Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


05:06 PM
Connect Directly

Notorious Conficker Worm Still Alive And Infecting Unpatched PCs

Wily worm still confounds researchers, but no official botnet activity reported as of yet

What started as a massive worm infection of more than 8 million machines earlier this year, and then was whittled down to around 2 million, is now back in the spotlight again.

The so-called Conficker worm (a.k.a. Conficker/Downadup) is being billed as the next possible April Fool's Day threat. Machines infected with the third and latest version of the worm -- Conficker.C -- are expected to "phone home" and receive their updates on April 1.

But security experts say not to expect any major Conficker event on April 1.

What's most perplexing, they say, is that Conficker is still alive and well, despite all of the negative attention it has garnered. Conficker became notorious enough to prompt Microsoft to form the Conficker Cabal, a coalition of security vendors and organizations dedicated to killing it. Microsoft even offered a $250,000 bounty for information that helps in the arrest and conviction of the perpetrators behind Conficker.

Although Conficker.C appears to be programmed to run a new algorithm for domain-name generation on April 1, infected machines don't actually need to check in with command and control, and can get their updates at any time: "It doesn't really need those domain names to be updated" because it's peer-to-peer, says Joe Stewart, director of malware research for SecureWorks.

"It's unlikely anything will happen on the first [of April]," says Patrik Runald, chief security advisor for F-Secure, which has been following Conficker for months. "Considering all the attention going on about April 1st, why would they do something that day? The group behind it could as easily do something on April 4th or April 10th."

And most of the infected machines have the older Conficker.B variant, anyway, which isn't scheduled for activity on April 1, according to F-Secure.

But Randy Abrams, director of technical education for ESET, says there's no way to know for sure at this point what will happen that day. "It could be that it does nothing, and April 1 was a joke, diversion, or aborted plan. Or it could be the launch of a massive spam run, DDoS, or infrastructure attack. We really can't say," Abrams says.

So why worry about Conficker if it hasn't really done any visible damage thus far? "Because there are still 1 to 2 million computers out there that are infected, and they could potentially do a lot of harm to the rest of the Internet," F-Secure's Runald says.

The worm initially hit enterprises hard, but many organizations have been able to clean up their internal machines, thanks to Microsoft's efforts, as well as the various vendors that released prevention and cleanup tools for Conficker. "We saw it spreading extremely fast within internal networks [at first]. Now it's a combination of corporate and end users who haven't patched their computers for whatever reason," Runald says.

But with no official sign that the infected machines are ready to spam or inflict a distributed denial-of-service (DDoS) attack, security experts disagree about whether Conficker is a botnet-in-waiting. SecureWorks' Stewart says he hasn't witnessed any profit motive or attack activity that would point to a botnet, and F-Secure's Runald says he's not ready to call it a botnet yet.

ESET's Abrams, however, argues otherwise: "Conficker is a botnet. It has the ability to be remote-controlled, and is an automated program," he says. "The signs of botnet activity are that it will look outside for instructions and can download and execute code."

Conficker is not a classic worm due to its botnet-like command-and-control channel. It does propagate like a worm, though, exploiting machines that haven't installed the MS08-067 Windows patch for Windows 2000, XP, and Server 2003 systems issued by Microsoft back in October. Conficker's creators have been cranking out new variants of the worm to evade detection, and infection requires no action on the part of the PC user.

Although no one is sure what Conficker is ultimately up to, its creators are obviously not amateurs. "It's professionally coded, [and] it's still alive after four months, despite our efforts to kill it," F-Secure's Runald notes. "It took us some time to figure out how to remove it fully. They've implemented new code continuously, and it uses new technologies that barely have been used before, [like the] MD6 encryption."

Still, more treacherous botnets are out there even if Conficker were to officially launch as a botnet. "Botnets that facilitate identity theft and fraud are more damaging," SecureWorks' Stewart says.

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
Inside the Ransomware Campaigns Targeting Exchange Servers
Kelly Sheridan, Staff Editor, Dark Reading,  4/2/2021
Beyond MITRE ATT&CK: The Case for a New Cyber Kill Chain
Rik Turner, Principal Analyst, Infrastructure Solutions, Omdia,  3/30/2021
Register for Dark Reading Newsletters
White Papers
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2021-04-17
The overlayfs implementation in the linux kernel did not properly validate with respect to user namespaces the setting of file capabilities on files in an underlying file system. Due to the combination of unprivileged user namespaces along with a patch carried in the Ubuntu kernel to allow unprivile...
PUBLISHED: 2021-04-17
Shiftfs, an out-of-tree stacking file system included in Ubuntu Linux kernels, did not properly handle faults occurring during copy_from_user() correctly. These could lead to either a double-free situation or memory not being freed at all. An attacker could use this to cause a denial of service (ker...
PUBLISHED: 2021-04-17
A command injection vulnerability has been reported to affect QTS and QuTS hero. If exploited, this vulnerability allows attackers to execute arbitrary commands in a compromised application. We have already fixed this vulnerability in the following versions: QTS Build 20210202 and later Q...
PUBLISHED: 2021-04-17
An SQL injection vulnerability has been reported to affect QNAP NAS running Multimedia Console or the Media Streaming add-on. If exploited, the vulnerability allows remote attackers to obtain application information. QNAP has already fixed this vulnerability in the following versions of Multimedia C...
PUBLISHED: 2021-04-16
jose-node-esm-runtime is an npm package which provides a number of cryptographic functions. In versions prior to 3.11.4 the AES_CBC_HMAC_SHA2 Algorithm (A128CBC-HS256, A192CBC-HS384, A256CBC-HS512) decryption would always execute both HMAC tag verification and CBC decryption, if either failed `JWEDe...