Venerable Conficker Worm Survives on Obsolete Legacy Systems

By Robert Lemos  |  Posted 2016-06-13
Conficker Malware

Currently, Malaysia, Brazil and Romania account for the greatest traffic from Conficker, according to F-Secure data. While the United States generally tops the list of total malware infections, the nation is edged out by India for Conficker infections, according to Check Point's data. Security firms' views of threats such as Conficker generally depend on the makeup of their customer bases, so their infection-rate statistics often disagree, as they do here.

The 2008 vulnerability exploited by Conficker, identified as MS08-067 or CVE-2008-4250, is a flaw in the Windows Server service that is reachable through the remote procedure call (RPC) service. On unpatched versions of Windows 2000, Windows XP and Windows Server 2003, an attacker who can reach that service over the network can execute arbitrary code without authenticating, which is what made the flaw wormable and left such systems extremely vulnerable to attack and exploitation.

On unpatched versions of Windows Vista and Windows Server 2008, the vulnerable code can be reached only by an authenticated user, which somewhat blunts the worm's impact on those systems.

Conficker also featured a major advance in malware: the domain-generation algorithm (DGA), which derives a seemingly random but fully predictable list of rendezvous domains from the current date, so that neither the binary nor its traffic reveals a fixed command-and-control address. Conficker.A and Conficker.B generated 250 domains a day and polled each one for instructions from the operator controlling the compromised computers.

When defenders, including the Conficker Working Group, systematically bought or reserved every domain the code would generate, the creator of Conficker adapted. Conficker.C generated 50,000 candidate domains a day and contacted only a few hundred of them, far more names than defenders could register pre-emptively.
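The two preceding paragraphs describe the attacker and defender sides of the same computation: a date-seeded DGA on the infected host, and a working group precomputing the identical list to register or sinkhole it. The following added example (not code from the article or from Conficker; the hash, seed value, TLD pool and label lengths are hypothetical stand-ins for whatever a real sample uses) shows both sides, plus a check of DNS queries against the precomputed set, and ends by contrasting a week of output at 250 and at 50,000 domains a day.

```python
"""Date-seeded domain-generation algorithm (DGA) and the defender's
pre-computation of the same list.

Added example code; it is NOT Conficker's real algorithm. The hash
function, seed value, TLD pool and label lengths are hypothetical."""
import hashlib
from datetime import date, timedelta

TLDS = ("com", "net", "org", "info", "biz")   # hypothetical TLD pool
DEFAULT_SEED = b"example-seed"                 # stands in for a secret baked into the binary


def _as_date(day):
    """Accept a date or an ISO string such as "2009-01-01"."""
    return date.fromisoformat(day) if isinstance(day, str) else day


def generate_domains(day, count=250, seed=DEFAULT_SEED):
    """Return `count` rendezvous domains for `day`.

    Only the date and the seed go into the hash, so the operator and every
    infected host independently compute the same list, and so can anyone
    who has reverse-engineered the seed out of the binary."""
    day = _as_date(day)
    domains = []
    for i in range(count):
        material = seed + day.isoformat().encode() + i.to_bytes(4, "big")
        h = hashlib.sha256(material).digest()
        length = 8 + h[0] % 4                                   # 8..11 letters
        label = "".join(chr(ord("a") + b % 26) for b in h[1:1 + length])
        domains.append(f"{label}.{TLDS[h[-1] % len(TLDS)]}")
    return domains


def precompute_sinkhole(start, days, per_day=250, seed=DEFAULT_SEED):
    """Defender side: every domain the worm will try from `start` for `days`
    days, i.e. the list a working group would register or sinkhole."""
    start = _as_date(start)
    out = set()
    for offset in range(days):
        out.update(generate_domains(start + timedelta(days=offset), per_day, seed))
    return out


def flag_queries(queries, sinkhole):
    """Match DNS queries (source, name) against the precomputed set; a hit
    identifies an internal host that is polling the DGA domains."""
    flagged = []
    for src, name in queries:
        norm = name.lower().rstrip(".")
        if norm in sinkhole:
            flagged.append((src, norm))
    return flagged


if __name__ == "__main__":
    start = "2009-01-01"
    sinkhole = precompute_sinkhole(start, days=7)
    # constructed DNS log: (source IP, queried name)
    dns_log = [
        ("10.0.0.5", generate_domains(start)[17] + "."),
        ("10.0.0.9", "www.example.com"),
        ("10.0.0.5", generate_domains("2009-01-04")[2]),
    ]
    for src, name in flag_queries(dns_log, sinkhole):
        print(f"{src} queried DGA domain {name}")
    # Why the jump to 50,000 a day hurt defenders: a week of output at the
    # two rates.
    print(len(sinkhole), "domains to register for a week at 250/day")
    print(len(precompute_sinkhole(start, days=7, per_day=50_000)),
          "domains to register for a week at 50,000/day")
```

The defender's advantage here is that the seed, once extracted from a sample, is as good as the operator's copy; the attacker's counter-move, as the article notes, is to make the daily list so large that registering it all costs more than the sinkhole is worth.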

Currently, the biggest problem with Conficker is the service disruption and degraded performance it causes on the local network as it keeps trying to spread. Like the older Nimda worm, Conficker can cause significant disruption once it gains a foothold in a network. It spreads quickly through shared network drives that either have no password or use one of the 243 common passwords the worm tries in turn.
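The guessing described above leaves a characteristic trace on the file servers being attacked: a burst of failed network logons from one source, often followed by a success once a weak password matches. The following added example (not from the article; the event lines are constructed and their one-line format is hypothetical, standing in for Windows Security-log events 4625 and 4624 with logon type 3) runs a sliding-window detection over such events and reports which account a guessing source eventually logged on as.

```python
"""Spot Conficker-style password guessing against shares in Windows logon events.

Added example, not from the article. The events are constructed here; in a
real deployment they would be Security-log event 4625 (failed logon) and
4624 (successful logon) records with logon type 3 (network), forwarded from
file servers. Line format (hypothetical, one event per line):
    <ISO timestamp> <event id> <source IP> <account name> <logon type>"""
from collections import defaultdict, deque
from datetime import datetime, timedelta


def constructed_events():
    """Constructed sample: one infected host guesses 30 passwords for the
    administrator account in 15 seconds and then gets in; a legitimate
    user mistypes a password twice and then succeeds."""
    base = datetime(2016, 6, 1, 9, 0, 0)
    ev = []
    for i in range(30):
        ts = base + timedelta(milliseconds=500 * i)
        ev.append(f"{ts.isoformat()} 4625 10.1.1.23 administrator 3")
    ev.append(f"{(base + timedelta(seconds=16)).isoformat()} 4624 10.1.1.23 administrator 3")
    ev.append(f"{(base + timedelta(minutes=2)).isoformat()} 4625 10.1.1.40 jsmith 3")
    ev.append(f"{(base + timedelta(minutes=2, seconds=5)).isoformat()} 4625 10.1.1.40 jsmith 3")
    ev.append(f"{(base + timedelta(minutes=2, seconds=9)).isoformat()} 4624 10.1.1.40 jsmith 3")
    return ev


def parse_event(line):
    ts, event_id, src, user, logon_type = line.split()
    return datetime.fromisoformat(ts), int(event_id), src, user, int(logon_type)


def detect_bruteforce(lines, threshold=20, window=timedelta(seconds=60)):
    """Sliding-window count of failed network logons per source IP.

    Returns {src: {...}} for every source that produced `threshold` or more
    failures inside `window`; `success_after` records the account that later
    logged on from that source, i.e. a share the guessing most likely opened.
    Events are assumed to arrive in chronological order."""
    recent = defaultdict(deque)      # src -> deque of (timestamp, account) failures
    alerts = {}
    for line in lines:
        ts, event_id, src, user, logon_type = parse_event(line)
        if logon_type != 3:          # only network logons, i.e. share access
            continue
        if event_id == 4625:
            q = recent[src]
            q.append((ts, user))
            while ts - q[0][0] > window:
                q.popleft()
            if len(q) >= threshold:
                a = alerts.setdefault(src, {"failures": 0, "first": q[0][0],
                                            "accounts": set(), "success_after": None})
                a["failures"] = max(a["failures"], len(q))
                a["accounts"].update(u for _, u in q)
        elif event_id == 4624 and src in alerts:
            alerts[src]["success_after"] = user
    return alerts


if __name__ == "__main__":
    for src, a in detect_bruteforce(constructed_events()).items():
        print(f"{src}: {a['failures']} failures since {a['first']} against "
              f"{sorted(a['accounts'])}; later logged on as {a['success_after']}")
```

The threshold and window are tuning knobs: a worm working through a fixed password list fails far faster than any human, so a low threshold over a short window separates the two cleanly, and a source that alerts and then succeeds is the host to pull off the network first.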

When he worked as an information technology administrator, Sullivan had one client, a law firm, that experienced problems with its voice-over-IP connectivity. Sullivan discovered that old Windows XP systems that were on the same network as the VoIP conference rooms were infected with Conficker, he said.

"One infected machine will bang on all the others on the network," Sullivan said. "If you have one bad egg in the network, then 999 machines are unhappy."

Conficker infection traffic continues to emanate from some 600,000 IP addresses, according to data from the Conficker Working Group, a group of researchers that attempted to eradicate the worm and continues to track it.

Until the old systems die, Conficker will continue to be a problem, Joe Stewart, director of malware research at Dell Secureworks and a member of the original Conficker Working Group, told eWEEK.

"There are plenty of people out there who have old computers—in many cases, pirated computers," he said. "They have turned off Windows update and have no motivation to fix them … so they are not going to be upgraded, and they are too old to put Windows 10 on. So we just have to wait for hard drive failure."
