A Strong Start
Conficker was first found in 2008 when it infected a number of honeypot networks. These networks are decoys that intentionally leave themselves open to malware so that new variants and programs released into the wilds of the Internet can be tracked. The worm exploited a vulnerability in the Windows service that listens on the port used for file and printer sharing. Even if a user never used these features, they were turned on by default, so the hole in the system stayed open.
Conficker was a bit worrying, primarily because of its odd behavior. It reproduced itself with great speed and without any input from the computer's owner. This meant that if one weak link in the chain was infected, every other unprotected computer in the network would soon have it too. It could even carry out dictionary password cracking automatically to get onto locked accounts. The malware was heavily encrypted, using a new protocol that only a small upper echelon of the tech community knew about. The worm was also quite small, barely larger than an average Word document, and didn't seem to have any explicit behaviors written into it, apart from a few odd traits.
Every day, the Conficker worm would generate a long list of domain names in a somewhat random fashion. Amongst hundreds of decoys, there might be a domain that was either owned by the worm's controller or infected and being used without the real owner's knowledge. The worm would run down the list it created and check for updates. If it found one of the right domains in its list, then it could install updates and potentially take new orders.
Normally, a daily list of domain names to check for updates and new orders would be a home run for the anti-virus group. Domain names can be monitored or shut down, and the list would offer the first real lead. Unfortunately, by padding the list with hundreds of innocent and apparently random domain names, and changing it every day, the worm could find and download its updates long before investigators could work out which domains were actually supplying the updates and take any action.
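To make the daily-list mechanism concrete, here is an added example, not the worm's code and not part of this article: a hypothetical date-seeded generator stands in for the real algorithm, and a defender-side check flags DNS queries that match that day's candidate list, which is only possible once the generator has been recovered. SEED, TLDS, the log format and the sample log lines are constructed assumptions.

```python
import hashlib
from datetime import date

# Constructed TLD set and seed; the real worm's parameters are not given on this page.
TLDS = ("com", "net", "org")
SEED = b"hypothetical-seed"

def daily_domains(day: date, count: int = 250) -> list[str]:
    """Hypothetical date-seeded generator: every host that knows SEED and the date
    derives the same candidate list, which is why defenders who recover the
    algorithm can compute tomorrow's domains before the worm asks for them."""
    domains = []
    for i in range(count):
        h = hashlib.sha256(SEED + day.isoformat().encode() + i.to_bytes(2, "big")).digest()
        length = 8 + h[8] % 5                      # 8..12 letters per label
        label = "".join(chr(ord("a") + b % 26) for b in h[:length])
        domains.append(f"{label}.{TLDS[h[13] % len(TLDS)]}")
    return domains

def flag_dga_lookups(log_lines, day: date):
    """Return (client, qname) pairs whose qname is in that day's candidate list.
    Constructed log format: '<timestamp> <client-ip> query <qname>'."""
    expected = set(daily_domains(day))
    hits = []
    for line in log_lines:
        parts = line.split()
        if len(parts) >= 4 and parts[2] == "query":
            qname = parts[3].rstrip(".").lower()
            if qname in expected:
                hits.append((parts[1], qname))
    return hits

# Constructed sample: two lookups drawn from the day's list and one benign lookup.
SAMPLE_DAY = date(2009, 4, 1)
_todays = daily_domains(SAMPLE_DAY)
SAMPLE_LOG = [
    f"2009-04-01T00:02:11 10.0.0.5 query {_todays[17]}.",
    "2009-04-01T00:02:12 10.0.0.7 query www.example.com.",
    f"2009-04-01T00:02:15 10.0.0.9 query {_todays[203]}",
]

if __name__ == "__main__":
    for client, qname in flag_dga_lookups(SAMPLE_LOG, SAMPLE_DAY):
        print(f"{client} resolved candidate domain {qname}")
```

Running the check against a different day's list yields no hits, which is the point: without the generator, the defender has nothing to compare against.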
It was also a fairly resilient program that hid itself well. It was designed not only to disable updates for standard security programs, but also to patch the very vulnerability it had used, so that lesser malware couldn't exploit it and raise suspicions. It even reset all of the system restore points to prevent a rollback. In short, it was a fairly hardy program.
The worst part, perhaps, was that analysis of the worm revealed that a major update, feared to be an "activation" code, was scheduled for April 1st, 2009. Since millions of computers were believed to be infected, this could be a major disaster for users and networks around the world.