Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


05:06 PM
Connect Directly

Notorious Conficker Worm Still Alive And Infecting Unpatched PCs

Wily worm still confounds researchers, but no official botnet activity reported as of yet

What started as a massive worm infection of more than 8 million machines earlier this year, and then was whittled down to around 2 million, is now back in the spotlight again.

The so-called Conficker worm (a.k.a. Conficker/Downadup) is being billed as the next possible April Fool's Day threat. Machines infected with the third and latest version of the worm -- Conficker.C -- are expected to "phone home" and receive their updates on April 1.

But security experts say not to expect any major Conficker event on April 1.

What's most perplexing, they say, is that Conficker is still alive and well, despite all of the negative attention it has garnered. Conficker became notorious enough to prompt Microsoft to form the Conficker Cabal, a coalition of security vendors and organizations dedicated to killing it. Microsoft even offered a $250,000 bounty for information that helps in the arrest and conviction of the perpetrators behind Conficker.

Although Conficker.C appears to be programmed to run a new algorithm for domain-name generation on April 1, infected machines don't actually need to check in with command and control, and can get their updates at any time: "It doesn't really need those domain names to be updated" because it's peer-to-peer, says Joe Stewart, director of malware research for SecureWorks.

"It's unlikely anything will happen on the first [of April]," says Patrik Runald, chief security advisor for F-Secure, which has been following Conficker for months. "Considering all the attention going on about April 1st, why would they do something that day? The group behind it could as easily do something on April 4th or April 10th."

And most of the infected machines have the older Conficker.B variant, anyway, which isn't scheduled for activity on April 1, according to F-Secure.

But Randy Abrams, director of technical education for ESET, says there's no way to know for sure at this point what will happen that day. "It could be that it does nothing, and April 1 was a joke, diversion, or aborted plan. Or it could be the launch of a massive spam run, DDoS, or infrastructure attack. We really can't say," Abrams says.

So why worry about Conficker if it hasn't really done any visible damage thus far? "Because there are still 1 to 2 million computers out there that are infected, and they could potentially do a lot of harm to the rest of the Internet," F-Secure's Runald says.

The worm initially hit enterprises hard, but many organizations have been able to clean up their internal machines, thanks to Microsoft's efforts, as well as the various vendors that released prevention and cleanup tools for Conficker. "We saw it spreading extremely fast within internal networks [at first]. Now it's a combination of corporate and end users who haven't patched their computers for whatever reason," Runald says.

But with no official sign that the infected machines are ready to spam or inflict a distributed denial-of-service (DDoS) attack, security experts disagree about whether Conficker is a botnet-in-waiting. SecureWorks' Stewart says he hasn't witnessed any profit motive or attack activity that would point to a botnet, and F-Secure's Runald says he's not ready to call it a botnet yet.

ESET's Abrams, however, argues otherwise: "Conficker is a botnet. It has the ability to be remote-controlled, and is an automated program," he says. "The signs of botnet activity are that it will look outside for instructions and can download and execute code."

Conficker is not a classic worm due to its botnet-like command-and-control channel. It does propagate like a worm, though, exploiting machines that haven't installed the MS08-067 Windows patch for Windows 2000, XP, and Server 2003 systems issued by Microsoft back in October. Conficker's creators have been cranking out new variants of the worm to evade detection, and infection requires no action on the part of the PC user.

Although no one is sure what Conficker is ultimately up to, its creators are obviously not amateurs. "It's professionally coded, [and] it's still alive after four months, despite our efforts to kill it," F-Secure's Runald notes. "It took us some time to figure out how to remove it fully. They've implemented new code continuously, and it uses new technologies that barely have been used before, [like the] MD6 encryption."

Still, more treacherous botnets are out there even if Conficker were to officially launch as a botnet. "Botnets that facilitate identity theft and fraud are more damaging," SecureWorks' Stewart says.

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
Florida Town Pays $600K to Ransomware Operators
Curtis Franklin Jr., Senior Editor at Dark Reading,  6/20/2019
Pledges to Not Pay Ransomware Hit Reality
Robert Lemos, Contributing Writer,  6/21/2019
AWS CISO Talks Risk Reduction, Development, Recruitment
Kelly Sheridan, Staff Editor, Dark Reading,  6/25/2019
Register for Dark Reading Newsletters
White Papers
Current Issue
Building and Managing an IT Security Operations Program
As cyber threats grow, many organizations are building security operations centers (SOCs) to improve their defenses. In this Tech Digest you will learn tips on how to get the most out of a SOC in your organization - and what to do if you can't afford to build one.
Flash Poll
The State of IT Operations and Cybersecurity Operations
The State of IT Operations and Cybersecurity Operations
Your enterprise's cyber risk may depend upon the relationship between the IT team and the security team. Heres some insight on what's working and what isn't in the data center.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2019-06-26
A flaw was found in Moodle before 3.7, 3.6.4, 3.5.6, 3.4.9 and 3.1.18. The form to upload cohorts contained a redirect field, which was not restricted to internal URLs.
PUBLISHED: 2019-06-26
A flaw was found in Moodle before 3.7, 3.6.4, 3.5.6, 3.4.9 and 3.1.18. The size of users' private file uploads via email were not correctly checked, so their quota allowance could be exceeded.
PUBLISHED: 2019-06-26
A flaw was found in Moodle before versions 3.7, 3.6.4. A web service fetching messages was not restricted to the current user's conversations.
PUBLISHED: 2019-06-26
The Couchbase Sync Gateway 2.1.2 in combination with a Couchbase Server is affected by a previously undisclosed N1QL-injection vulnerability in the REST API. An attacker with access to the public REST API can insert additional N1QL statements through the parameters ?startkey? and ?endkey? of the ?_a...
PUBLISHED: 2019-06-26
Out-of-bounds accesses in the functions pi_next_lrcp, pi_next_rlcp, pi_next_rpcl, pi_next_pcrl, pi_next_rpcl, and pi_next_cprl in openmj2/pi.c in OpenJPEG through 2.3.0 allow remote attackers to cause a denial of service (application crash).