Vulnerabilities / Threats
3/31/2009
06:17 PM
Connect Directly
LinkedIn
Twitter
Google+
RSS
E-Mail
50%
50%

Conficker's April Fools' Day Update Begins With A Yawn

The worm was designed initially to exploit a Microsoft Windows vulnerability that was patched last October.

It's April 1 in Asia and Australia at the moment and the Conficker worm is busily expanding the list of domains from which it seeks instructions.

The results so far recall the Y2K crisis: Lots of worry, but not much impact.

"Conficker has activated," said Patrik Runald, chief security adviser at F-Secure, in a blog post on Tuesday. "So far nothing has actually happened."

This nonevent, however, is apparently news, if the volume of commentary coming from security researchers and echoed in the press is any measure. Thanks to the rise of news aggregation services like Google News, once a nonevent reaches critical mass, every industry observer and media outlet is more or less obligated to weigh in.

The chatter among security professionals is almost uniformly nonchalant.

"Over the next 24 hours Conficker will change the way it communicates, but we don't expect much of anything else to happen," said Marcus Sachs, director of the SANS Internet Storm Center, in a blog post. "There has been quite a bit of media hype about Conficker, and we've seen dozens of new domain names registered to 'help' those who are confused. There are also several reports of malicious software masquerading as detection and cleaning tools for Conficker-infected computers."

The Conficker/Downadup worm was designed initially to exploit a Microsoft Windows vulnerability that was patched (MS08-067) last October. Since then, it has been updated several times. Now in its fourth iteration, it has developed multiple avenues of infection, including USB devices and brute-force password guessing. It also uses a variety of sophisticated techniques to evade detection and to maintain its command-and-control channel, including a pseudo-random algorithm for generating the domains it uses to receive commands.

Somewhere between 1 million and 2 million computers are believed to be actively infected with the malware, down from almost 9 million in January. According to IBM ISS Managed Security Services, the largest number of infections (45%) are in Asia, followed by Europe (31%), South America (13.6%), and North America (5.8%), with the remainder in the Middle East, Africa, and elsewhere.

The reason that IBM ISS knows this is that one of its researchers, Mark Yason, succeeded last week in cracking the worm's peer-to-peer communication scheme. This has allowed IBM to see Conficker bots hiding in the machines of customers of its managed security service, as well as those outside its purview, bots around the globe trying to communicate with their peers.

Holly Stewart, IBM ISS X-Force threat response manager, attributes the widespread interest in Conficker to the aggressive way in which it spreads and to its sophistication, with several propagation methods and a peer-to-peer communication system.

But really, there's no reason that anyone's computer should still be infected, given the variety of Conficker detection and removal tools out there. Even the Department of Homeland Security is getting into the act and offering Conficker mitigation software for government agencies and enterprises.


2009 marks the 12th year that InformationWeek will be monitoring changes in security practices through our annual research survey. Find out more, and take part.

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading Must Reads - September 25, 2014
Dark Reading's new Must Reads is a compendium of our best recent coverage of identity and access management. Learn about access control in the age of HTML5, how to improve authentication, why Active Directory is dead, and more.
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-6278
Published: 2014-09-30
GNU Bash through 4.3 bash43-026 does not properly parse function definitions in the values of environment variables, which allows remote attackers to execute arbitrary commands via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and m...

CVE-2014-6805
Published: 2014-09-30
The weibo (aka magic.weibo) application 1.2 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

CVE-2014-6806
Published: 2014-09-30
The Thanodi - Setswana Translator (aka com.thanodi.thanodi) application 1.0.0 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

CVE-2014-6807
Published: 2014-09-30
The OLA School (aka com.conduit.app_00f9890a4f0145f2aae9d714e20b273a.app) application 1.2.7.132 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

CVE-2014-6808
Published: 2014-09-30
The Active 24 (aka com.zentity.app.active24) application 1.0.1 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
In our next Dark Reading Radio broadcast, we’ll take a close look at some of the latest research and practices in application security.