Page 165 - CDM-CYBER-DEFENSE-eMAGAZINE-December-2018
both the public and private sectors to share intelligence and work to mitigate the threat together,
something the industry continues to embrace today. We saw the positive impact that different groups
working together can have on quickly remediating a threat. Allowing experts to communicate with each
other rather than remaining in silos focused on their individual work is critical.
One such technique that the Conficker Working Group collectively used to disrupt the malware was
sinkholing. Sinkholing is a technique for taking control of domains that the malware is going to use.
Beyond cutting off the malware's ability to fetch commands from the remote server, it allowed the
researchers to collect and analyze telemetry about the spread of the worm. It was by reverse
engineering the Domain Generation Algorithm (DGA), which the malware used to select a different
domain each day, that the researchers were able to predict those domains ahead of time and use the
sinkholing technique to proactively take them over.
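The defender-side workflow described above, as an added example that is not part of the original article: a reverse-engineered DGA is run forward to list the domains the malware will try on future days, and DNS queries are matched against that list. The DGA here is a constructed, date-seeded toy (not Conficker's real algorithm), and the resolver log lines are constructed sample data; the function and parameter names are assumptions for this illustration.

```python
import hashlib
from datetime import date, timedelta

# Toy date-seeded DGA, constructed for this example. It is NOT Conficker's
# algorithm; it only reproduces the property the text relies on: every
# infected host derives the same short list of domains for a given day.
def toy_dga(day, seed="example-seed", count=3, tld="example"):
    domains = []
    for i in range(count):
        digest = hashlib.sha256(f"{seed}:{day.isoformat()}:{i}".encode()).hexdigest()
        domains.append(f"{digest[:12]}.{tld}")
    return domains

# Once the DGA is understood, a defender can run it forward to list the
# domains the malware will try on each future day. Registering those names
# in advance is what turns them into sinkholes.
def predict_domains(start, days_ahead, **dga_kwargs):
    table = {}
    for n in range(days_ahead):
        day = start + timedelta(days=n)
        for dom in toy_dga(day, **dga_kwargs):
            table[dom] = day
    return table

# Constructed resolver log lines: "<timestamp> <client-ip> <queried-name>".
# Two hosts query toy DGA domains; one host only queries legitimate names.
HIT_DAY = date(2018, 12, 1)
SAMPLE_DNS_LOG = [
    f"2018-12-01T09:14:02Z 10.0.3.17 {toy_dga(HIT_DAY)[0]}",
    "2018-12-01T09:14:05Z 10.0.3.17 www.example.org",
    f"2018-12-01T09:15:11Z 10.0.7.42 {toy_dga(HIT_DAY)[2]}",
    "2018-12-01T09:16:00Z 10.0.9.8 updates.example.net",
    f"2018-12-01T09:16:30Z 10.0.3.17 {toy_dga(HIT_DAY)[1]}",
]

def parse_dns_line(line):
    ts, client, qname = line.split()
    # Normalise case and a trailing dot so lookups match the predicted table.
    return ts, client, qname.lower().rstrip(".")

# Match queried names against the predicted-domain table. A sinkhole sees
# these lookups arriving from the outside (telemetry on the spread); an
# internal resolver log gives the same signal and names the infected host.
def find_dga_lookups(log_lines, predicted):
    hits = {}
    for line in log_lines:
        _ts, client, qname = parse_dns_line(line)
        if qname in predicted:
            hits.setdefault(client, set()).add(qname)
    return hits

if __name__ == "__main__":
    table = predict_domains(HIT_DAY, 7)
    for client, names in find_dga_lookups(SAMPLE_DNS_LOG, table).items():
        print(client, sorted(names))
```

Because the DGA is deterministic given the date, the same table can be handed to the registrar (to sinkhole the domains) and to the SOC (to flag internal hosts that resolve them), which is exactly why reverse engineering the algorithm was the enabling step.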
Conficker also set a precedent in other areas. For example, Microsoft announced a bounty for information
on the creators of this worm, something which had not been done before. Yet now, bounties for
information on new zero-days have become commonplace, with many organizations offering their own
bounty programs that promise rewards ranging from money to air miles.
Innovation was key in the successful discovery and response to this threat. The method that was
developed by the Trustworthy Computing group to identify unknown zero-days was ahead of its time and
allowed us to learn about MS08-067 early. If this method for analyzing crash reports hadn’t been
developed, then MS08-067 may have been discovered much later when exploits were much more
prevalent. As simple as this advice may seem, Conficker also demonstrated the importance of making
sure users patch their machines quickly, which can eliminate the risk of being impacted by known exploits.
Many organizations also benefit from using scanning solutions and patch management from third-party
vendors that can help them scan their entire environment and identify cases where there is insufficient
patching.
Cybercriminals learned a different lesson from the incident. Today, most malicious hackers try not to
draw attention to themselves, using more discreet methods, such as Trojan horses, and smaller, more
targeted attacks. It would also be accurate to say that "wormable" vulnerabilities like the one Conficker
exploited are now incredibly rare in popular software such as Microsoft Windows, meaning cybercriminals
have had to turn to alternative methods and attack techniques. Examples include exploit kits, developed
by cybercriminals to ease the task of infecting large numbers of computers, as well as malvertising, server
compromise and various social engineering tricks.
What We Learned
Although the machines infected as a result of Conficker were not used in a major cyberattack, it continues
to impact us today. A decade later, Conficker can still be found on networks, infecting unpatched
computers. As recently as 2016, it seemingly rose from the dead to hijack Internet-connected medical
devices in hospitals and help steal patient data. As long as organisations have legacy machines
connected to the Internet that are not properly patched, it will continue to spread, albeit at a slower pace