The Conficker worm has become the malware that just won't die.
More than nine years after it was first spotted in 2008, the worm continues to be detected by anti-malware systems with enough regularity to suggest that it remains a potent threat for organizations, especially those in the manufacturing, healthcare, and government sectors.
In a report released this week, security vendor Trend Micro, which also calls the worm Downad, says its software has so far detected and blocked the malware some 330,000 times this year. That number is roughly consistent with Trend Micro's 300,000 Conficker detections in 2016 and the 290,000 or so in 2015.
The detection rates are well below Conficker's peak rates, when it was still young and new. In 2008, when it first appeared in the wild, Conficker infected an impressive 9 million systems worldwide, making it one of the most prolific malware samples of the year.
Even four years later, in 2012, Conficker notched up more than 2.5 million victims, putting it in the top malware category for that year, Trend Micro says. Since then, the number of infections has dropped substantially over the years as people have switched to more modern operating systems and better security tools. Still, in the past few years Conficker detections have held steadily at well over 20,000 per month, indicating it is still highly active.
No other malware has displayed this sort of longevity at this scale, says Jon Clay, director of global threat communications for Trend Micro. "Conficker seems to be the worm that won't go away. It almost seems like it is self-generating and self-propagating at this point. As such, it is difficult to fully eradicate it," Clay says.
Much of its durability has resulted from the continuing use of systems running, old, unsupported and unpatched Windows software. Most of Trend Micro's detections have been on systems running Windows XP, Windows 2000, and Windows Server 2003.
The three sectors where Conficker/Downad's presence can be seen the most are healthcare, government, and manufacturing. Organizations in these industries typically have tended to be slower to make technology upgrades compared with their counterparts in other industries. Many of the organizations where Trend Micro has detected Conficker have been in developing countries such as Brazil, India, and China, which are well known for their fast-growing economies and manufacturing sectors, the company says.
No Theft Involved
From an impact standpoint, Conficker/Downad does little of the stuff that modern malware does. It does not steal data, conduct surveillance, or spy on users. Rather, it infects systems for the sake of infection.
"Conficker is not meant for any profit," Clay says. "It is a worm, and its purpose is to infect as many systems as it can. There is no data-stealing component associated with it and no destructive payload."
When it was first created, the malware was meant to infect as many systems as possible. "Today, nothing has changed, it still tries to do the same," Clay says.
The worm propagates via removable media, network drives, and by attacking CVE-2008-4250, a flaw in the Server service in legacy Windows versions such as Windows 2000, Server 2002, and Server 2008. Though the flaw was patched in 2008, it still remains unpatched on thousands of old Windows systems worldwide. Trend Micro says that in October 2017 alone, it detected more than 60,000 systems with the vulnerability.
According to Trend Micro, once Conficker lands on a system, the malware puts a copy of itself in the recycle bins of all the drives that are connected to the infected systems network and removable drives. Conficker then takes actions that allow the malware to execute whenever a user browses an infected folder or drive. "It will then retrieve user account data from the connected systems by enumerating the available servers on a network. As a final step, it will perform a dictionary attack using a predefined password list on these accounts," Trend Micro said. Like most well-designed malware, Conficker also takes steps to prevent users from removing it from their systems, including in some cases preventing them from visiting the websites of antivirus vendors.
Conficker continues to pose a threat to older legacy systems, which in many cases are not patched or cannot be patched by an organization, Clay notes. An example of such a system would be one that is maintained by a third party on behalf of an organization. Legacy systems with embedded operating systems are vulnerable, too. Though such systems might be functioning properly, they may not be able to support a security agent, Clay says.
"In these situations, the best defense is to utilize network IPS technology that can detect the worm on the network and block it from being copied onto the system," he says.