2008, word of the Conficker Worm spread rapidly around the globe. It was now commonly known as the Conficker Virus, Downup, Downadup, and Kido (Burton, 2013). By December of 2008, reports confirmed that the Conficker Worm had infected 1.5 million IP addresses throughout 206 countries (Porras, 2009). Microsoft users from Asia to the United States were now experiencing some symptoms of the virus, as many were not updating their security protection tools. In addition, the virus was now found in the computers and databases in businesses, homes, and in government systems. Microsoft would now dedicate their time to looking into the source of the malware and to determining how to control and attack the cyberware.

Originally, Microsoft knew that the Conficker Worm was self-replicating malware that attacked the IP addresses of computers. However, on further review, it was determined that Conficker actually made use of domain names instead of IP addresses to attack computers (Piscitello, 2010). According to Burton (2013), once Conficker breaks through a firewall and it is installed on a computer, the malware will generate a list of 250 infected domains that updates every three hours. Then, the worm disables all of the computer's antivirus products and downloads these malicious files, which affects every aspect of the computer (Microsoft, 2013). Users are now unable to access certain controls on their computers or even use their computer, and if the user sends a file to another user, that file can now spread the worm. Unfortunately, Microsoft would soon learn that there were five variants of the virus that were attacking the operating systems of computers worldwide.

Extensive investigations and research on the Conficker Worm have determined that there are five variants of the virus. These variants are called Conficker A, B, C, D, and E (Iuzamaki, 2010). First, Conficker A penetrates a computer’s firewall and generates 250 infected domains for the computer to access, while Conficker B uses a dictionary to break passwords on a computer (Porras, 2009). Once the worm has successfully obtained these passwords, the worm is now able to infect the hardware and files of the computer. Then, Conficker C will disable the computer’s antiviral systems and send any website that it searched to the infected domains (Iuzamaki, 2010). Finally, Conficker D and E help with this process; however, Conficker E will continue to exploit and infect the entire operating system with malware. In all, these five variants will leave an operating system unusable and make other computers and databases within the network susceptible to being infected with the same malware.

By 2009, the effects of the Conficker Worm were staggering. In April of 2009, reports surfaced that the “losses generated by the worm may reach 9.1 billion” (Bortnik, 2010, p. 7). Further, roughly seven million business and home computers were now infected with the worm (McMillan, 2010). According to Schwartz (2012), Conficker was created to topple business networks, and when the business fails to rid Conficker from all computers in the business, repeat outbreaks will occur. This, in turn, led Microsoft to offer a reward to capture the culprits who created the malware. Microsoft offered a $250,000 reward to any individual who can uncover who is behind the creation and execution of the Conficker Worm (Grigonis, 2009). However, they did feel that the worm was being executed by syndicates in Eastern Europe, Southeast Asia, China, or Latin America (Finkle, 2009). Unfortunately, the reward was never claimed, and the worm now began attacking the operating systems used by pilots, police, and the government.

In 2009, the Conficker Worm was not solely confined to infecting the operating systems of businesses and homes. Instead, the malware began to attack the operating systems used by pilots to download their flight plans. In France, military fighter planes were unable to take off after the Conficker Worm attacked the computers of French Naval Staff (Willsher, 2009). Interestingly, France had been notified of the malware before the attacked occurred, but officials failed to listen to the warning and protect their computers. In addition, by January of 2010, police in England were cut off from their criminal database for three days when Conficker corrupted their computers (BBC, 2010). Fortunately, the department took measures to investigate the source of the worm and to remove the virus from all computers in the department.

Not only were pilots and police vulnerable to the Conficker Worm, but the government was also experiencing the consequences of the malware. Carr (2012) explained that government sites and military networks were also infiltrated and paralyzed by Conficker. Interestingly, the U.S. Department of Homeland Security decided to intervene, and they released a detection tool that can be used by the federal government, commercial vendors, state and local governments, and critical infrastructure owners and operators to scan their networks for the Conficker computer worm (DHS, 2009). Further, the tool was also recommended for home computers, and users were able to obtain the software for free. Curiously, the software that was distributed by Homeland Security was not able to resolve the problem and the malware continues to rapidly spread, thus furthering the significance of this criminal act.

