Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


05:06 PM
Connect Directly

Notorious Conficker Worm Still Alive And Infecting Unpatched PCs

Wily worm still confounds researchers, but no official botnet activity reported as of yet

What started as a massive worm infection of more than 8 million machines earlier this year, and then was whittled down to around 2 million, is now back in the spotlight again.

The so-called Conficker worm (a.k.a. Conficker/Downadup) is being billed as the next possible April Fool's Day threat. Machines infected with the third and latest version of the worm -- Conficker.C -- are expected to "phone home" and receive their updates on April 1.

But security experts say not to expect any major Conficker event on April 1.

What's most perplexing, they say, is that Conficker is still alive and well, despite all of the negative attention it has garnered. Conficker became notorious enough to prompt Microsoft to form the Conficker Cabal, a coalition of security vendors and organizations dedicated to killing it. Microsoft even offered a $250,000 bounty for information that helps in the arrest and conviction of the perpetrators behind Conficker.

Although Conficker.C appears to be programmed to run a new algorithm for domain-name generation on April 1, infected machines don't actually need to check in with command and control, and can get their updates at any time: "It doesn't really need those domain names to be updated" because it's peer-to-peer, says Joe Stewart, director of malware research for SecureWorks.

"It's unlikely anything will happen on the first [of April]," says Patrik Runald, chief security advisor for F-Secure, which has been following Conficker for months. "Considering all the attention going on about April 1st, why would they do something that day? The group behind it could as easily do something on April 4th or April 10th."

And most of the infected machines have the older Conficker.B variant, anyway, which isn't scheduled for activity on April 1, according to F-Secure.

But Randy Abrams, director of technical education for ESET, says there's no way to know for sure at this point what will happen that day. "It could be that it does nothing, and April 1 was a joke, diversion, or aborted plan. Or it could be the launch of a massive spam run, DDoS, or infrastructure attack. We really can't say," Abrams says.

So why worry about Conficker if it hasn't really done any visible damage thus far? "Because there are still 1 to 2 million computers out there that are infected, and they could potentially do a lot of harm to the rest of the Internet," F-Secure's Runald says.

The worm initially hit enterprises hard, but many organizations have been able to clean up their internal machines, thanks to Microsoft's efforts, as well as the various vendors that released prevention and cleanup tools for Conficker. "We saw it spreading extremely fast within internal networks [at first]. Now it's a combination of corporate and end users who haven't patched their computers for whatever reason," Runald says.

But with no official sign that the infected machines are ready to spam or inflict a distributed denial-of-service (DDoS) attack, security experts disagree about whether Conficker is a botnet-in-waiting. SecureWorks' Stewart says he hasn't witnessed any profit motive or attack activity that would point to a botnet, and F-Secure's Runald says he's not ready to call it a botnet yet.

ESET's Abrams, however, argues otherwise: "Conficker is a botnet. It has the ability to be remote-controlled, and is an automated program," he says. "The signs of botnet activity are that it will look outside for instructions and can download and execute code."

Conficker is not a classic worm due to its botnet-like command-and-control channel. It does propagate like a worm, though, exploiting machines that haven't installed the MS08-067 Windows patch for Windows 2000, XP, and Server 2003 systems issued by Microsoft back in October. Conficker's creators have been cranking out new variants of the worm to evade detection, and infection requires no action on the part of the PC user.

Although no one is sure what Conficker is ultimately up to, its creators are obviously not amateurs. "It's professionally coded, [and] it's still alive after four months, despite our efforts to kill it," F-Secure's Runald notes. "It took us some time to figure out how to remove it fully. They've implemented new code continuously, and it uses new technologies that barely have been used before, [like the] MD6 encryption."

Still, more treacherous botnets are out there even if Conficker were to officially launch as a botnet. "Botnets that facilitate identity theft and fraud are more damaging," SecureWorks' Stewart says.

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 10/27/2020
Chinese Attackers' Favorite Flaws Prove Global Threats, Research Shows
Kelly Sheridan, Staff Editor, Dark Reading,  10/27/2020
Register for Dark Reading Newsletters
White Papers
Current Issue
Special Report: Computing's New Normal
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
How IT Security Organizations are Attacking the Cybersecurity Problem
How IT Security Organizations are Attacking the Cybersecurity Problem
The COVID-19 pandemic turned the world -- and enterprise computing -- on end. Here's a look at how cybersecurity teams are retrenching their defense strategies, rebuilding their teams, and selecting new technologies to stop the oncoming rise of online attacks.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2020-10-29
Algorithm downgrade vulnerability in QuickConnect in Synology DiskStation Manager (DSM) before 6.2.3-25426-2 allows man-in-the-middle attackers to spoof servers and obtain sensitive information via unspecified vectors.
PUBLISHED: 2020-10-29
Algorithm downgrade vulnerability in QuickConnect in Synology Router Manager (SRM) before 1.2.4-8081 allows man-in-the-middle attackers to spoof servers and obtain sensitive information via unspecified vectors.
PUBLISHED: 2020-10-29
Improper access control vulnerability in lbd in Synology Router Manager (SRM) before 1.2.4-8081 allows remote attackers to execute arbitrary commands via port (1) 7786/tcp or (2) 7787/tcp.
PUBLISHED: 2020-10-29
Improper access control vulnerability in Synology Router Manager (SRM) before 1.2.4-8081 allows remote attackers to access restricted resources via inbound QuickConnect traffic.
PUBLISHED: 2020-10-29
Cleartext transmission of sensitive information vulnerability in DDNS in Synology DiskStation Manager (DSM) before 6.2.3-25426-2 allows man-in-the-middle attackers to eavesdrop authentication information of DNSExit via unspecified vectors.