Dark Reading
Vulnerabilities / Threats
9/29/2009, 04:44 PM
Conficker Showdown: No End In Sight

Reinfected machines likely part of the 5.5 to 6 million-strong Conficker headcount

Security researchers have picked it apart, vendors have banded together to fight it, and most users have at least heard of it after it made the mainstream media for a possible April 1 activation that never happened -- but the Conficker worm just won't go away. Its bot count has remained steady at around 6 million machines since this summer. And no one really knows what its operators have in store for all of that firepower.

"We continue to see infection rates at a very high level, especially for the A and B variants [of Conficker]," says Andre DiMino, director of the Shadowserver Foundation, which tracks Conficker infections for the Conficker Working Group. "We've done a good job at getting a grasp on Conficker itself and its architecture, and have also had great response from groups within the Conficker Working Group. Now we just need to be a little more aggressive in remediation and with more awareness to really make a concerted effort to get this thing cleaned up."

What concerns security researchers is that despite all of the resources and attention being poured into eradicating Conficker -- Microsoft even offers a $250,000 bounty to catch the people behind the worm -- infections just keep coming worldwide. "It continues to be a giant engine idling, and we wait and see what they're going to do with it," DiMino says.

DiMino worries that the hype around the April Fool's Day Conficker event that never materialized has lulled users into a false sense of security, leaving them to believe they are immune to Conficker and to regard it as old hat compared with newer threats.

But no current threat comes close to the volume of infections Conficker has amassed, according to Shadowserver's calculations. Even after a typical slight weekend dip, Conficker still stood at 5.5 million infected IP addresses for the A and B variants as of yesterday, down from 6 million on Friday. Shadowserver's data shows most of the infected machines in Brazil and China, with Vietnam not far behind.

Microsoft, meanwhile, says that of all the attacks exploiting the MS08-067 vulnerability, Conficker accounts for more than 3 million threat reports, versus about half a million for all other malware exploiting the bug. MS08-067, patched in October 2008, is a flaw in the Windows Server service that allows remote code execution via a specially crafted RPC request. Microsoft researchers presented that and other data at the Virus Bulletin conference in Geneva last week.

Security experts say Conficker's sheer size has a lot to do with how difficult it is to fully remove it from an infected machine. Mikko Hypponen, chief research officer at F-Secure, says many of the infected machines are ones that were reinfected with Conficker.

"It sets very tricky ACL rights to files and registry keys it creates," Hypponen says. "Removing it manually is almost impossible. And making [Conficker removal] tools available took much longer than with any other worm, as this one was so complicated."

Marcus Sachs, director of the SANS Internet Storm Center, says Conficker is able to snap up so many victims because so many machines on the Internet aren't properly patched, which presents a large attack surface. "It is highly likely that many machines that were previously infected, then cleaned, got reinfected due to users either not finishing the cleaning by applying the patches [closing the hole that allowed the infection in the first place], which then leads to a subsequent reinfection, or by accidentally uninstalling the patch or update that closed the hole," Sachs says. "But there are hundreds of millions of computers on the Internet. That is a large attack surface, and it's possible that Conficker can still claim millions more victims just due to user carelessness."
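A check that follows from Sachs's point, added here as an editorial example and not taken from the article or from any of the vendors it quotes: the MS08-067 fix shipped as hotfix KB958644 in October 2008, so a host that has been cleaned but still lacks that update can be hit again over the same Server service RPC path. The script below queries the installed-hotfix list and the state of the Server service (LanmanServer) on one or more hosts; the host names passed in are placeholders for illustration.

```powershell
# Added example (not from the article): report whether each host carries the
# MS08-067 fix (KB958644) and whether the Server service the flaw lives in is
# running. Host names supplied to -ComputerName are placeholders.
param(
    [string[]]$ComputerName = @($env:COMPUTERNAME)
)

$Kb = 'KB958644'   # hotfix ID Microsoft shipped for MS08-067 in October 2008

function Test-Ms08067 {
    param([string]$Computer)

    # Get-HotFix reads Win32_QuickFixEngineering. A fix folded into a later
    # service pack, or an OS that shipped after October 2008 (Windows 7,
    # Server 2008 R2), will not show a separate entry, so "absent" here means
    # "verify another way", not "unpatched".
    $fix = Get-HotFix -Id $Kb -ComputerName $Computer -ErrorAction SilentlyContinue

    # LanmanServer is the Server service whose RPC interface MS08-067 exposes.
    $svc = Get-Service -Name LanmanServer -ComputerName $Computer -ErrorAction SilentlyContinue

    [pscustomobject]@{
        Computer      = $Computer
        HotfixPresent = [bool]$fix
        InstalledOn   = if ($fix) { $fix.InstalledOn } else { $null }
        ServerService = if ($svc) { $svc.Status } else { 'unknown' }
        # Reachable over the MS08-067 vector only if the fix is absent AND the
        # Server service is actually running.
        Exposed       = (-not $fix) -and ($svc -and $svc.Status -eq 'Running')
    }
}

foreach ($c in $ComputerName) {
    Test-Ms08067 -Computer $c
}
```

Run it after the removal tool has finished and before the host goes back on the network; a machine that reports `Exposed = True` is a reinfection candidate regardless of how clean its disk looks. The check covers only the MS08-067 vector. Conficker's later variants also spread through removable media and network shares with weak passwords, so a patched host is not automatically safe.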

F-Secure and Microsoft are among the security vendors that offer Conficker removal tools. Hypponen says most of the infected machines are from Brazil, China, Vietnam, Russia, Indonesia, India, the Philippines, Thailand, South Korea, and Ukraine. "The USA is at the bottom of the list. Conficker is not a major problem in the U.S. or Europe anymore," he says.

Although the numbers aren't broken down by consumers versus businesses, most security experts say Conficker is mainly a consumer and small to midsize business problem, especially among SMBs in developing nations. According to recent data from Damballa, Conficker is no longer one of the top 10 botnets infecting enterprises.

The C variant of Conficker is decreasing, while infection rates of the A and B variants are on the rise, according to F-Secure's Hypponen.

"[Conficker] will never stop spreading. There are tons of computers out there that can still get infected. Users just don't get it. And there's just so much a single working group can do," he says. "Still, I do think the Conficker Working Group is the best example of cross-industry cooperation I've seen in my 19-year career in this field."

No one knows for sure what Conficker's operators plan to do with the botnet. And researchers won't comment on any clues or information they have gathered on the bad guys behind it. "The malware writers were obviously professionals. Conficker's main goal is to spread to as many machines as possible and eventually build a network of computers, which they can use to install other malware through an update mechanism," Microsoft researchers wrote in their paper for the Virus Bulletin conference.

Shadowserver's DiMino says it's hard to tell whether the same gang behind Conficker is still pulling the strings, or whether it has "co-opted" with another group. "Are we at a high-noon standoff with the Conficker guys right now? It's hard to say. But potential for harm is great, and that's why we have to try to stay in lock-step with them," he says.

So far, Conficker hasn't been used for large DDoS botnets as was once feared, SANS ISC's Sachs says. "It might be an out-of-control experiment, it might be a test to see how well the responders respond, or it might be the seeds of a future attack that we have not thought of yet," Sachs says. "Only time will tell."

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...