After presenting an overview of the Conficker Worm, there are three reasons as to why this criminal act is significant to study. First, historically, governments used botnets and malware to wage cyberattacks and warfare against others (Ok-Ran et al., 2011). However, in the case of the Conficker Worm, malware was used to infiltrate the operating systems of governments and militaries. This is a complete reversal of roles and one that may have caught the government off guard. Now, government agencies must use the intelligence that they hold to launch cyberattacks to protect themselves from being vulnerable from an attack.

The second reason as to why the Conficker Worm is significant to study is that it questions the reliability of internet software. The magnitude of destruction that the malware caused millions of businesses, homes, and agencies was staggering even though many of the operating systems in these entities were equipped with antivirus software. However, the Conficker Worm was still able to penetrate these firewalls and destroy databases, networks, and internal hardware of the computer. This now poses a challenge to researchers, designers, and businesses to find ways to increase internet security to prevent further attacks like this on their systems (Schmidt, 2012). Further, increased internet security would dramatically lower the economical toll that cyber warfare cost governments, businesses, and homeowners.

The final reason that makes the Conficker Worm a significant crime to study is that the malware led to the creation of a task force to eliminate the malware. Usually, computer software designers are in charge of creating antivirus software to protect the operating systems of computers and databases. However, in the case of Conficker, security software vendors, the intelligence community, and other security research organizations were unsuccessful at fully monitoring and analyzing Conficker (Piscitello, 2010). Therefore, a special group had to be created to monitor the worm. As Conficker Working Group (2011) explained, “Starting in late 2008, and continuing through June of 2010, a coalition of security researchers worked to resist an Internet borne attack carried out by malicious software known as Conficker.” Unfortunately, as significant as this is to a cybercrime, the taskforce was not completely successful as controlling the virus due to the complexity of the malware.

While the Conficker Worm is a significant computer crime to learn, there are also three reasons that make the Conficker Worm case useful to study. First, the Conficker Worm case is useful due to the complexity of the malware. Shin et al. (2011) found that “the botnets of the Conficker worm are so diverse and complex that it makes this worm state-of-the-art” (p. 1). As the overview of the case highlighted, there are five variants of this worm, which increases the level of difficulty for researching this malware. Furthermore, Schwartz (2012) explained that once a computer is infected with the Conficker virus, the worm can remain dormant until it has access to the credentials that it needs to infiltrate the operating system. Nevertheless, if researchers can determine how to stop this intricate worm, then they should be able to apply their findings and protect computers with anti-malware software that is either similar in strength or weaker.

Next, the Conficker Worm is a useful criminal act to study since operating systems are still vulnerable to an attack from this malware. Elseiver Ltd. (2009) stated, “While the media storm surrounding the Conficker Worm may have died down, the problem of this particularly pernicious malware is far from over.” Although the Conficker Worm does not receive as much attention today as it did several years ago, the virus is still out there and it can attack vulnerable computers. Jose Nazario, a researcher with the Conficker Working Group, explained they are still working to try to find “Conficker’s master, as the problem is that the botnet’s operators have stayed away from Conficker and have not tried to reclaim it” (Rayworth, 2012). Therefore, the key to controlling this malware is still unknown, which leads many operating systems with either dormant Conficker viruses or the susceptibility to be invaded by the worm.

The third and final reason that makes studying the Conficker Worm case useful is that it can help computer users learn how to prevent their operating systems from being infiltrated by the malware. As previously reported, most computers are attacked by the Conficker Worm when antivirus software fails and a firewall has been penetrated. Fortunately, Microsoft (2013) offers several tips for preventing the Conficker Worm virus from attacking a computer or operating system. These prevention methods include using strong administrator passwords for all computers, making sure that all computers and operating systems have the latest security updates applied, and removing rights for sharing information on a computer (Microsoft, 2013). Learning and applying these prevention methods to an operating system should protect a computer from being attacked by this malware.

