Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

3/31/2009
06:17 PM
Connect Directly
LinkedIn
Twitter
RSS
E-Mail
50%
50%

Conficker's April Fools' Day Update Begins With A Yawn

The worm was designed initially to exploit a Microsoft Windows vulnerability that was patched last October.

It's April 1 in Asia and Australia at the moment and the Conficker worm is busily expanding the list of domains from which it seeks instructions.

The results so far recall the Y2K crisis: Lots of worry, but not much impact.

"Conficker has activated," said Patrik Runald, chief security adviser at F-Secure, in a blog post on Tuesday. "So far nothing has actually happened."

This nonevent, however, is apparently news, if the volume of commentary coming from security researchers and echoed in the press is any measure. Thanks to the rise of news aggregation services like Google News, once a nonevent reaches critical mass, every industry observer and media outlet is more or less obligated to weigh in.

The chatter among security professionals is almost uniformly nonchalant.

"Over the next 24 hours Conficker will change the way it communicates, but we don't expect much of anything else to happen," said Marcus Sachs, director of the SANS Internet Storm Center, in a blog post. "There has been quite a bit of media hype about Conficker, and we've seen dozens of new domain names registered to 'help' those who are confused. There are also several reports of malicious software masquerading as detection and cleaning tools for Conficker-infected computers."

The Conficker/Downadup worm was designed initially to exploit a Microsoft Windows vulnerability that was patched (MS08-067) last October. Since then, it has been updated several times. Now in its fourth iteration, it has developed multiple avenues of infection, including USB devices and brute-force password guessing. It also uses a variety of sophisticated techniques to evade detection and to maintain its command-and-control channel, including a pseudo-random algorithm for generating the domains it uses to receive commands.

Somewhere between 1 million and 2 million computers are believed to be actively infected with the malware, down from almost 9 million in January. According to IBM ISS Managed Security Services, the largest number of infections (45%) are in Asia, followed by Europe (31%), South America (13.6%), and North America (5.8%), with the remainder in the Middle East, Africa, and elsewhere.

The reason that IBM ISS knows this is that one of its researchers, Mark Yason, succeeded last week in cracking the worm's peer-to-peer communication scheme. This has allowed IBM to see Conficker bots hiding in the machines of customers of its managed security service, as well as those outside its purview, bots around the globe trying to communicate with their peers.

Holly Stewart, IBM ISS X-Force threat response manager, attributes the widespread interest in Conficker to the aggressive way in which it spreads and to its sophistication, with several propagation methods and a peer-to-peer communication system.

But really, there's no reason that anyone's computer should still be infected, given the variety of Conficker detection and removal tools out there. Even the Department of Homeland Security is getting into the act and offering Conficker mitigation software for government agencies and enterprises.


2009 marks the 12th year that InformationWeek will be monitoring changes in security practices through our annual research survey. Find out more, and take part.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
News
Inside the Ransomware Campaigns Targeting Exchange Servers
Kelly Sheridan, Staff Editor, Dark Reading,  4/2/2021
Commentary
Beyond MITRE ATT&CK: The Case for a New Cyber Kill Chain
Rik Turner, Principal Analyst, Infrastructure Solutions, Omdia,  3/30/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-2509
PUBLISHED: 2021-04-17
A command injection vulnerability has been reported to affect QTS and QuTS hero. If exploited, this vulnerability allows attackers to execute arbitrary commands in a compromised application. We have already fixed this vulnerability in the following versions: QTS 4.5.2.1566 Build 20210202 and later Q...
CVE-2020-36195
PUBLISHED: 2021-04-17
An SQL injection vulnerability has been reported to affect QNAP NAS running Multimedia Console or the Media Streaming add-on. If exploited, the vulnerability allows remote attackers to obtain application information. QNAP has already fixed this vulnerability in the following versions of Multimedia C...
CVE-2021-29445
PUBLISHED: 2021-04-16
jose-node-esm-runtime is an npm package which provides a number of cryptographic functions. In versions prior to 3.11.4 the AES_CBC_HMAC_SHA2 Algorithm (A128CBC-HS256, A192CBC-HS384, A256CBC-HS512) decryption would always execute both HMAC tag verification and CBC decryption, if either failed `JWEDe...
CVE-2021-29446
PUBLISHED: 2021-04-16
jose-node-cjs-runtime is an npm package which provides a number of cryptographic functions. In versions prior to 3.11.4 the AES_CBC_HMAC_SHA2 Algorithm (A128CBC-HS256, A192CBC-HS384, A256CBC-HS512) decryption would always execute both HMAC tag verification and CBC decryption, if either failed `JWEDe...
CVE-2021-29451
PUBLISHED: 2021-04-16
Portofino is an open source web development framework. Portofino before version 5.2.1 did not properly verify the signature of JSON Web Tokens. This allows forging a valid JWT. The issue will be patched in the upcoming 5.2.1 release.