With a suspected April 1 trigger, Conficker is set to rear its ugly head again. eWEEK Labs examines the worm's potential for problems, and why the vulnerability it exploits should cause IT managers to think twice about Windows upgrades--and alternatives to Windows.
Conficker is a work of malware that, in the form of multiple variants, has
been worming its way through unpatched Windows desktop and server machines for
the past four months.
Conficker has garnered mainstream attention of late due to an April 1
trigger that researchers have identified in the most recent variant of the
worm. On this date, it appears that Conficker-infected machines will change the
way that they "phone home" to fetch new code and instructions from
whoever holds the worm's reins.
In October 2008 Microsoft released a fix for the vulnerability that
Conficker exploits, in a patch that Microsoft deemed critical enough to release
outside of its typical Patch Tuesday schedule. Still, enough Windows machines
have remained unpatched for Conficker to spread to what security researchers
estimate to be millions of machines.
Presumably, the goal of Conficker's controllers involves the creation of a
botnet that would carry out illegal machine-based activities by proxy, but
there's no telling exactly what the worm's makers have in mind.
The prescription for Conficker prevention is prompt system patching
(particularly when Microsoft singles out a fix for out-of-band distribution),
combined with client firewall and anti-virus software for blocking the worm's
activities and detecting and eliminating the malware where it surfaces.
In addition, members of the security community have prepared a set of freely
available tools to aid in Conficker detection and removal for infected systems
on your network.
More broadly, Conficker calls attention to the problems inherent in
deploying client systems that offer up network-facing services to anonymous
nodes, and highlights the importance of watching more closely the privileges
granted to the system-level applications that run on mainstream operating
Moreover, because Windows Vista and Windows Server 2008 machines have proved
to be significantly less vulnerable to Conficker than systems running Windows
2000, XP and Server 2003, the worm also highlights the very real consequences
of stepping off the so-called operating system upgrade treadmill. For all its
hardware refresh requirements, potentially unwanted feature adjustments and
software incompatibility wrinkles, Vista includes
security enhancements that blunted the effect of Conficker on unpatched
It's up to companies to consider whether to interpret all of this as a call
to approach Windows upgrades-and their associated costs-with greater alacrity,
or to step up evaluation of OS alternatives, such as Linux, with less upgrade
friction and a better defined road map around trusted OS technologies.
How Does Conficker Work?
Conficker's primary means of propagation involves exploiting a buffer
overflow vulnerability in Windows' Server system service, which is responsible
for, among other things, enabling the sharing of local resources, such as disks
and printers, with other machines on a network.
Conficker exploits this vulnerability to execute code on Windows systems,
without requiring a system's user to open any file or visit any particular Web
site-and without regard to whether a user is running with administrative or
Windows 2000, XP and Server 2003 are particularly vulnerable to Conficker
because the affected Server service on these systems is configured to permit
access from anonymous users. In October 2008, Microsoft provided information on
removing the ACL (access control list) entry
that permits this anonymous access, but since the ACL
involved is hard-coded into the Windows DLL, this access modification would
have had to be made after every boot.
With Windows Vista, Windows Server 2008 and the development builds of
Windows 7, the vulnerable service limits access to authenticated users by
default, but enabling the no-password file-sharing option on these systems
would restore anonymous access-and vulnerability to Conficker.
Unpatched Windows XP SP2, Vista and Server 2008
machines shipped out of the box with Windows' firewall enabled to block the
vulnerable RPC (remote procedure call) interface, but the common firewall
exception that enables file and print sharing opened the door to Conficker.
Even with a firewall exception, however, Vista and
Server 2008 machines would allow access to the vulnerable service only from
other machines in the same network zone. For instance, sharing a resource on a private
network would not permit access to Conficker-infected nodes.
Firewall and service authentication requirements aside, Windows Vista and
Server 2008 worked to mitigate Conficker infection with Address
Space Layout Randomization
, which, combined with the Data Execution Protection
introduced in XP SP2, makes it significantly more difficult
to exploit buffer overflow vulnerabilities such as the one targeted by