Conficker: ~687 Days Later presented at ZaCon 2

by Barry Irwin (Rhodes University)

Tags: Security Deep Knowledge

Summary: This talk examines the growth and evolution of the Conficker worm, released on 21 November 2008, exploiting the MS08-067 vulnerability in the Microsoft RPC/DCOM stack. Nearly two years after the initial mass infection there are still in excess of 7 million infected systems. While the Conficker Working Group has done much to foster an understanding of the worm, and of the resulting botnet, there are still a myriad of unanswered questions. We present a detailed analysis of the initial outbreak, looking at the geopolitical origins of the scanning (and possible target pre-selection) and worm spread in the days leading up to and following the recognised launch date of Nov 21st. An overview is given of the following two years of traffic, looking at both geopolitical and topological origins: where are the infected hosts living in the physical and digital realms? We conclude with a comparison with 5 years of SQL Slammer data, showing the natural extinction phase that this 2003 malware is in. When will the Conficker extinction start?

Data used for this analysis is collected using two passive network telescopes located at Rhodes University, augmented with a large dataset collected during November 2009.
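The kind of aggregation the abstract describes (distinct scanning hosts per day around the launch date, and where those hosts sit topologically) can be sketched in a few functions. The following is an added example, not code from the talk or from the Rhodes University telescopes: the log lines are constructed from RFC 5737 documentation addresses, the record layout is invented for the example, and the focus on TCP/445 is an assumption based on MS08-067 being reached over SMB. The parser deliberately drops malformed lines, since a telescope collects plenty of backscatter and junk alongside the scans of interest.

```python
"""Aggregate passive network-telescope records by day and by source prefix.

Added example in the spirit of the talk's analysis; the sample records below
are constructed and are not Rhodes University telescope data.
"""
from collections import Counter, defaultdict
from datetime import date, datetime
import ipaddress

# Recognised Conficker launch date, as given in the abstract.
LAUNCH_DATE = date(2008, 11, 21)
# Assumption: MS08-067 is exploited over SMB, so TCP/445 is the port of interest.
TARGET_PORT = 445

# Constructed records in an invented layout: "<ISO timestamp> <src IP> <dst port> <proto>".
# Two deliberately malformed lines are included to exercise the parser's filtering.
SAMPLE_LOG = """\
2008-11-19T02:11:40 203.0.113.5 445 tcp
2008-11-19T09:47:02 198.51.100.17 445 tcp
2008-11-20T14:03:55 203.0.113.5 445 tcp
2008-11-20T18:22:10 192.0.2.99 80 tcp
corrupt record
2008-11-21T00:05:31 203.0.113.77 445 tcp
2008-11-21T00:06:12 198.51.100.17 445 tcp
2008-11-21T03:40:09 198.51.100.200 445 tcp
2008-11-21T11:12:48 192.0.2.14 445 tcp
2008-11-21T12:00:00 not.an.ip 445 tcp
2008-11-22T05:00:00 203.0.113.77 445 tcp
2008-11-22T05:00:01 203.0.113.78 445 tcp
2008-11-22T07:30:27 198.51.100.3 445 tcp
2008-11-22T09:15:44 192.0.2.14 1434 udp
"""


def parse_records(text):
    """Parse log lines into (timestamp, source, port, proto) tuples, skipping malformed ones."""
    records = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 4:
            continue  # wrong field count: not a record we understand
        ts_text, src, port_text, proto = fields
        try:
            ts = datetime.fromisoformat(ts_text)
            src_ip = ipaddress.ip_address(src)
            port = int(port_text)
        except ValueError:
            continue  # bad timestamp, address or port: drop the line
        records.append((ts, src_ip, port, proto.lower()))
    return records


def exploit_traffic(records, port=TARGET_PORT, proto="tcp"):
    """Keep only flows aimed at the vulnerable service."""
    return [r for r in records if r[2] == port and r[3] == proto]


def unique_sources_per_day(records):
    """Distinct scanning hosts seen per UTC day: the basic growth curve."""
    seen = defaultdict(set)
    for ts, src, _, _ in records:
        seen[ts.date()].add(src)
    return {day: len(hosts) for day, hosts in sorted(seen.items())}


def sources_per_prefix(records, prefixlen=8):
    """Distinct sources per network prefix: the topological ('digital realm') view."""
    hosts = defaultdict(set)
    for _, src, _, _ in records:
        net = ipaddress.ip_network(f"{src}/{prefixlen}", strict=False)
        hosts[str(net)].add(src)
    return Counter({net: len(h) for net, h in hosts.items()})


def split_around_launch(per_day, launch=LAUNCH_DATE):
    """Sum of daily unique sources strictly before the launch date versus on or after it."""
    before = sum(n for d, n in per_day.items() if d < launch)
    after = sum(n for d, n in per_day.items() if d >= launch)
    return before, after


if __name__ == "__main__":
    recs = exploit_traffic(parse_records(SAMPLE_LOG))
    per_day = unique_sources_per_day(recs)
    for day, n in per_day.items():
        print(day, n)
    print(sources_per_prefix(recs).most_common())
    print("before/after launch:", split_around_launch(per_day))
```

Counting distinct sources rather than raw packets matters here: one aggressive host can emit thousands of probes a day, so packet totals say more about a few loud scanners than about how many machines are infected. Swapping the /8 grouping for an AS or country lookup gives the geopolitical view the abstract refers to.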

Barry Irwin: Barry Irwin (bvi) cut his teeth on IP before the net went commercial and VAXes still roamed the ether. He has been called a *nix greybeard (despite the fact that he still has no grey hairs). In a past life he worked as a global firewall admin and network engineer, and currently herds cats^W^W erm, grad students at Rhodes University in the wilds of the Eastern Cape, where he heads up the Security and Networks Research Group. For the last few years his gaze has been directed at the topic and application of network telescopes. He is a zealous believer in the fact that packets don't lie, people (and by extension applications) do, and goes about his days without owning a Mac. He prefers using operating systems that have Horns.