
Notorious Conficker Worm Still Alive And Infecting Unpatched PCs

Wily worm still confounds researchers, but no official botnet activity reported as of yet

What started as a massive worm infection of more than 8 million machines earlier this year, and then was whittled down to around 2 million, is now back in the spotlight.

The so-called Conficker worm (a.k.a. Conficker/Downadup) is being billed as the next possible April Fool's Day threat. Machines infected with the third and latest version of the worm -- Conficker.C -- are expected to "phone home" and receive their updates on April 1.

But security experts say not to expect any major Conficker event on April 1.

What's most perplexing, they say, is that Conficker is still alive and well, despite all of the negative attention it has garnered. Conficker became notorious enough to prompt Microsoft to form the Conficker Cabal, a coalition of security vendors and organizations dedicated to killing it. Microsoft even offered a $250,000 bounty for information that helps in the arrest and conviction of the perpetrators behind Conficker.

Although Conficker.C appears to be programmed to run a new algorithm for domain-name generation on April 1, infected machines don't actually need to check in with command and control, and can get their updates at any time: "It doesn't really need those domain names to be updated" because it's peer-to-peer, says Joe Stewart, director of malware research for SecureWorks.

"It's unlikely anything will happen on the first [of April]," says Patrik Runald, chief security advisor for F-Secure, which has been following Conficker for months. "Considering all the attention going on about April 1st, why would they do something that day? The group behind it could as easily do something on April 4th or April 10th."

And most of the infected machines have the older Conficker.B variant, anyway, which isn't scheduled for activity on April 1, according to F-Secure.

But Randy Abrams, director of technical education for ESET, says there's no way to know for sure at this point what will happen that day. "It could be that it does nothing, and April 1 was a joke, diversion, or aborted plan. Or it could be the launch of a massive spam run, DDoS, or infrastructure attack. We really can't say," Abrams says.

So why worry about Conficker if it hasn't really done any visible damage thus far? "Because there are still 1 to 2 million computers out there that are infected, and they could potentially do a lot of harm to the rest of the Internet," F-Secure's Runald says.

The worm initially hit enterprises hard, but many organizations have been able to clean up their internal machines, thanks to Microsoft's efforts, as well as the various vendors that released prevention and cleanup tools for Conficker. "We saw it spreading extremely fast within internal networks [at first]. Now it's a combination of corporate and end users who haven't patched their computers for whatever reason," Runald says.

But with no official sign that the infected machines are ready to spam or inflict a distributed denial-of-service (DDoS) attack, security experts disagree about whether Conficker is a botnet-in-waiting. SecureWorks' Stewart says he hasn't witnessed any profit motive or attack activity that would point to a botnet, and F-Secure's Runald says he's not ready to call it a botnet yet.

ESET's Abrams, however, argues otherwise: "Conficker is a botnet. It has the ability to be remote-controlled, and is an automated program," he says. "The signs of botnet activity are that it will look outside for instructions and can download and execute code."

Because of its botnet-like command-and-control channel, Conficker is not a classic worm. It does propagate like a worm, though, exploiting machines that haven't installed the MS08-067 patch, which Microsoft issued back in October for Windows 2000, XP, and Server 2003 systems. Conficker's creators have been cranking out new variants of the worm to evade detection, and infection requires no action on the part of the PC user.

Although no one is sure what Conficker is ultimately up to, its creators are obviously not amateurs. "It's professionally coded, [and] it's still alive after four months, despite our efforts to kill it," F-Secure's Runald notes. "It took us some time to figure out how to remove it fully. They've implemented new code continuously, and it uses new technologies that barely have been used before, [like the] MD6 encryption."

Still, more treacherous botnets are out there even if Conficker were to officially launch as a botnet. "Botnets that facilitate identity theft and fraud are more damaging," SecureWorks' Stewart says.

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...
