Vulnerabilities / Threats
4/30/2012
10:37 AM
Connect Directly
RSS
E-Mail
50%
50%

8 Reasons Conficker Malware Won't Die

Poor corporate password practices and continuing use of Autorun help explain why eradicating this three-year-old worm has been so difficult.

Obstinate. That's how Microsoft has labeled Conficker, which, despite being three years old and targeted for eradication, continues to survive--and even thrive--in corporate networks.

As recently as the fourth quarter of 2011, Conficker variants launched 59 million attacks against 1.7 million unique PCs, according to the latest installment of the Microsoft Security Intelligence Report, which reviewed attack trends for the second half of 2011. Whereas most malware disproportionately affects consumers, the report found that Conficker is "more prevalent on domain-joined computers," meaning business machines.

Here are eight reasons why killing Conficker remains so tough:

1. Conficker was built to topple business networks. Conficker is designed to persist. All of the worm's payload traffic is encrypted, making infections difficult to spot. The worm can also disable many types of free antivirus software as well as Microsoft Windows Update, thereby disabling automatic security updates. That not only buys the worm time to spread, but can provide a toehold for other malicious software, thus compounding businesses' security problems.

[ Is Apple's 'Walled Garden' Approach To Security Becoming Obsolete? Read more at After Flashback, Apple Walled Gardens Won't Help. ]

2. The worm spreads via Autorun. More recent variations of Conficker attempt to auto-execute via Autorun, which helps it spread not just via network shares, but also USB keys and other types of removable storage. Accordingly, Microsoft has recommended disabling Autorun.

3. Weak passwords help Conficker. When Conficker first infects a PC, it attempts to use the user's current credentials to copy itself to administrative shares, thereby spreading the infection. If that fails, the worm switches to a more aggressive approach. "Conficker has a small dictionary of passwords that is used in a brute-force attack against other machines in the network, and it continues to be surprisingly effective," said Wolfgang Kandek, CTO of Qualys, in a blog post. How weak or common are these passwords? Try words or numbers such as 0000, 1111, Admin, and coffee. "[Conficker's] dictionary attack is very basic and is prevented even by enforcing simple password composition policies, i.e. adding [numbers] and special characters to only alpha-type passwords," he said.

4. Conficker can remain dormant. If, after trying all of the above, Conficker still fails to spread to admin shares, it will simply hibernate. What brings it back to life? That would be an administrator, using admin credentials to log onto the machine, perhaps while investigating a user's reports of suspicious behavior. Once the PC has been accessed using admin credentials, the worm will again attempt to use these permissions to copy itself around the network.

5. Conficker spreads without bugs. Most malware targets known vulnerabilities. But according to Microsoft, the above password-attack vectors accounted for "100% of all recent infection attempts from Conficker targeting ... users on Windows 7 and Windows Vista platforms." Likewise, 91% of Conficker attacks against Windows 2003 machines targeted passwords, while only 9% targeted a vulnerability patched by Microsoft in October 2008.

6. Repeat outbreaks are common. Conficker's continued spread highlights the ongoing use of weak passwords. "During the first quarter of 2011, the average number of times Conficker attacked a single computer was 15, but by the fourth quarter that number had more than doubled to 35," reported Microsoft. The sheer volume of repeat attacks suggest that businesses are failing to eradicate Conficker from every PC inside the enterprise after they detect an infection. As a result, copies of the worm persist, triggering subsequent outbreaks.

7. Virtualization may stoke the worm's spread. Some security watchers see virtualization as another culprit behind Conficker's continued existence. "'VM sprawl'--or the idea that a virtual machine can be easily created and then archived--means there are many virtual machines offline without security updates. Then, when these machines are brought back online, they can get re-infected very easily," said Kapil Raina, a director at Zscaler, via email. "With today's move to the cloud and leveraging services like AWS EC2, there are many, many virtual machines without proper patching. It's like a time bomb waiting to happen when they come back online."

8. Businesses ignore security basics. Want to keep Conficker out of your enterprise? Keep antivirus definitions up to date, disable Autorun, and assess any potential risk you could face if your company uses outdated, virtualized operating systems.

Finally, get tough on passwords. "A single computer with a weak password could easily be enough to cause a major disruption inside a corporate network, especially considering the increasing trend in the number of Conficker attacks per computer," said Joe Blackbird of the Microsoft Malware Protection Center (MMPC), in a blog post.

InformationWeek is conducting a survey to get a baseline look at where enterprises stand on their IPv6 deployments, with a focus on problem areas, including security, training, budget, and readiness. Upon completion of our survey, you will be eligible to enter a drawing to receive an 16-GB Apple iPad. Take our InformationWeek IPv6 Survey now. Survey ends May 11.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Bprince
50%
50%
Bprince,
User Rank: Ninja
5/1/2012 | 1:11:51 AM
re: 8 Reasons Conficker Malware Won't Die
The fact that this is still spreading to this extent to me is a major fail for security...especially the password issue...
Brian Prince, InformationWeek/Dark Reading Comment Moderator
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading, September 16, 2014
Malicious software is morphing to be more targeted, stealthy, and destructive. Are you prepared to stop it?
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2012-5700
Published: 2014-09-22
Multiple cross-site scripting (XSS) vulnerabilities in Baby Gekko before 1.2.2f allow remote attackers to inject arbitrary web script or HTML via the (1) id parameter to admin/index.php or the (2) username or (3) password parameter in blocks/loginbox/loginbox.template.php to index.php. NOTE: some o...

CVE-2014-0484
Published: 2014-09-22
The Debian acpi-support package before 0.140-5+deb7u3 allows local users to gain privileges via vectors related to the "user's environment."

CVE-2014-2942
Published: 2014-09-22
Cobham Aviator 700D and 700E satellite terminals use an improper algorithm for PIN codes, which makes it easier for attackers to obtain a privileged terminal session by calculating the superuser code, and then leveraging physical access or terminal access to enter this code.

CVE-2014-3595
Published: 2014-09-22
Cross-site scripting (XSS) vulnerability in spacewalk-java 1.2.39, 1.7.54, and 2.0.2 in Spacewalk and Red Hat Network (RHN) Satellite 5.4 through 5.6 allows remote attackers to inject arbitrary web script or HTML via a crafted request that is not properly handled when logging.

CVE-2014-3635
Published: 2014-09-22
Off-by-one error in D-Bus 1.3.0 through 1.6.x before 1.6.24 and 1.8.x before 1.8.8, when running on a 64-bit system and the max_message_unix_fds limit is set to an odd number, allows remote attackers to cause a denial of service (dbus-daemon crash) or possibly execute arbitrary code by sending one m...

Best of the Web
Dark Reading Radio