Conficker A appears

A worm exploiting MS08-067 has emerged. The initial variant — being called Conficker, Downadup, or Kido depending on the source — appeared earlier this week and is propagating rapidly. Its trajectory so far matches earlier post-patch worm waves, and the operational lessons from those waves apply.

This is a longer post because the worm is significant and the structural patterns deserve treatment.

What Conficker A does

The technical mechanism combines several elements that have emerged separately over recent years.

MS08-067 exploitation for propagation. The worm scans for hosts vulnerable to the Server Service vulnerability and exploits them to install itself. Propagation is automatic; no user action is required.

Removable-media propagation. The worm copies itself to removable drives and shares (USB sticks, network shares), adding autorun.inf entries. Connecting an infected USB stick to a clean host runs the worm.

Network-share propagation. The worm attempts to spread to administrative shares using weak passwords; dictionary attacks against ADMIN$ and similar shares give it an additional propagation path.

Domain-generation algorithm for command-and-control. The worm generates pseudo-random domain names (250 per day) and attempts to connect to them for command-and-control updates. The DGA approach is structurally different from earlier hardcoded-domain or peer-to-peer architectures.

Anti-detection features. Anti-debugging checks, anti-virtualisation checks, and patches to the Windows DNS lookup path that block antivirus update domains. The engineering effort behind all of this is substantial.

The combination is structurally novel. The DGA approach is the most significant single innovation, but it is the combined engineering across all of these properties that makes the worm operationally durable.

Why the DGA approach matters

Three observations.

The traditional takedown approach does not work directly. Earlier worms used hardcoded command-and-control domains that could be taken down through registrar coordination. The DGA approach generates 250 new domains per day, so taking down any particular subset of them is insufficient.

The defensive response requires DGA prediction. Defenders can compute the same pseudo-random domains the worm generates, and registering those domains first (sinkholing) can disrupt command-and-control. This is operationally feasible but requires sustained discipline, because a fresh set of domains appears every day.

The botnet population becomes operationally durable. A worm with DGA-based command-and-control that has reached substantial size is structurally hard to dismantle; its operators may continue to extract value from the population for years.

The longer trajectory: bot architecture continues evolving toward decentralisation. DGA, peer-to-peer, fast-flux DNS: each generation defeats the defensive responses to the previous one.

What is happening

The pattern from the past few days:

Substantial early propagation. Estimated infected hosts are already in the hundreds of thousands, and growth is rapid.

High-profile compromises are emerging. Organisations with unpatched Windows infrastructure have surfaced internal infections; cleanup is in progress.

Industry coordination is forming. Researchers and defensive infrastructure operators are coordinating around DGA prediction and sinkholing; those operations may bound the overall impact.

The net effect: a substantial worm event in the pattern of Sasser, Blaster and Zotob, but with architectural innovations that may make the response harder.

What operators should do

For organisations running Windows infrastructure:

Apply MS08-067 if not already applied. The vulnerability is the entry point; patched hosts cannot be infected through it, though the removable-media and share paths above still apply to them.

Disable autorun for removable media. Group Policy settings disable the autorun behaviour that supports USB-based propagation; applying them consistently across the estate is what matters.

Strengthen administrative-share passwords. Weak passwords on admin shares support the dictionary-attack propagation path; strengthening them reduces the attack surface.

Block known Conficker C&C domains. Security researchers are maintaining domain lists; blocking them at the DNS or web-proxy level disrupts compromised hosts' command-and-control, and logging the blocked lookups shows which internal hosts are attempting them.

Audit for compromised hosts. Signatures are widely available; monitoring with them identifies internal compromise.
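As an added example (not from the original post, and not Conficker's actual generator), a constructed date-seeded DGA with the 250-domains-per-day property described in the DGA section above, used for the defender-side steps from that section and from the blocking and audit steps here: compute the day's predicted list, then match DNS log lines against it. The generator itself, the TLD set, the log format and the sample hosts are all assumptions.

```python
"""Toy date-seeded DGA prediction plus DNS-log matching (constructed example).

NOT Conficker's real algorithm: it only reproduces the property the post
describes (250 pseudo-random domains per day derived from the date), so the
defender-side steps can be shown: compute the day's list, then check DNS logs.
"""
import datetime
import hashlib
import re

TLDS = ("com", "net", "org")   # assumption: small fixed TLD set for the toy generator
DOMAINS_PER_DAY = 250          # the per-day figure the post gives for Conficker A
EXAMPLE_DAY = datetime.date(2008, 11, 23)   # constructed sample date


def daily_domains(day):
    """Derive the day's domain list; worm and defender compute the same list."""
    seed = day.isoformat().encode()
    domains = []
    for i in range(DOMAINS_PER_DAY):
        digest = hashlib.sha256(seed + i.to_bytes(2, "big")).digest()
        length = 8 + digest[0] % 4                      # 8..11 letter labels
        label = "".join(chr(ord("a") + b % 26) for b in digest[1:1 + length])
        domains.append(f"{label}.{TLDS[digest[0] % len(TLDS)]}")
    return domains


LOG_RE = re.compile(r"^(\S+) (\S+) query: (\S+)$")   # "<timestamp> <client> query: <name>"


def match_dns_log(lines, day):
    """Audit step: (client, domain) pairs whose lookup is on the day's predicted list."""
    predicted = set(daily_domains(day))    # the same set is the DNS/proxy blocklist
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m:
            name = m.group(3).lower().rstrip(".")   # resolvers often log a trailing dot
            if name in predicted:
                hits.append((m.group(2), name))
    return hits


def sample_log(day):
    """Constructed DNS log: two benign lookups and one hit on the day's list."""
    stamp = day.isoformat() + "T10:01:02"
    hit = daily_domains(day)[7]
    return [
        f"{stamp} 10.0.0.5 query: www.example.com",
        f"{stamp} 10.0.0.9 query: {hit}.",
        f"{stamp} 10.0.0.5 query: update.example.net",
    ]
```

Because the list is a pure function of the date, the same `daily_domains()` output can be generated days ahead, which is what sinkhole pre-registration and proactive blocklists rely on.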

For organisations with significant Windows 2000 estates:

The migration urgency continues. Windows 2000 hosts that cannot be patched (because of compatibility constraints) are particularly exposed, and the trajectory points toward continued worm-targeting of older Windows versions.

What I am observing at Gala Coral

The general pattern (with appropriate confidentiality):

Patching held. No internal compromise from the worm to date.

Scan activity is elevated. Inbound scanning has spiked; the patterns match Conficker propagation.

Industry coordination is operational. Specific cumulative cross-operator information sharing has been substantive across the past several days.

The mature operational discipline produces bounded operational impact during incidents like this.

What I am paying attention to

Three things over the next several weeks.

Cumulative scope of Conficker propagation. This is the specific tracking metric. The worm is likely to grow substantially before defensive responses bound it.

Subsequent variants. 95% probability. The worm authors will iterate; specific subsequent variants will appear.

Industry-coordination effectiveness. 60% probability of meaningful disruption. The DGA-prediction and sinkholing approach may produce measurable disruption; specific operational outcomes are uncertain.

For my own continued writing: continued tracking of Conficker. The cumulative archive grows.

More in time.
