Attacks/Breaches

12/7/2017
05:20 PM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%

Conficker: The Worm That Won't Die

More than nine years after it infected millions of systems worldwide, the malware continues to be highly active, according to a Trend Micro report.

The Conficker worm has become the malware that just won't die.

More than nine years after it was first spotted in 2008, the worm continues to be detected by anti-malware systems with enough regularity to suggest that it remains a potent threat for organizations, especially those in the manufacturing, healthcare, and government sectors.

In a report released this week, security vendor Trend Micro, which also calls the worm Downad, says its software has so far detected and blocked the malware some 330,000 times this year. That number is roughly consistent with Trend Micro's 300,000 Conficker detections in 2016 and the 290,000 or so in 2015.

The detection rates are well below Conficker's peak rates, when it was still young and new. In 2008, when it first appeared in the wild, Conficker infected an impressive 9 million systems worldwide, making it one of the most prolific malware samples of the year.

Even four years later, in 2012, Conficker notched up more than 2.5 million victims, putting it in the top malware category for that year, Trend Micro says. Since then, the number of infections has dropped substantially over the years as people have switched to more modern operating systems and better security tools. Still, in the past few years Conficker detections have held steadily at well over 20,000 per month, indicating it is still highly active.

No other malware has displayed this sort of longevity at this scale, says Jon Clay, director of global threat communications for Trend Micro. "Conficker seems to be the worm that won't go away. It almost seems like it is self-generating and self-propagating at this point. As such, it is difficult to fully eradicate it," Clay says.

Much of its durability has resulted from the continuing use of systems running, old, unsupported and unpatched Windows software. Most of Trend Micro's detections have been on systems running Windows XP, Windows 2000, and Windows Server 2003.

The three sectors where Conficker/Downad's presence can be seen the most are healthcare, government, and manufacturing. Organizations in these industries typically have tended to be slower to make technology upgrades compared with their counterparts in other industries. Many of the organizations where Trend Micro has detected Conficker have been in developing countries such as Brazil, India, and China, which are well known for their fast-growing economies and manufacturing sectors, the company says.

No Theft Involved
From an impact standpoint, Conficker/Downad does little of the stuff that modern malware does. It does not steal data, conduct surveillance, or spy on users. Rather, it infects systems for the sake of infection.

"Conficker is not meant for any profit," Clay says. "It is a worm, and its purpose is to infect as many systems as it can. There is no data-stealing component associated with it and no destructive payload."

When it was first created, the malware was meant to infect as many systems as possible. "Today, nothing has changed, it still tries to do the same," Clay says.

The worm propagates via removable media, network drives, and by attacking CVE-2008-4250, a flaw in the Server service in legacy Windows versions such as Windows 2000, Server 2002, and Server 2008. Though the flaw was patched in 2008, it still remains unpatched on thousands of old Windows systems worldwide. Trend Micro says that in October 2017 alone, it detected more than 60,000 systems with the vulnerability.

According to Trend Micro, once Conficker lands on a system, the malware puts a copy of itself in the recycle bins of all the drives that are connected to the infected systems network and removable drives. Conficker then takes actions that allow the malware to execute whenever a user browses an infected folder or drive. "It will then retrieve user account data from the connected systems by enumerating the available servers on a network. As a final step, it will perform a dictionary attack using a predefined password list on these accounts," Trend Micro said. Like most well-designed malware, Conficker also takes steps to prevent users from removing it from their systems, including in some cases preventing them from visiting the websites of antivirus vendors.

Conficker continues to pose a threat to older legacy systems, which in many cases are not patched or cannot be patched by an organization, Clay notes. An example of such a system would be one that is maintained by a third party on behalf of an organization. Legacy systems with embedded operating systems are vulnerable, too. Though such systems might be functioning properly, they may not be able to support a security agent, Clay says.

"In these situations, the best defense is to utilize network IPS technology that can detect the worm on the network and block it from being copied onto the system," he says.

Related content:

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
New Cold Boot Attack Gives Hackers the Keys to PCs, Macs
Kelly Sheridan, Staff Editor, Dark Reading,  9/13/2018
Yahoo Class-Action Suits Set for Settlement
Dark Reading Staff 9/17/2018
RDP Ports Prove Hot Commodities on the Dark Web
Kelly Sheridan, Staff Editor, Dark Reading,  9/17/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: In Russia, application hangs YOU!
Current Issue
Flash Poll
How Data Breaches Affect the Enterprise
How Data Breaches Affect the Enterprise
This report, offers new data on the frequency of data breaches, the losses they cause, and the steps that organizations are taking to prevent them in the future. Read the report today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-17177
PUBLISHED: 2018-09-18
An issue was discovered on Neato Botvac Connected 2.2.0 and Botvac 85 1.2.1 devices. Static encryption is used for the copying of so-called "black box" logs (event logs and core dumps) to a USB stick. These logs are RC4-encrypted with a 9-character password of *^JEd4W!I that is obfuscated ...
CVE-2018-17178
PUBLISHED: 2018-09-18
An issue was discovered on Neato Botvac Connected 2.2.0 devices. They execute unauthenticated manual drive commands (sent to /bin/webserver on port 8081) if they already have an active session. Commands like forward, back, arc-left, arc-right, pivot-left, and pivot-right are executed even though the...
CVE-2018-11869
PUBLISHED: 2018-09-18
In all android releases(Android for MSM, Firefox OS for MSM, QRD Android) from CAF using the linux kernel, lack of length validation check for value received from firmware can lead to buffer overflow in WMA handler.
CVE-2018-17176
PUBLISHED: 2018-09-18
A replay issue was discovered on Neato Botvac Connected 2.2.0 devices. Manual control mode requires authentication, but once recorded, the authentication (always transmitted in cleartext) can be replayed to /bin/webserver on port 8081. There are no nonces, and timestamps are not checked at all.
CVE-2018-11852
PUBLISHED: 2018-09-18
In all android releases(Android for MSM, Firefox OS for MSM, QRD Android) from CAF using the linux kernel, improper check In the WMA API for the inputs received from the firmware and then fills the same to the host structure will lead to OOB write.