
8 Reasons Conficker Malware Won't Die

Poor corporate password practices and continuing use of Autorun help explain why eradicating this three-year-old worm has been so difficult.

Obstinate. That's how Microsoft has labeled Conficker, which, despite being three years old and targeted for eradication, continues to survive--and even thrive--in corporate networks.

As recently as the fourth quarter of 2011, Conficker variants launched 59 million attacks against 1.7 million unique PCs, according to the latest installment of the Microsoft Security Intelligence Report, which reviewed attack trends for the second half of 2011. Whereas most malware disproportionately affects consumers, the report found that Conficker is "more prevalent on domain-joined computers," meaning business machines.

Here are eight reasons why killing Conficker remains so tough:

1. Conficker was built to topple business networks. Conficker is designed to persist. All of the worm's payload traffic is encrypted, making infections difficult to spot. The worm can also disable many types of free antivirus software as well as Microsoft Windows Update, thereby disabling automatic security updates. That not only buys the worm time to spread, but can provide a toehold for other malicious software, thus compounding businesses' security problems.


2. The worm spreads via Autorun. More recent variations of Conficker attempt to auto-execute via Autorun, which helps it spread not just via network shares, but also USB keys and other types of removable storage. Accordingly, Microsoft has recommended disabling Autorun.

3. Weak passwords help Conficker. When Conficker first infects a PC, it attempts to use the user's current credentials to copy itself to administrative shares, thereby spreading the infection. If that fails, the worm switches to a more aggressive approach. "Conficker has a small dictionary of passwords that is used in a brute-force attack against other machines in the network, and it continues to be surprisingly effective," said Wolfgang Kandek, CTO of Qualys, in a blog post. How weak or common are these passwords? Try words or numbers such as 0000, 1111, Admin, and coffee. "[Conficker's] dictionary attack is very basic and is prevented even by enforcing simple password composition policies, i.e. adding [numbers] and special characters to only alpha-type passwords," he said.
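The composition policy Kandek describes is simple to express as a check. The following is an added example (not code from the article, Qualys or Microsoft): it rejects passwords found in a small weak-password dictionary and passwords that are alpha-only or digit-only, which is exactly the class a dictionary like Conficker's is built to guess. The dictionary entries beyond the four named in the article, the minimum length and the sample accounts are constructed for this example.

```python
import re

# Constructed weak-password list for this example. The article names 0000, 1111,
# Admin and coffee as the kind of entry in Conficker's small dictionary; the
# remaining entries are added here as common defaults.
WEAK_PASSWORDS = {"0000", "1111", "admin", "coffee", "password", "123456"}

MIN_LENGTH = 8  # assumption of this example; the article states no length


def password_policy_violations(password: str) -> list[str]:
    """Return the policy rules a password fails; an empty list means it passes.

    The rules mirror the article's advice: reject entries from the dictionary
    and reject alpha-only (or digit-only) passwords by requiring a letter, a
    digit and a special character together.
    """
    problems = []
    if password.lower() in WEAK_PASSWORDS:
        problems.append("in weak-password dictionary")
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not re.search(r"[A-Za-z]", password):
        problems.append("no letter")
    if not re.search(r"[0-9]", password):
        problems.append("no digit")
    if not re.search(r"[^A-Za-z0-9]", password):
        problems.append("no special character")
    return problems


def audit_accounts(accounts: dict[str, str]) -> dict[str, list[str]]:
    """Audit an account -> password mapping; return only the failing accounts."""
    report = {}
    for name, password in accounts.items():
        violations = password_policy_violations(password)
        if violations:
            report[name] = violations
    return report


if __name__ == "__main__":
    # Constructed sample accounts; the passwords are deliberately weak examples.
    sample = {
        "svc_backup": "coffee",
        "helpdesk": "Admin",
        "printsrv": "0000",
        "jdoe": "Tr0ub4dor&3",
    }
    for account, violations in audit_accounts(sample).items():
        print(f"{account}: {', '.join(violations)}")
```

In practice the dictionary check matters most for service and local administrator accounts, which are the ones the worm's credentials reuse and admin-share copying rely on; the composition rules are the part a domain password policy can enforce directly.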

4. Conficker can remain dormant. If, after trying all of the above, Conficker still fails to spread to admin shares, it will simply hibernate. What brings it back to life? That would be an administrator, using admin credentials to log onto the machine, perhaps while investigating a user's reports of suspicious behavior. Once the PC has been accessed using admin credentials, the worm will again attempt to use these permissions to copy itself around the network.

5. Conficker spreads without bugs. Most malware targets known vulnerabilities. But according to Microsoft, the above password-attack vectors accounted for "100% of all recent infection attempts from Conficker targeting ... users on Windows 7 and Windows Vista platforms." Likewise, 91% of Conficker attacks against Windows 2003 machines targeted passwords, while only 9% targeted a vulnerability patched by Microsoft in October 2008.
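Because the attack vector on Windows 7 and Vista is credential guessing rather than an exploit, the evidence it leaves is a burst of failed logons from one workstation against several hosts. The following detection logic is an added example, not code from the article or Microsoft: it runs a sliding window over failed-logon records shaped like Windows Security event 4625 and flags any source that fails repeatedly against multiple target hosts within a few minutes. The records, thresholds, host names and timestamps are constructed for this example; real data would be collected from each host's Security log.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Thresholds are assumptions of this example, not values from the article.
WINDOW = timedelta(minutes=5)
MIN_FAILURES = 10
MIN_TARGET_HOSTS = 3


def constructed_failed_logons():
    """Constructed sample records shaped like Windows Security event 4625
    (failed logon): (timestamp, source workstation, target host, account)."""
    base = datetime(2012, 4, 30, 1, 10, 0)
    hosts = ["FILESRV1", "FILESRV2", "DC01"]
    rows = []
    # One workstation failing 12 times in under three minutes across three
    # hosts: the footprint of a small dictionary tried against admin shares.
    for i in range(12):
        rows.append((base + timedelta(seconds=15 * i), "WS-042", hosts[i % 3], "Administrator"))
    # A user mistyping a password twice on one host: below every threshold.
    rows.append((base + timedelta(minutes=1), "WS-007", "FILESRV1", "jdoe"))
    rows.append((base + timedelta(minutes=1, seconds=20), "WS-007", "FILESRV1", "jdoe"))
    return rows


def find_dictionary_attack_sources(events, window=WINDOW, min_failures=MIN_FAILURES,
                                   min_hosts=MIN_TARGET_HOSTS):
    """Return {source: (failure_count, sorted target hosts)} for every source
    whose failed logons inside one sliding window reach min_failures and touch
    at least min_hosts distinct hosts. The count is the largest such window."""
    by_source = defaultdict(list)
    for ts, src, host, _account in events:
        by_source[src].append((ts, host))

    flagged = {}
    for src, items in by_source.items():
        items.sort()
        start = 0
        for end in range(len(items)):
            # Slide the window start forward until it spans at most `window`.
            while items[end][0] - items[start][0] > window:
                start += 1
            span = items[start:end + 1]
            hosts = {host for _, host in span}
            if len(span) >= min_failures and len(hosts) >= min_hosts:
                if src not in flagged or len(span) > flagged[src][0]:
                    flagged[src] = (len(span), sorted(hosts))
    return flagged


if __name__ == "__main__":
    results = find_dictionary_attack_sources(constructed_failed_logons())
    for src, (count, hosts) in results.items():
        print(f"{src}: {count} failed logons against {', '.join(hosts)}")
```

Requiring several distinct target hosts is what separates the worm's lateral guessing from a single user locked out of one server; tune the window and counts to the normal failed-logon rate of the environment before alerting on them.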

6. Repeat outbreaks are common. Conficker's continued spread highlights the ongoing use of weak passwords. "During the first quarter of 2011, the average number of times Conficker attacked a single computer was 15, but by the fourth quarter that number had more than doubled to 35," reported Microsoft. The sheer volume of repeat attacks suggests that businesses are failing to eradicate Conficker from every PC inside the enterprise after they detect an infection. As a result, copies of the worm persist, triggering subsequent outbreaks.

7. Virtualization may stoke the worm's spread. Some security watchers see virtualization as another culprit behind Conficker's continued existence. "'VM sprawl'--or the idea that a virtual machine can be easily created and then archived--means there are many virtual machines offline without security updates. Then, when these machines are brought back online, they can get re-infected very easily," said Kapil Raina, a director at Zscaler, via email. "With today's move to the cloud and leveraging services like AWS EC2, there are many, many virtual machines without proper patching. It's like a time bomb waiting to happen when they come back online."

8. Businesses ignore security basics. Want to keep Conficker out of your enterprise? Keep antivirus definitions up to date, disable Autorun, and assess any potential risk you could face if your company uses outdated, virtualized operating systems.

Finally, get tough on passwords. "A single computer with a weak password could easily be enough to cause a major disruption inside a corporate network, especially considering the increasing trend in the number of Conficker attacks per computer," said Joe Blackbird of the Microsoft Malware Protection Center (MMPC), in a blog post.

Comments
Bprince, User Rank: Ninja, 5/1/2012 | 1:11:51 AM
re: 8 Reasons Conficker Malware Won't Die
The fact that this is still spreading to this extent to me is a major fail for security...especially the password issue...
Brian Prince, InformationWeek/Dark Reading Comment Moderator