Page 163 - CDM-CYBER-DEFENSE-eMAGAZINE-December-2018
Revisiting Conficker 10 Years Later

What we learned and how it’s still impacting us today

November marked the ten-year anniversary of one of the largest and most infamous self-replicating worms in modern computing history: Conficker. For those of you who may not remember, beginning in November of 2008, the self-replicating Conficker worm worked its way across the Internet, infecting Microsoft Windows operating systems in as many as 9 million enterprise, government and personal computers, spanning more than 190 countries. At the time, I was on the front lines in the battle working as a Senior Program Manager with the Microsoft Malware Protection Center (MMPC). The unique experience has impacted my approach to cybersecurity ever since, and I thought this milestone anniversary would be a good time to look back at this exploit, what it taught us and how it continues to impact the industry today.



Discovering the Vulnerability And Initial Response

The initial zero-day vulnerability was first detected by Microsoft’s Trustworthy Computing team, which had, at the time, recently developed a new method for using telemetry data from crash reports to identify and trace unknown exploits. Once the MMPC team was made aware of the vulnerability, which became known as MS08-067 and was classified as being “wormable”, meaning that its exploitation could be used for self-replicating malware without any user interaction, our goal was to inform and protect customers as quickly as possible, while at the same time collecting data to determine how far attacks were spreading. Microsoft issued an emergency, out-of-band security bulletin and a patch in October of 2008, but as with any exploit, the patch is only the beginning. We knew that once the zero-day knowledge was made publicly available, we were going to see a sharp increase in attacks. It was critical that we impress on our customers the severity of this vulnerability and urge them to update and protect their computers as quickly as possible.