Overall, the Conficker Worm is a computer crime that is still affecting many users today. Despite efforts by Microsoft, researchers, and the government to control the virus, the Conficker Worm is an important criminal act to study since it continues to infect computers and databases throughout the world. While this case study is significant since governments were under attack from malware, the virus questioned the strength and reliability of internet software, and it led to the creation of a task force to eliminate the virus, it is also useful to study this complex worm in order to protect operating systems across the world. Nonetheless, it appears that the reward for the creators of the Conficker Worm is still available, and the chance of being infiltrated with this malware is also probable.

References

BBC. (2010). Conficker virus hits Manchester Police computers. Retrieved from http://news.bbc.co.uk/2/hi/uk_news/england/manchester/8492669.stm.

Bortnik, S. (2010). Conficker by the numbers. Retrieved from http://www.eset.com/us/resources/white-papers/EsetWP-ConfickerByNumbers.pdf

Burton, K. (2013). The Conficker Worm. SANS. Retrieved from http://www.sans.org/security-resources/malwarefaq/conficker-worm.php.

Carr, J. (2012). Inside cyber warfare (2nd ed.). Sabastopol, CA: O’Reilly Media, Inc.

Conficker Working Group. (2011). Conficker working group lessons learned document. Retrieved from http://www.confickerworkinggroup.org/

DHS. (2009). DHS releases Conficker/Downadup computer worm detection tool. Retrieved from http://www.dhs.gov/news/2009/03/30/confickerdownadup-computer-worm-detection-tool-released.

Elseiver Ltd. (2009). Bonn discovers partial solution to Conficker infections. Network Security,(7), 2. doi:10.1016/S1353-4858(09)70083-2

Finkle, J. (2009). Conficker virus begins to attack PCs. Retrieved from http://www.reuters.com/article/2009/04/24/us-security-virus-idUSTRE53N5I820090424.

Grigonis, R (2009). Microsoft's $5,000,000 reward for the Conficker Worm creators. TMC News. Retrieved from http://ipcommunications.tmcnet.com/topics/ip-communications/articles/50562-microsofts-5000000-reward-the-conficker-worm-creators.htm

Iuzumaki. (2011). Case study: Conficker worm. Iforensic. Information Security and Computer Forensic. Retrieved from http://iforensic.wordpress.com/2011/11/05/case-study-conficker-worm/

McMillan, R. (2010). After One Year, 7 Million Conficker Infections. PC World, 28(1), 44.

Microsoft. (2013). Virus alert about the win 32/Confiker worm. Retrieved from http://support.microsoft.com/kb/962007.

Ok-Ran , J., Chulyun, K., Won, K., & Jungmin, S. (2011). Botnets: Threats and responses. International Journal of Web Information Systems, 7(1), 6 – 17. Retrieved from http://www.emeraldinsight.com/journals.htm?articleid=1917522.

Piscitello, D. (2010). Conficker summary review. Retrieved from https://www.google.com/

Porras, P. (2009). An analysis of confiker. SRI International. Retrieved from http://cs.uno.edu/~dbilar/11CSCI6621NetworkSecurity/04.22.11.BotnetsConficker.CSCI6621/FEA-402_FINAL.pdf.

Rayworth, D. (2012). Conficker Working Group claims that people are still being infected. SCMagazine. Retrieved from. http://www.scmagazineuk.com/conficker-working-group-claims-that-people-are-still-being-infected/article/263374/.

Schmidt, A. (2012) At the boundaries of peer production: The organization of Internet security production in the cases of Estonia 2007 and Conficker. Telecommunications Policy, 36 (6), 451-461. Retrieved from http://dx.doi.org/10.1016/j.telpol.2012.02.001.

Schwartz, M. (2012). 8 reasons confiker malware won’t die. Retrieved from http://www.informationweek.com/security/vulnerabilities/8-reasons-conficker-malware-wont-die/232901154.

Shin, S., Gu, G., Reddy, N., & Lee, C.P. (2011). A large-scale empirical study of Conficker. Retrieved from http://people.tamu.edu/~seungwon.shin/Shin_TIFS12_Conficker.pdf

Willsher, K. (2009). French fighter planes grounded by computer virus. The telegraph. Retrieved from http://www.telegraph.co.uk/news/worldnews/europe/france/4547649/French-fighter-planes-grounded-by-computer-virus.html