Thursday, April 02, 2009

Conficker Malware's Security Lessons

All I read about the Conficker malware was that it carried sleeper instructions, to be unleashed on 1st April this year, that would either disrupt the Internet generally, steal proprietary information, or even attack the sites of selected businesses. Since that day passed without much visible effect, it is clear that this was either a red herring or that digital Armageddon has been postponed to a later date.

Farhad Manjoo's piece in Slate magazine dissects the worm quite clearly for a person without an in-depth understanding of how computer code is written or of the effects of worms generally. What emerges from it is that the worm was no doubt written by a set of people with cutting-edge skills who understand the inherent weaknesses of the Internet and the economics of the software industry. The malware relies on the fact that many PC users do not update their software as regularly as would be ideal. This behavioural failure then makes the propagation of this or any other malware nearly impossible to stop.

While Farhad does not stress it enough, it is also clear that a successful fight against piracy may actually predispose the Internet to contagion by malware like this. The reason is that pirated copies of most Microsoft software are unable to receive security patches. By keeping out the people who install pirated copies of software, the vast majority of whom are in low-income countries, the developers of Conficker can be sure of infecting at least the minimum number of PCs needed for the malware to proliferate to other machines.

To my mind, therefore, it becomes ironic that a mechanism designed to reduce software piracy is in turn leading to the unintended consequence of propagating software insecurity for all. This trade-off shows that the mechanism for responding to worms and viruses is demonstrably ineffective. As I stated in a blog post, it will not be useful to spend money on apprehending the developers of the malware. Instead, that money should be dedicated to preemptive action: determining the security gaps in ubiquitous software and operating systems so that they may be plugged.

But the clearest response now is to review the architecture for enhancing Internet security. Since the largest growth in Internet users will invariably come from the lower-income countries, the widespread use of pirated software there shows that no one is safe. As Bruce Schneier has argued convincingly in this post, it may be time to consider Internet security a public good and to subsidize its development. The reality of the industry's economics shows that no real incentive exists to develop more robust operating systems. In sum, the developers of the Conficker malware have merely demonstrated that the incentives of security software developers and of the developers of dominant operating systems are not aligned with improving overall security, and failure to heed this message will mean that the April Fool's joke is still due in the future.
