Saturday, October 31, 2009

Conficker Hits the 7 Million Mark (and Computer Immune Systems)

Wow...Conficker has hit the 7 million infection mark. A year after being discovered, a security firm now estimates that it has infected 7 million computers.

Most system administrators aren't too surprised at this. Anyone running a system connected to the Internet with just about any kind of server sees hits in their logs from systems infected with various worms, many of which are years old and were patched back in the days of Windows 2000.

Conficker was a nasty but discoverable infection because in larger businesses and schools there are often security measures in place to stop users from brute-forcing account passwords. Brute-forcing means trying to break into Bob's account by using his username and guessing his password: sit there long enough trying either guessed passwords (bobpassword, god, mypassword, ...) or every combination of the alphabet (a, aa, aaa, ... abb, abc, abd, ...) and eventually you get the password. Most corporations place a limit on the number of times you can get your password wrong before the account is locked out and the user must call their IT department to reset it.

One method of spreading used by Conficker is to try random accounts and then fire away with a password brute-force attack against them, so the school, business, or government agency suddenly finds most of its users locked out of their computer accounts. Of course this is a gross simplification; the Wikipedia article linked at the beginning of the post goes into detail on how this works and which variants used these methods.
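The lockout symptom described above, seen from the defender's side, as an added example that is not part of the original post: a small detector over constructed authentication log lines (the log format, timestamps and host addresses are invented) that separates a user who mistyped his password once from a source walking through many accounts, and lists the accounts that crossed the lockout threshold.

```python
import re
from collections import defaultdict

# Constructed sample log lines in a made-up format (not real Conficker traffic):
# one host fails against six different accounts in quick succession, while
# Bob himself mistypes once from his own machine and then logs in.
SAMPLE_LOG = """\
2009-10-31T02:14:01 AUTH_FAIL src=10.0.5.23 user=bob
2009-10-31T02:14:01 AUTH_FAIL src=10.0.5.23 user=bob
2009-10-31T02:14:02 AUTH_FAIL src=10.0.5.23 user=bob
2009-10-31T02:14:02 AUTH_FAIL src=10.0.5.23 user=alice
2009-10-31T02:14:03 AUTH_FAIL src=10.0.5.23 user=alice
2009-10-31T02:14:03 AUTH_FAIL src=10.0.5.23 user=carol
2009-10-31T02:14:04 AUTH_FAIL src=10.0.5.23 user=dave
2009-10-31T02:14:04 AUTH_FAIL src=10.0.5.23 user=erin
2009-10-31T02:14:05 AUTH_FAIL src=10.0.5.23 user=frank
2009-10-31T02:15:10 AUTH_FAIL src=10.0.7.4 user=bob
2009-10-31T02:15:40 AUTH_OK   src=10.0.7.4 user=bob
"""

LINE_RE = re.compile(r"^(\S+) (AUTH_FAIL|AUTH_OK)\s+src=(\S+) user=(\S+)$")

def parse(log_text):
    """Yield (timestamp, outcome, src, user) for each well-formed line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groups()

def analyse(log_text, lockout_threshold=3, spray_accounts=5):
    """Return (locked_accounts, noisy_sources).

    locked_accounts: users whose failures reached lockout_threshold (the
    policy the post describes).  noisy_sources: sources whose failures hit
    at least spray_accounts distinct users, the worm-like pattern of walking
    through accounts rather than attacking one.
    """
    fails_per_user = defaultdict(int)
    users_per_src = defaultdict(set)
    for _ts, outcome, src, user in parse(log_text):
        if outcome != "AUTH_FAIL":
            continue
        fails_per_user[user] += 1
        users_per_src[src].add(user)
    locked = sorted(u for u, n in fails_per_user.items() if n >= lockout_threshold)
    noisy = sorted(s for s, us in users_per_src.items() if len(us) >= spray_accounts)
    return locked, noisy

if __name__ == "__main__":
    print(analyse(SAMPLE_LOG))  # (['bob'], ['10.0.5.23'])
```

Lockout is counted per account regardless of source, which is exactly why a spraying host locks out legitimate users; the per-source count is what tells the administrator which machine is infected.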

So how is it that a worm with known signatures, with known patches, and with antivirus vendors and Microsoft itself knowing how to remove it (Microsoft with its own Malicious Software Removal Tool) is still so virulent in the wild?

Several reasons are possible. One is that many of the infections are on pirated copies of Windows that are locked out of getting Windows Updates from Microsoft. Pirates don't tend to care how their behavior affects other users, as long as they get their free fix of software to run their favorite titles.

Another is that users are simply ignorant about keeping their systems updated. Despite the efforts to automate Windows Update and make users pay attention to updating their systems, I still run into systems running old and outdated software, like the recent case where a system on our corporate LAN, configured by an outside agency, was running a "release candidate" (read: beta) of Service Pack 3; after remedying that, the PC was slammed with waiting post-SP3 updates. Home users are worse: they usually turn off their computers when not in use, so updates cannot run overnight as they're usually automated to do (nor can the automated antivirus scans that many products default to), or dialup users turn off their connection to the Internet so updates can't run.

Even when updating is automated, there are plenty of cases I run into where bugs and glitches in Microsoft's own updates end up breaking Windows Update, or where installing update C means needing updates A and B installed first. Often I've had Windows say it's done with update A until it's rebooted...then it starts downloading update B, while the user thought he was completely up to speed with fixes.

In other words, a home user needs to be diligent in keeping his system up to date and monitoring it for odd behavior. Most aren't. They expect their computer to be like a car or TV: an appliance that doesn't need any updating unless it directly affects them, such as not being able to run the latest video game until they install a new driver. Since they're not interested in learning how to use their computer responsibly, they write off such things with "I'm not a computer person" (which still doesn't stop them from using it).

Meanwhile these home users and ignorant corporate IT departments that don't maintain their systems are busy slamming other people on the Internet with their infected systems. It doesn't bother them that worms like Conficker are designed to take remote control of their computer for attacking other targets on the network (such as launching a denial of service attack against a business) or stealing their personal banking information. As long as they can surf the web, read their email and play video games, they're happy.


Until computers gain some ability to use a self-protection system akin to an immune system, invisible to the user and not requiring (or at least not depending on) online updates in order to heal, people will continue to blithely spread years-old worms and viruses. It's a sad state of affairs, and yet another reason I hesitate to recommend an IT-centered career to new people at this point (many of whom, I've found, are also spreading computer viruses through the same self-centered attitudes toward using their computers).
