12/7/2017
05:20 PM
Conficker: The Worm That Won't Die

More than nine years after it infected millions of systems worldwide, the malware continues to be highly active, according to a Trend Micro report.

The Conficker worm has become the malware that just won't die.

More than nine years after it was first spotted in 2008, the worm continues to be detected by anti-malware systems with enough regularity to suggest that it remains a potent threat for organizations, especially those in the manufacturing, healthcare, and government sectors.

In a report released this week, security vendor Trend Micro, which also calls the worm Downad, says its software has so far detected and blocked the malware some 330,000 times this year. That number is roughly consistent with Trend Micro's 300,000 Conficker detections in 2016 and the 290,000 or so in 2015.

The detection rates are well below Conficker's peak rates, when it was still young and new. In 2008, when it first appeared in the wild, Conficker infected an impressive 9 million systems worldwide, making it one of the most prolific malware samples of the year.

Even four years later, in 2012, Conficker notched up more than 2.5 million victims, putting it in the top malware category for that year, Trend Micro says. Since then, the number of infections has dropped substantially over the years as people have switched to more modern operating systems and better security tools. Still, in the past few years Conficker detections have held steadily at well over 20,000 per month, indicating it is still highly active.

No other malware has displayed this sort of longevity at this scale, says Jon Clay, director of global threat communications for Trend Micro. "Conficker seems to be the worm that won't go away. It almost seems like it is self-generating and self-propagating at this point. As such, it is difficult to fully eradicate it," Clay says.

Much of its durability has resulted from the continuing use of systems running old, unsupported, and unpatched Windows software. Most of Trend Micro's detections have been on systems running Windows XP, Windows 2000, and Windows Server 2003.

The three sectors where Conficker/Downad's presence can be seen the most are healthcare, government, and manufacturing. Organizations in these industries typically have tended to be slower to make technology upgrades compared with their counterparts in other industries. Many of the organizations where Trend Micro has detected Conficker have been in developing countries such as Brazil, India, and China, which are well known for their fast-growing economies and manufacturing sectors, the company says.

No Theft Involved
From an impact standpoint, Conficker/Downad does little of the stuff that modern malware does. It does not steal data, conduct surveillance, or spy on users. Rather, it infects systems for the sake of infection.

"Conficker is not meant for any profit," Clay says. "It is a worm, and its purpose is to infect as many systems as it can. There is no data-stealing component associated with it and no destructive payload."

When it was first created, the malware was meant to infect as many systems as possible. "Today, nothing has changed; it still tries to do the same," Clay says.

The worm propagates via removable media, network drives, and by attacking CVE-2008-4250, a flaw in the Server service in legacy Windows versions such as Windows 2000, Server 2002, and Server 2008. Though the flaw was patched in 2008, it still remains unpatched on thousands of old Windows systems worldwide. Trend Micro says that in October 2017 alone, it detected more than 60,000 systems with the vulnerability.

According to Trend Micro, once Conficker lands on a system, the malware puts a copy of itself in the recycle bins of all network and removable drives connected to the infected system. Conficker then takes actions that allow the malware to execute whenever a user browses an infected folder or drive. "It will then retrieve user account data from the connected systems by enumerating the available servers on a network. As a final step, it will perform a dictionary attack using a predefined password list on these accounts," Trend Micro said. Like most well-designed malware, Conficker also takes steps to prevent users from removing it from their systems, including in some cases preventing them from visiting the websites of antivirus vendors.

Conficker continues to pose a threat to older legacy systems, which in many cases are not patched or cannot be patched by an organization, Clay notes. An example of such a system would be one that is maintained by a third party on behalf of an organization. Legacy systems with embedded operating systems are vulnerable, too. Though such systems might be functioning properly, they may not be able to support a security agent, Clay says.

"In these situations, the best defense is to utilize network IPS technology that can detect the worm on the network and block it from being copied onto the system," he says.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ...
