The Conficker worm has been making headlines for several months, thanks to periodic refresh cycles that have shifted both its attack vectors and its behavior once inside a system. Part of what makes the worm unique is that it takes advantage of a security flaw Microsoft had actually patched several months prior; any system with the MS08-067 security update was immune to Conficker.A’s initial attack. It’s been theorized that the worm initially latched on to a relatively small group of enterprise computers with long patch update cycles; researchers are now combing through data from the earliest stages of the worm’s existence, attempting to find the system or group of simultaneously infected systems that represent a digital Patient Zero.
The University of Michigan is using data from a series of darknet monitoring sensors first put in place by the Department of Homeland Security six years ago. When Conficker scans for potential victims—specifically, systems that haven’t patched MS08-067—it does so in a particular way that can be (and presumably was) picked up when the worm first activated. Finding that first querying signal into the depths of cyberspace requires the analysis of a vast amount of information—PC World reports the team expects to search some 50TB of data to discover what it’s looking for.
The only reason it’s possible to do this kind of analysis on Conficker is because the worm did not include code aimed at blocking the DHS’ sensor network. Jon Oberheide told PC World that Conficker’s oversight was an unexpected break. “We were kind of surprised that it did this completely random scan, and didn’t blacklist our particular sensors,” Oberheide said. “If they’d done a little bit of research, they could have discovered our [network].”
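The detection idea behind the sensors above is simple: a darknet is unused address space, so any packet arriving there is unsolicited, and a source that touches many distinct darknet addresses on the port the exploited service listens on is scanning. The following is an added example, not code from the article or from the University of Michigan team, that runs that logic over a few constructed sensor records. It assumes a `timestamp src dst proto dport` record format (hypothetical; the real sensor format is not described), that MS08-067 is reached over SMB on TCP/445 (true of the Windows Server service bug that update fixed), and it keys on distinct targets rather than packet counts, which is what separates a random scan spread across a telescope from one misconfigured client hammering a single address.

```python
"""
Darknet (network telescope) scan detection over constructed sensor records.
Added example; not the article's or the research team's code.
Assumptions (labelled): record format "timestamp src dst proto dport",
darknet given as a CIDR string, scanner signal is TCP/445 to many distinct
darknet addresses (MS08-067 is the SMB/TCP 445 Server service flaw).
"""
from collections import defaultdict
import ipaddress

SMB_PORT = 445

# Constructed sample records, not real sensor data. 198.51.100.7 sweeps the
# darknet on 445; 192.0.2.20 hits one address twice on 80; one line is malformed.
SAMPLE_RECORDS = """\
1225584000 198.51.100.7 203.0.113.1 TCP 445
1225584000 198.51.100.7 203.0.113.55 TCP 445
1225584001 198.51.100.7 203.0.113.200 TCP 445
1225584001 198.51.100.7 203.0.113.9 TCP 445
1225584002 198.51.100.7 203.0.113.130 TCP 445
1225584002 198.51.100.7 203.0.113.77 TCP 445
1225584003 192.0.2.20 203.0.113.3 TCP 80
1225584003 192.0.2.20 203.0.113.3 TCP 80
1225584004 192.0.2.44 203.0.113.10 UDP 53
1225584005 198.51.100.7 203.0.113.250 TCP 445
1225584006 not-an-ip 203.0.113.11 TCP 445
"""


def parse_records(text):
    """Parse sensor lines into dicts; malformed lines are skipped, not fatal."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        ts, src, dst, proto, dport = parts
        try:
            records.append({
                "ts": int(ts),
                "src": ipaddress.ip_address(src),
                "dst": ipaddress.ip_address(dst),
                "proto": proto.upper(),
                "dport": int(dport),
            })
        except ValueError:
            continue  # bad address or number: drop the line
    return records


def smb_scanners(records, darknet_cidr, min_targets=5):
    """Map each source to its count of distinct darknet addresses probed on
    TCP/445, keeping only sources at or above min_targets. Distinct targets,
    not packet volume, is the scan signal."""
    darknet = ipaddress.ip_network(darknet_cidr)
    targets = defaultdict(set)
    for r in records:
        if r["proto"] == "TCP" and r["dport"] == SMB_PORT and r["dst"] in darknet:
            targets[r["src"]].add(r["dst"])
    return {str(src): len(dsts) for src, dsts in targets.items()
            if len(dsts) >= min_targets}


def first_seen(records, src):
    """Earliest timestamp at which src touched the sensor: the same question
    the researchers ask of their archive when hunting for the first infection."""
    stamps = [r["ts"] for r in records if str(r["src"]) == src]
    return min(stamps) if stamps else None


if __name__ == "__main__":
    recs = parse_records(SAMPLE_RECORDS)
    for src, n in smb_scanners(recs, "203.0.113.0/24").items():
        print(f"{src}: {n} distinct darknet targets on TCP/445, "
              f"first seen {first_seen(recs, src)}")
```

Scaling this to the 50TB archive the article mentions is a matter of streaming the records rather than holding them in memory, but the per-source logic stays the same: the earliest timestamp among sources that exhibit the sweep pattern is the candidate for Patient Zero.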