Vulnerabilities / Threats

9/29/2009
04:44 PM
Conficker Showdown: No End In Sight

Reinfected machines likely part of the 5.5 to 6 million-strong Conficker headcount

Security researchers have picked it apart, vendors have banded together to fight it, and most users have at least heard of it after it made the mainstream media for a possible April 1 activation that never happened -- but the Conficker worm just won't go away. Its bot count has remained steady at around 6 million machines since this summer. And no one really knows what its operators have in store for all of that firepower.

"We continue to see infection rates at a very high level, especially for the A and B variants [of Conficker]," says Andre DiMino, director of the Shadowserver Foundation, which tracks Conficker infections for the Conficker Working Group. "We've done a good job at getting a grasp on Conficker itself and its architecture, and have also had great response from groups within the Conficker Working Group. Now we just need to be a little more aggressive in remediation and with more awareness to really make a concerted effort to get this thing cleaned up."

What concerns security researchers is that despite all of the resources and attention being poured into eradicating Conficker -- Microsoft even offers a $250,000 bounty to catch the people behind the worm -- infections just keep coming worldwide. "It continues to be a giant engine idling, and we wait and see what they're going to do with it," DiMino says.

DiMino worries that all of the hype surrounding the April Fool's Day Conficker event that never was has lulled users into a false sense of security, leaving them believing they are immune to Conficker and regarding it as old hat compared with other threats.

But no current threats exist with the volume of infections Conficker has amassed, according to Shadowserver's calculations. Even as it experienced a typical slight weekend dip, Conficker was still at 5.5 million infected IP addresses as of yesterday for A and B variants, down from 6 million on Friday. Shadowserver's data shows most of the infected machines in Brazil and China, with Vietnam not far behind.

Microsoft, meanwhile, says that of all of the attacks exploiting the MS08-067 vulnerability, Conficker accounts for more than 3 million threat reports versus about a half million for all other threats exploiting the bug, which can allow remote code execution via a rogue RPC request handled by the Microsoft Windows Server Service. Microsoft researchers presented that and other data at the Virus Bulletin conference in Geneva last week.

Security experts say Conficker's sheer size has a lot to do with how difficult it is to fully remove it from an infected machine. Mikko Hypponen, chief research officer at F-Secure, says many of the infected machines are ones that were reinfected with Conficker.

"It sets very tricky ACL rights to files and registry keys it creates," Hypponen says. "Removing it manually is almost impossible. And making [Conficker removal] tools available took much longer than with any other worm, as this one was so complicated." Marcus Sachs, director of the SANS Internet Storm Center, says Conficker is able to snap up so many victims because so many machines on the Internet, a very large attack surface, aren't properly patched. "It is highly likely that many machines that were previously infected, then cleaned, got reinfected due to users either not finishing the cleaning by applying the patches [closing the hole that allowed the infection in the first place], which then leads to a subsequent reinfection, or by accidentally uninstalling the patch or update that closed the hole," Sachs says. "But there are hundreds of millions of computers on the Internet. That is a large attack surface, and it's possible that Conficker can still claim millions more victims just due to user carelessness."

F-Secure and Microsoft are among the security vendors that offer Conficker removal tools. Hypponen says most of the infected machines are from Brazil, China, Vietnam, Russia, Indonesia, India, the Philippines, Thailand, South Korea, and Ukraine. "The USA is at the bottom of the list. Conficker is not a major problem in the U.S. or Europe anymore," he says.

Although the numbers aren't broken down by consumers versus businesses, most security experts say Conficker is mainly a consumer and small to midsize business problem, especially among SMBs in developing nations. According to recent data from Damballa, Conficker is no longer one of the top 10 botnets infecting enterprises.

The C variant of Conficker is decreasing, while infection rates of the A and B version are on the rise, according to F-Secure's Hypponen.

"[Conficker] will never stop spreading. There are tons of computers out there that can still get infected. Users just don't get it. And there's just so much a single working group can do," he says. "Still, I do think the Conficker Working Group is the best example of cross-industry cooperation I've seen in my 19-year career in this field."

No one knows for sure what Conficker's operators plan to do with the botnet. And researchers won't comment on any clues or information they have gathered on the bad guys behind it. "The malware writers were obviously professionals. Conficker's main goal is to spread to as many machines as possible and eventually build a network of computers, which they can use to install other malware through an update mechanism," Microsoft researchers wrote in their paper for the Virus Bulletin conference.

Shadowserver's DiMino says it's hard to tell whether the same gang behind Conficker is still pulling the strings, or whether it has "co-opted" with another group. "Are we at a high-noon standoff with the Conficker guys right now? It's hard to say. But potential for harm is great, and that's why we have to try to stay in lock-step with them," he says.

So far, Conficker hasn't been used for large DDoS botnets as was once feared, SANS ISC's Sachs says. "It might be an out-of-control experiment, it might be a test to see how well the responders respond, or it might be the seeds of a future attack that we have not thought of yet," Sachs says. "Only time will tell."


Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...
