A new variant of a worm that exploits a vulnerability patched by Microsoft in October has infected millions of users, security researchers say. According to experts, the Conficker worm is using multiple mechanisms to spread.
It seems you just can't keep a good worm down.
Nearly two months after Microsoft
first warned of the Conficker worm
targeting a vulnerability in its Server
service, the number of infected computers is growing rapidly. While there
is some dispute about the number of infections-F-Secure puts it
at approximately 9 million, though others dispute that-the general consensus
from companies such as Symantec and Kaspersky Lab is that the number
of infections is in the millions.
At the moment, security
researchers can only speculate
as to what the intentions of the authors of
the worm are. Some security researchers have suggested there may be plans in
the works to use the infected computers as a massive botnet.
"[We] haven't seen it download anything yet," noted Joe Stewart,
director of malware research at SecureWorks. "Technically it already is a
botnet, but it just is lacking a viable C&C [command and control] server at
the moment. That could change at any time."
The worm is also referred to by security vendors as Downadup
and Kido. Besides targeting the Microsoft
flaw, which was patched in October,
the latest variant is also spreading
through removable media as well as by copying itself to network shares by
guessing weak passwords.
These days, network worms need different mechanisms to make their way onto a
corporate network, explained Roel Schouwenberg, senior anti-virus researcher at
"Given the way that the majority of ISPs and corporations function
these days-they block quite a number of network ports-it's very hard for a
network worm to get in from the outside," Schouwenberg said. "During
2008 we've seen a huge uprise in the amount of malware that was replicated via
Windows' AutoRun functionality-USB
devices-and they are successful in getting onto networks from the inside. So
what I think is likely happening is that infected USB
sticks are being brought into corporate networks, infecting one workstation, [from]
which in turn [the malware] starts to spread across the LAN."
Still, data from application scanning vendor Qualys indicates that many
people have yet to apply the patch released by Microsoft. Qualys CTO
Wolfgang Kandek said more than 50 percent of machines were patched after about
30 days. The rate of patching diminished after that, however, apparently
leaving millions of machines vulnerable.
"Unfortunately this leaves enough machines to be exploited by the
Conficker worm types even today, over 45 days later," Kandek said.
"We would have liked to see a faster reaction by the computer users given
the significance of the patch, but there still seems to be a barrier to reach[ing]
everybody and mak[ing] them understand the urgency of patching."
For its part, Microsoft updated its Malicious Software Removal Tool in
January to help users clean the latest variant of the worm from their systems.
"The current damage is the mess it causes to
networks it infects in terms of cleaning it up from all the computers and USB or
network drives, without having it reinfect the computers that have already been
cleaned," Stewart said. "Once it starts dropping payloads, we'll have
a better idea of what it's designed to really do. I'm putting my money on it
installing rogue AV."