Vulnerabilities / Threats
3/31/2009
06:17 PM

Conficker's April Fools' Day Update Begins With A Yawn

The worm was designed initially to exploit a Microsoft Windows vulnerability that was patched last October.

It is already April 1 in Asia and Australia, and the Conficker worm is busily expanding the list of domains from which it seeks instructions.

The results so far recall the Y2K crisis: Lots of worry, but not much impact.

"Conficker has activated," said Patrik Runald, chief security adviser at F-Secure, in a blog post on Tuesday. "So far nothing has actually happened."

This nonevent, however, is apparently news, if the volume of commentary coming from security researchers and echoed in the press is any measure. Thanks to the rise of news aggregation services like Google News, once a nonevent reaches critical mass, every industry observer and media outlet is more or less obligated to weigh in.

The chatter among security professionals is almost uniformly nonchalant.

"Over the next 24 hours Conficker will change the way it communicates, but we don't expect much of anything else to happen," said Marcus Sachs, director of the SANS Internet Storm Center, in a blog post. "There has been quite a bit of media hype about Conficker, and we've seen dozens of new domain names registered to 'help' those who are confused. There are also several reports of malicious software masquerading as detection and cleaning tools for Conficker-infected computers."

The Conficker/Downadup worm was designed initially to exploit a Microsoft Windows vulnerability (MS08-067) that was patched last October. Since then, it has been updated several times. Now in its fourth iteration, it has developed multiple avenues of infection, including USB devices and brute-force password guessing. It also uses a variety of sophisticated techniques to evade detection and to keep its command-and-control channel alive, including a pseudo-random algorithm that generates the domain names it checks for commands, so that there is no single fixed rendezvous point for defenders to take down.
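To make the domain-generation idea concrete, here is an added example in Python. It is not Conficker's actual algorithm and is not code from the article or from any vendor it cites; the seed value, the label length and the TLD list are assumptions of the example. The same function serves both sides: an infected host would use it to find the day's rendezvous domains, and a defender who has recovered the algorithm can precompute the same list to block or sinkhole those names ahead of time and to flag matching DNS queries in logs.

```python
import datetime
import hashlib

# Assumptions of this illustrative example (not Conficker's real parameters):
SEED = b"example-dga-seed"        # constant baked into the binary; recovered by reverse engineering
TLDS = ("com", "net", "org")      # candidate top-level domains
LABEL_LEN = 8                     # letters per generated label


def generate_domains(day: str, count: int = 10) -> list:
    """Return `count` domain names for the ISO date `day` (e.g. "2009-04-01").

    The bot and anyone who knows SEED compute the same list, because each name
    is a pure function of (SEED, date, index): SHA-256 output is mapped to
    lowercase letters for the label and one further byte selects the TLD.
    """
    date = datetime.date.fromisoformat(day)
    domains = []
    for i in range(count):
        material = SEED + date.isoformat().encode() + i.to_bytes(2, "big")
        digest = hashlib.sha256(material).digest()
        label = "".join(chr(ord("a") + b % 26) for b in digest[:LABEL_LEN])
        tld = TLDS[digest[LABEL_LEN] % len(TLDS)]
        domains.append(f"{label}.{tld}")
    return domains


def blocklist_for_window(start_day: str, days: int, count: int = 10) -> set:
    """Defender side: the union of every domain the algorithm will use over
    `days` consecutive days starting at `start_day`, so the names can be
    registered, sinkholed or blocked before the bots ask for them."""
    start = datetime.date.fromisoformat(start_day)
    names = set()
    for offset in range(days):
        day = (start + datetime.timedelta(days=offset)).isoformat()
        names.update(generate_domains(day, count))
    return names


def is_dga_candidate(queried_name: str, day: str, count: int = 10) -> bool:
    """Detection side: does a DNS name seen in logs match that day's set?
    Normalises case and a trailing dot, as resolver logs often carry both."""
    normalised = queried_name.lower().rstrip(".")
    return normalised in set(generate_domains(day, count))


if __name__ == "__main__":
    today = "2009-04-01"
    for name in generate_domains(today):
        print(name)
    print(len(blocklist_for_window(today, 7)), "domains to sinkhole this week")
```

The `count` parameter is the lever a malware author pulls to make pre-registration expensive: the more candidates per day, the more domains responders have to register or sinkhole while the bot only needs one of them to answer.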

Somewhere between 1 million and 2 million computers are believed to be actively infected with the malware, down from almost 9 million in January. According to IBM ISS Managed Security Services, the largest number of infections (45%) are in Asia, followed by Europe (31%), South America (13.6%), and North America (5.8%), with the remainder in the Middle East, Africa, and elsewhere.

The reason IBM ISS knows this is that one of its researchers, Mark Yason, succeeded last week in cracking the worm's peer-to-peer communication scheme. This has allowed IBM to see Conficker bots hiding in the machines of its managed security service customers, as well as bots outside its purview around the globe, as they try to communicate with their peers.

Holly Stewart, IBM ISS X-Force threat response manager, attributes the widespread interest in Conficker to the aggressive way in which it spreads and to its sophistication, with several propagation methods and a peer-to-peer communication system.

But really, there's no reason that anyone's computer should still be infected, given the variety of Conficker detection and removal tools out there. Even the Department of Homeland Security is getting into the act and offering Conficker mitigation software for government agencies and enterprises.


