A year after Conficker sprang into the public consciousness, the notorious Windows worm continues to claim millions of victims. While the hype has died down, the worm remains an example of the dangers of cutting-edge malware and how cooperation in the security community can make the difference.
The Conficker worm struck Windows computers this past year with the force of a tsunami and swept away illusions of security in the minds of its victims. But after the overhyped April 1, 2009 deadline passed quietly, interest among the general public started to dwindle, and for some the malware became just another entry on an ever-growing list of cyber-threats.
The worm itself, however, did not disappear. Today, roughly a year after its appearance, Conficker is still resident on millions of systems around the world. From its innovation to its persistence, Conficker has emerged as a stark example of the dangers of malware and poor patching practices, and of what the security community can accomplish by working together.
"This certainly is one of the most sophisticated pieces of malware that we've ever seen, and that's why the security industry continues to be interested in it in spite of the fact that not a lot has happened over the course of the past year," said Tom Cross, manager of IBM X-Force Advanced Research. "Lots of people have said this is not interesting anymore and stopped paying attention, but those of us who are responsible for this stuff [are] still watching."
Those watching remember that the worm first crept into the public consciousness in November 2008, when Microsoft reported the worm was targeting a vulnerability in the Windows Server service. Microsoft had already issued a rare out-of-band patch for the flaw the previous month, in light of limited attacks against it by malware such as the Gimmiv Trojan. Just before the start of the year, Microsoft officials once again advised organizations to apply the patch.
By then, Conficker B was out. The malware authors would go on to update the worm multiple times, with each version adding a new twist to its functionality. Just how many machines are infected with the worm is unknown. According to the Conficker Working Group, as of Oct. 28, 2009, more than 7 million unique IPs infected with Conficker variants A, B and C had connected to the group's tracking systems. Unique IP addresses are only a proxy for infected hosts: NAT hides many machines behind one address, while DHCP churn can count one machine several times. Many of the new infections are happening outside the United States, in countries like Brazil.
That there could be so many machines still infected with the worm doesn't surprise Eric Sites, a member of the Conficker Working Group and CTO of Sunbelt Software.
"Given the level of the attack and the reinfection rates we've seen, this is not surprising," he said. "Above all, it's a reminder of how few people actually patch their systems on a regular basis. Despite the fact that Microsoft came out with a patch in October 2008, before Conficker took hold, the numbers of infected skyrocketed and continue to be very high."
Failure to patch systems and applications is often cited as a common cause of hacks and security breaches. But also problematic is the fact that the worm spread in a number of ways: the Microsoft vulnerability, USB devices (via autorun) and network shares protected only by weak or guessable passwords are all attack vectors, depending on the variant. A network that patched the Server service flaw but left autorun on and weak share passwords in place was still exposed.
"By combining multiple techniques, including auto-run programs to infect USB keys, the worm was able to replicate itself without direction from its creators, which facilitated the spread," Sites said. "Companies were cleaning the same PCs several times only to see them reinfected."
Part of the challenge with Conficker is the cleaning process. The malware blocked access to known security sites, making it difficult for victims to download removal tools from vendors like Symantec, McAfee and others, so an infected machine could not fetch its own cure and tools had to be brought in from a clean host. The manual removal process is "a whopper," said Mikko Hyppönen, chief research officer at F-Secure.
"Conficker was tricky in many ways, but many organizations had really depressing incidents where they pulled a huge effort to clean up a large network, only to have it reinfected in hours," he said. "It requires careful planning to prevent this."
That sentiment could explain why the worm continues to plague Windows computers roughly a year after it first appeared. If nothing else, its authors were innovative, as illustrated by their use of the MD6 cryptographic hash, then a brand-new SHA-3 candidate, to validate the worm's own updates. They also upped the ante by adding self-defense mechanisms to the worm in some of the updates, such as the ability to disable security services like Automatic Updates. Given all this, it is perhaps wishful thinking to assume other black hats won't copy Conficker's tactics.
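The symptoms described in the cleaning section and in the paragraph above (security vendor sites unreachable, Automatic Updates switched off, removable-drive autorun still enabled) are the conditions that made reinfection so easy, and they are cheap to check for. The following PowerShell triage script is an added example, not code from the article or the Conficker Working Group. It assumes a Windows host with PowerShell 3.0 or later, run from an elevated prompt; the vendor host list and the function names are my own choices, not anything the article specifies.

```powershell
# Added example: host triage for the three conditions the article describes.
# Not code from the article or the Conficker Working Group. Assumes Windows,
# PowerShell 3.0+, elevated prompt. Vendor hosts below are a constructed list.

$VendorHosts = @('www.microsoft.com', 'www.symantec.com', 'www.mcafee.com', 'www.f-secure.com')

function Test-AutomaticUpdates {
    # $true when the Automatic Updates service (wuauserv) is running and not disabled.
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='wuauserv'"
    if ($null -eq $svc) {
        Write-Warning 'wuauserv service not found'
        return $false
    }
    $ok = ($svc.StartMode -ne 'Disabled') -and ($svc.State -eq 'Running')
    if (-not $ok) {
        Write-Warning ("Automatic Updates: State={0} StartMode={1}" -f $svc.State, $svc.StartMode)
    }
    return $ok
}

function Test-RemovableAutorunDisabled {
    # NoDriveTypeAutoRun is a bitmask of drive types with autorun turned off;
    # bit 0x04 covers removable drives and 0xFF turns it off everywhere.
    # The machine policy key is consulted before the per-user one.
    $paths = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    )
    foreach ($p in $paths) {
        $v = (Get-ItemProperty -Path $p -Name NoDriveTypeAutoRun -ErrorAction SilentlyContinue).NoDriveTypeAutoRun
        if ($null -ne $v) {
            $disabled = (($v -band 0x04) -ne 0)
            if (-not $disabled) {
                Write-Warning ("{0}: NoDriveTypeAutoRun=0x{1:X} leaves removable-drive autorun on" -f $p, $v)
            }
            return $disabled
        }
    }
    Write-Warning 'NoDriveTypeAutoRun not set; removable-drive autorun is not disabled by policy'
    return $false
}

function Test-SecuritySiteReachability {
    # Returns the vendor hosts that fail to resolve. A failure is only a hint:
    # it needs a working network path, and a worm can block access in ways
    # other than breaking DNS.
    $failed = @()
    foreach ($h in $VendorHosts) {
        try {
            [void][System.Net.Dns]::GetHostAddresses($h)
        } catch {
            Write-Warning ("{0}: lookup failed ({1})" -f $h, $_.Exception.Message)
            $failed += $h
        }
    }
    return $failed
}

# Run the three checks and print a one-object summary.
$updatesOk   = Test-AutomaticUpdates
$autorunOff  = Test-RemovableAutorunDisabled
$unreachable = Test-SecuritySiteReachability

[PSCustomObject]@{
    AutomaticUpdatesRunning  = $updatesOk
    RemovableAutorunDisabled = $autorunOff
    UnreachableSecuritySites = ($unreachable -join ', ')
}
```

A clean result from this script does not mean the host is clean; it only flags the conditions that made Conficker hard to remove and quick to come back. Its value is in running it across a whole network before and after a cleanup, since the point the article makes is that one machine left with autorun on or updates off reinfects the rest within hours.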
"I haven't seen any particular pieces of malware that I felt borrowed from Conficker," Cross noted. "But I think that Conficker will have an influence on other malware authors. Conficker sort of demonstrated a successful peer-to-peer communications technique that might be adopted by [others]. ... So I would not be surprised to see other malware that comes out in the future that borrows some of these techniques."
The mystery surrounding Conficker (who is controlling all these infected nodes, what do they plan to do with them, and so on) has only served to keep the security community focused, Cross said. That may be the best thing about the worm: it caused the security community to come together. The Conficker Working Group, whose membership includes Microsoft, Afilias, Symantec and others, continues to fight the malware and track infection rates around the world.
"Over my 20-year career in information security, Conficker Working Group has been the single best example of cross-industry co-operation," declared Hyppönen, noting the cooperation went beyond traditional security companies to include CERTs, registrars and others.
Sites agreed, adding it is likely that similar partnerships will be seen again.
"There was an immediate collaboration among the top AV researchers and vendors, and the Conficker Working Group was created in short order as a think tank and a mechanism for sharing what we were all learning," he said. "Although we probably won't see a threat of this magnitude for some time, if ever again, I certainly expect that this collaboration will continue. We have a vested interest in helping each other as we battle the cyber-criminal element together."