Attacks/Breaches

12/7/2017
05:20 PM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%

Conficker: The Worm That Won't Die

More than nine years after it infected millions of systems worldwide, the malware continues to be highly active, according to a Trend Micro report.

The Conficker worm has become the malware that just won't die.

More than nine years after it was first spotted in 2008, the worm continues to be detected by anti-malware systems with enough regularity to suggest that it remains a potent threat for organizations, especially those in the manufacturing, healthcare, and government sectors.

In a report released this week, security vendor Trend Micro, which also calls the worm Downad, says its software has so far detected and blocked the malware some 330,000 times this year. That number is roughly consistent with Trend Micro's 300,000 Conficker detections in 2016 and the 290,000 or so in 2015.

The detection rates are well below Conficker's peak rates, when it was still young and new. In 2008, when it first appeared in the wild, Conficker infected an impressive 9 million systems worldwide, making it one of the most prolific malware samples of the year.

Even four years later, in 2012, Conficker notched up more than 2.5 million victims, putting it in the top malware category for that year, Trend Micro says. Since then, the number of infections has dropped substantially over the years as people have switched to more modern operating systems and better security tools. Still, in the past few years Conficker detections have held steadily at well over 20,000 per month, indicating it is still highly active.

No other malware has displayed this sort of longevity at this scale, says Jon Clay, director of global threat communications for Trend Micro. "Conficker seems to be the worm that won't go away. It almost seems like it is self-generating and self-propagating at this point. As such, it is difficult to fully eradicate it," Clay says.

Much of its durability has resulted from the continuing use of systems running, old, unsupported and unpatched Windows software. Most of Trend Micro's detections have been on systems running Windows XP, Windows 2000, and Windows Server 2003.

The three sectors where Conficker/Downad's presence can be seen the most are healthcare, government, and manufacturing. Organizations in these industries typically have tended to be slower to make technology upgrades compared with their counterparts in other industries. Many of the organizations where Trend Micro has detected Conficker have been in developing countries such as Brazil, India, and China, which are well known for their fast-growing economies and manufacturing sectors, the company says.

No Theft Involved
From an impact standpoint, Conficker/Downad does little of the stuff that modern malware does. It does not steal data, conduct surveillance, or spy on users. Rather, it infects systems for the sake of infection.

"Conficker is not meant for any profit," Clay says. "It is a worm, and its purpose is to infect as many systems as it can. There is no data-stealing component associated with it and no destructive payload."

When it was first created, the malware was meant to infect as many systems as possible. "Today, nothing has changed, it still tries to do the same," Clay says.

The worm propagates via removable media, network drives, and by attacking CVE-2008-4250, a flaw in the Server service in legacy Windows versions such as Windows 2000, Server 2002, and Server 2008. Though the flaw was patched in 2008, it still remains unpatched on thousands of old Windows systems worldwide. Trend Micro says that in October 2017 alone, it detected more than 60,000 systems with the vulnerability.

According to Trend Micro, once Conficker lands on a system, the malware puts a copy of itself in the recycle bins of all the drives that are connected to the infected systems network and removable drives. Conficker then takes actions that allow the malware to execute whenever a user browses an infected folder or drive. "It will then retrieve user account data from the connected systems by enumerating the available servers on a network. As a final step, it will perform a dictionary attack using a predefined password list on these accounts," Trend Micro said. Like most well-designed malware, Conficker also takes steps to prevent users from removing it from their systems, including in some cases preventing them from visiting the websites of antivirus vendors.

Conficker continues to pose a threat to older legacy systems, which in many cases are not patched or cannot be patched by an organization, Clay notes. An example of such a system would be one that is maintained by a third party on behalf of an organization. Legacy systems with embedded operating systems are vulnerable, too. Though such systems might be functioning properly, they may not be able to support a security agent, Clay says.

"In these situations, the best defense is to utilize network IPS technology that can detect the worm on the network and block it from being copied onto the system," he says.

Related content:

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Higher Education: 15 Books to Help Cybersecurity Pros Be Better
Curtis Franklin Jr., Senior Editor at Dark Reading,  12/12/2018
Worst Password Blunders of 2018 Hit Organizations East and West
Curtis Franklin Jr., Senior Editor at Dark Reading,  12/12/2018
2019 Attacker Playbook
Ericka Chickowski, Contributing Writer, Dark Reading,  12/14/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
10 Best Practices That Could Reshape Your IT Security Department
This Dark Reading Tech Digest, explores ten best practices that could reshape IT security departments.
Flash Poll
[Sponsored Content] The State of Encryption and How to Improve It
[Sponsored Content] The State of Encryption and How to Improve It
Encryption and access controls are considered to be the ultimate safeguards to ensure the security and confidentiality of data, which is why they're mandated in so many compliance and regulatory standards. While the cybersecurity market boasts a wide variety of encryption technologies, many data breaches reveal that sensitive and personal data has often been left unencrypted and, therefore, vulnerable.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2017-1265
PUBLISHED: 2018-12-17
IBM Security Guardium 10.0, 10.0.1, 10.1, 10.1.2, 10.1.3, 10.1.4, and 10.5 does not validate, or incorrectly validates, a certificate. This weakness might allow an attacker to spoof a trusted entity by using a man-in-the-middle (MITM) techniques. IBM X-Force ID: 124740.
CVE-2017-1272
PUBLISHED: 2018-12-17
IBM Security Guardium 10.0 and 10.5 stores sensitive information in URL parameters. This may lead to information disclosure if unauthorized parties have access to the URLs via server logs, referrer header or browser history. IBM X-Force ID: 124747. IBM X-Force ID: 124747.
CVE-2017-1597
PUBLISHED: 2018-12-17
IBM Security Guardium 10.0, 10.0.1, 10.1, 10.1.2, 10.1.3, 10.1.4, and 10.5 Database Activity Monitor does not require that users should have strong passwords by default, which makes it easier for attackers to compromise user accounts. IBM X-Force ID: 132610.
CVE-2018-1889
PUBLISHED: 2018-12-17
IBM Security Guardium 10.0 and 10.5 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 152080.
CVE-2018-1891
PUBLISHED: 2018-12-17
IBM Security Guardium 10 and 10.5 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 152082.