3/31/2009 06:17 PM

Conficker's April Fools' Day Update Begins With A Yawn

The worm was designed initially to exploit a Microsoft Windows vulnerability that was patched last October.

It's April 1 in Asia and Australia at the moment, and the Conficker worm is busily expanding the list of domains from which it seeks instructions.

The results so far recall the Y2K crisis: Lots of worry, but not much impact.

"Conficker has activated," said Patrik Runald, chief security adviser at F-Secure, in a blog post on Tuesday. "So far nothing has actually happened."

This nonevent, however, is apparently news, if the volume of commentary coming from security researchers and echoed in the press is any measure. Thanks to the rise of news aggregation services like Google News, once a nonevent reaches critical mass, every industry observer and media outlet is more or less obligated to weigh in.

The chatter among security professionals is almost uniformly nonchalant.

"Over the next 24 hours Conficker will change the way it communicates, but we don't expect much of anything else to happen," said Marcus Sachs, director of the SANS Internet Storm Center, in a blog post. "There has been quite a bit of media hype about Conficker, and we've seen dozens of new domain names registered to 'help' those who are confused. There are also several reports of malicious software masquerading as detection and cleaning tools for Conficker-infected computers."

The Conficker/Downadup worm was designed initially to exploit a Microsoft Windows vulnerability that was patched last October (MS08-067). Since then, it has been updated several times. Now in its fourth iteration, it has developed multiple avenues of infection, including USB devices and brute-force password guessing. It also uses a variety of sophisticated techniques to evade detection and to maintain its command-and-control channel, including a pseudo-random algorithm for generating the domains it uses to receive commands.
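The domain-generation behaviour described above leaves a recognisable footprint in resolver logs: an infected host queries many distinct, random-looking domains, most of which do not resolve. The following detector is an added example, not code from the article or from any vendor named in it; the log format, the sample lines and the thresholds are constructed assumptions for illustration.

```python
import math
from collections import defaultdict

# Constructed sample resolver log (not from the article): "<client_ip> <domain> <rcode>"
SAMPLE_LOG = """\
10.0.0.5 www.example.com NOERROR
10.0.0.5 mail.example.com NOERROR
10.0.0.5 cdn.example.net NOERROR
10.0.0.9 qxkzvptw.info NXDOMAIN
10.0.0.9 lmrbdyqc.biz NXDOMAIN
10.0.0.9 wzhpvtkn.org NXDOMAIN
10.0.0.9 pqjmfslx.net NXDOMAIN
10.0.0.9 updates.example.com NOERROR
10.0.0.9 kdfwaxyz.com NXDOMAIN
"""

def entropy(label: str) -> float:
    """Shannon entropy in bits per character; pseudo-random labels score near log2(len)."""
    counts = defaultdict(int)
    for ch in label:
        counts[ch] += 1
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def parse_log(text: str):
    """Yield (client, domain, rcode) from the constructed three-column format."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 3:
            yield parts[0], parts[1].lower(), parts[2].upper()

def dga_suspects(text: str, min_domains=5, min_nx_ratio=0.6, min_entropy=2.5):
    """Flag clients that look like a DGA rendezvous loop: many distinct domains,
    mostly NXDOMAIN, with high-entropy leftmost labels. Thresholds are assumptions."""
    seen = defaultdict(set)      # client -> distinct domains queried
    failed = defaultdict(set)    # client -> distinct domains that returned NXDOMAIN
    for client, domain, rcode in parse_log(text):
        seen[client].add(domain)
        if rcode == "NXDOMAIN":
            failed[client].add(domain)
    suspects = {}
    for client, domains in seen.items():
        if len(domains) < min_domains:
            continue
        nx = failed[client]
        nx_ratio = len(nx) / len(domains)
        avg_ent = sum(entropy(d.split(".")[0]) for d in nx) / len(nx) if nx else 0.0
        if nx_ratio >= min_nx_ratio and avg_ent >= min_entropy:
            suspects[client] = {"distinct": len(domains),
                                "nx_ratio": round(nx_ratio, 2),
                                "entropy": round(avg_ent, 2)}
    return suspects
```

On the sample, only 10.0.0.9 is flagged; a host that merely mistypes a few names stays under the distinct-domain and NXDOMAIN-ratio thresholds.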

Somewhere between 1 million and 2 million computers are believed to be actively infected with the malware, down from almost 9 million in January. According to IBM ISS Managed Security Services, the largest number of infections (45%) are in Asia, followed by Europe (31%), South America (13.6%), and North America (5.8%), with the remainder in the Middle East, Africa, and elsewhere.

The reason that IBM ISS knows this is that one of its researchers, Mark Yason, succeeded last week in cracking the worm's peer-to-peer communication scheme. This has allowed IBM to see Conficker bots hiding in the machines of customers of its managed security service, as well as bots outside its purview, around the globe, trying to communicate with their peers.

Holly Stewart, IBM ISS X-Force threat response manager, attributes the widespread interest in Conficker to the aggressive way in which it spreads and to its sophistication, with several propagation methods and a peer-to-peer communication system.

But really, there's no reason that anyone's computer should still be infected, given the variety of Conficker detection and removal tools out there. Even the Department of Homeland Security is getting into the act and offering Conficker mitigation software for government agencies and enterprises.
