Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

8 Reasons Conficker Malware Won't Die

Poor corporate password practices and continuing use of Autorun help explain why eradicating this three-year-old worm has been so difficult.

Obstinate. That's how Microsoft has labeled Conficker, which, despite being three years old and targeted for eradication, continues to survive--and even thrive--in corporate networks.

As recently as the fourth quarter of 2011, Conficker variants launched 59 million attacks against 1.7 million unique PCs, according to the latest installment of the Microsoft Security Intelligence Report, which reviewed attack trends for the second half of 2011. Whereas most malware disproportionately affects consumers, the report found that Conficker is "more prevalent on domain-joined computers," meaning business machines.

Here are eight reasons why killing Conficker remains so tough:

1. Conficker was built to topple business networks. Conficker is designed to persist. All of the worm's payload traffic is encrypted, making infections difficult to spot. The worm can also disable many types of free antivirus software as well as Microsoft Windows Update, thereby disabling automatic security updates. That not only buys the worm time to spread, but can provide a toehold for other malicious software, thus compounding businesses' security problems.

[ Is Apple's 'Walled Garden' Approach To Security Becoming Obsolete? Read more at After Flashback, Apple Walled Gardens Won't Help. ]

2. The worm spreads via Autorun. More recent variations of Conficker attempt to auto-execute via Autorun, which helps it spread not just via network shares, but also USB keys and other types of removable storage. Accordingly, Microsoft has recommended disabling Autorun.

3. Weak passwords help Conficker. When Conficker first infects a PC, it attempts to use the user's current credentials to copy itself to administrative shares, thereby spreading the infection. If that fails, the worm switches to a more aggressive approach. "Conficker has a small dictionary of passwords that is used in a brute-force attack against other machines in the network, and it continues to be surprisingly effective," said Wolfgang Kandek, CTO of Qualys, in a blog post. How weak or common are these passwords? Try words or numbers such as 0000, 1111, Admin, and coffee. "[Conficker's] dictionary attack is very basic and is prevented even by enforcing simple password composition policies, i.e. adding [numbers] and special characters to only alpha-type passwords," he said.

4. Conficker can remain dormant. If, after trying all of the above, Conficker still fails to spread to admin shares, it will simply hibernate. What brings it back to life? That would be an administrator, using admin credentials to log onto the machine, perhaps while investigating a user's reports of suspicious behavior. Once the PC has been accessed using admin credentials, the worm will again attempt to use these permissions to copy itself around the network.

5. Conficker spreads without bugs. Most malware targets known vulnerabilities. But according to Microsoft, the above password-attack vectors accounted for "100% of all recent infection attempts from Conficker targeting ... users on Windows 7 and Windows Vista platforms." Likewise, 91% of Conficker attacks against Windows 2003 machines targeted passwords, while only 9% targeted a vulnerability patched by Microsoft in October 2008.

6. Repeat outbreaks are common. Conficker's continued spread highlights the ongoing use of weak passwords. "During the first quarter of 2011, the average number of times Conficker attacked a single computer was 15, but by the fourth quarter that number had more than doubled to 35," reported Microsoft. The sheer volume of repeat attacks suggest that businesses are failing to eradicate Conficker from every PC inside the enterprise after they detect an infection. As a result, copies of the worm persist, triggering subsequent outbreaks.

7. Virtualization may stoke the worm's spread. Some security watchers see virtualization as another culprit behind Conficker's continued existence. "'VM sprawl'--or the idea that a virtual machine can be easily created and then archived--means there are many virtual machines offline without security updates. Then, when these machines are brought back online, they can get re-infected very easily," said Kapil Raina, a director at Zscaler, via email. "With today's move to the cloud and leveraging services like AWS EC2, there are many, many virtual machines without proper patching. It's like a time bomb waiting to happen when they come back online."

8. Businesses ignore security basics. Want to keep Conficker out of your enterprise? Keep antivirus definitions up to date, disable Autorun, and assess any potential risk you could face if your company uses outdated, virtualized operating systems.

Finally, get tough on passwords. "A single computer with a weak password could easily be enough to cause a major disruption inside a corporate network, especially considering the increasing trend in the number of Conficker attacks per computer," said Joe Blackbird of the Microsoft Malware Protection Center (MMPC), in a blog post.

InformationWeek is conducting a survey to get a baseline look at where enterprises stand on their IPv6 deployments, with a focus on problem areas, including security, training, budget, and readiness. Upon completion of our survey, you will be eligible to enter a drawing to receive an 16-GB Apple iPad. Take our InformationWeek IPv6 Survey now. Survey ends May 11.

Comment  | 
Print  | 
More Insights
Comments
Threaded  |  Newest First  |  Oldest First
Bprince
50%
50%
Bprince,
User Rank: Ninja
5/1/2012 | 1:11:51 AM
re: 8 Reasons Conficker Malware Won't Die
The fact that this is still spreading to this extent to me is a major fail for security...especially the password issue...
Brian Prince, InformationWeek/Dark Reading Comment Moderator
News
FluBot Malware's Rapid Spread May Soon Hit US Phones
Kelly Sheridan, Staff Editor, Dark Reading,  4/28/2021
Slideshows
7 Modern-Day Cybersecurity Realities
Steve Zurier, Contributing Writer,  4/30/2021
Commentary
How to Secure Employees' Home Wi-Fi Networks
Bert Kashyap, CEO and Co-Founder at SecureW2,  4/28/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-31755
PUBLISHED: 2021-05-07
An issue was discovered on Tenda AC11 devices with firmware through 02.03.01.104_CN. A stack buffer overflow vulnerability in /goform/setmac allows attackers to execute arbitrary code on the system via a crafted post request.
CVE-2021-31756
PUBLISHED: 2021-05-07
An issue was discovered on Tenda AC11 devices with firmware through 02.03.01.104_CN. A stack buffer overflow vulnerability in /gofrom/setwanType allows attackers to execute arbitrary code on the system via a crafted post request. This occurs when input vector controlled by malicious attack get copie...
CVE-2021-31757
PUBLISHED: 2021-05-07
An issue was discovered on Tenda AC11 devices with firmware through 02.03.01.104_CN. A stack buffer overflow vulnerability in /goform/setVLAN allows attackers to execute arbitrary code on the system via a crafted post request.
CVE-2021-31758
PUBLISHED: 2021-05-07
An issue was discovered on Tenda AC11 devices with firmware through 02.03.01.104_CN. A stack buffer overflow vulnerability in /goform/setportList allows attackers to execute arbitrary code on the system via a crafted post request.
CVE-2021-31458
PUBLISHED: 2021-05-07
This vulnerability allows remote attackers to execute arbitrary code on affected installations of Foxit Reader 10.1.1.37576. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the handlin...