Conficker is the poster child for modern malware.
Its original incarnation in late 2008 exploited a vulnerability that had been patched a month earlier, but because many Windows users are slow to apply patches, it was extremely effective.
But its particular genius was the way it used a Windows feature called AutoRun, along with social engineering, to spread like wildfire. As the dialog box above shows, Conficker spread by infecting ubiquitous USB flash drives (another technology that didn’t exist at the beginning of the decade). It convinced unwary users to click an innocent-looking option in the AutoRun dialog box that appeared when a USB drive was inserted into a PC.
To add insult to injury, it then used a simple dictionary attack to find administrator accounts on the network that used pathetically weak passwords like letmein and 123456 and asdfgh and Admin. Turns out there are a lot of lazy admins out there.
Microsoft’s response in February 2009 included a $250,000 bounty for identifying the Conficker authors. It closed the USB AutoRun hole in the initial release of Windows 7 but didn’t deliver the equivalent patch as a Critical update for Windows XP and Vista until early 2011.
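The AutoRun fix described above amounts to a policy setting that administrators can also verify and enforce themselves. The following PowerShell script is an added example, not code from the original article or from Microsoft; it assumes the standard Explorer policy value NoDriveTypeAutoRun (a bitmask in which 0xFF disables AutoRun for every drive type) and the HKLM policy path shown, and it must be run from an elevated prompt to change the setting.

```powershell
# Added example: audit and harden AutoRun via the Explorer policy key (machine-wide).
# Assumption: NoDriveTypeAutoRun under the HKLM Policies\Explorer key; 0xFF = all drive types disabled.
$PolicyPath = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$ValueName  = 'NoDriveTypeAutoRun'
$Hardened   = 0xFF

function Get-AutoRunPolicy {
    # Returns the current bitmask, or $null when the value has never been set.
    $item = Get-ItemProperty -Path $PolicyPath -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$ValueName
}

function Test-AutoRunHardened {
    # True only when every drive-type bit is set, i.e. AutoRun is off for removable media too.
    $current = Get-AutoRunPolicy
    return ($null -ne $current) -and (($current -band $Hardened) -eq $Hardened)
}

function Set-AutoRunHardened {
    # Creates the policy key if needed and writes the fully disabled bitmask (requires elevation).
    if (-not (Test-Path $PolicyPath)) { New-Item -Path $PolicyPath -Force | Out-Null }
    New-ItemProperty -Path $PolicyPath -Name $ValueName -PropertyType DWord -Value $Hardened -Force | Out-Null
}

if (Test-AutoRunHardened) {
    Write-Output 'AutoRun is already disabled for all drive types.'
} else {
    $shown = Get-AutoRunPolicy
    if ($null -eq $shown) { $shown = 'not set' }
    Write-Output "AutoRun is not fully disabled (current value: $shown). Run Set-AutoRunHardened from an elevated prompt."
}
```

Group Policy sets the same value through "Turn off Autoplay" under Computer Configuration, so on a domain-joined machine the script is most useful as a compliance check that the policy actually landed.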
Microsoft and a loose amalgamation of security professionals called the Conficker Working Group shut down the Conficker botnet by taking over its command-and-control servers through legal processes. Today, there are still several million Conficker-infected PCs, but their ability to be controlled by evil forces is long gone.
Why did it take so long for Microsoft to include effective, free antivirus software as part of Windows? Blame the 2001 United States versus Microsoft antitrust settlement, which severely restricted the company's ability to bundle software with Windows if that software would compete with third-party products.
Through the decade, Microsoft slowly introduced various antimalware solutions. Windows Live OneCare was a paid product, and Windows Defender (included free with Windows Vista) blocked only adware and spyware.
Microsoft Security Essentials was the first free full-strength security product from Microsoft, based on the same engine as the enterprise-grade Forefront product. Its successor will be included by default in all editions of Windows 8, using the well-established Windows Defender brand name.
These closely related malware families, Zeus and SpyEye, represent a disturbing trend. Yes, there are competent programmers behind these Trojans, which specialize in stealing information about online banking accounts. (Brian Krebs has done an exceptional job of documenting the workings of these bad actors.)
But what’s new and different is that the malware authors have essentially franchised their work, selling the results as crimeware kits that even a non-programmer can use. Some experts estimate that the Zeus/SpyEye botnets have lifted more than $100 million from innocent victims.
Fortunately, a very aggressive worldwide legal effort led by Microsoft has taken out the most aggressive of these botnets, and the survivors have to be feeling a little nervous. Legal proceedings have become an increasingly effective part of Microsoft’s response to malware, especially in persistent cases like this.