The Conficker worm struck Windows computers this past year with the force of a tsunami and swept away illusions of security in the minds of its victims. But after the overhyped April 1 deadline passed quietly, interest in the general public started to dwindle, and the malware for some became just another entry on an ever-growing list of cyber-threats.
The worm itself however did not disappear. Today, roughly a year after its appearance, Conficker is still resting on millions of systems around the world. From its innovation to its persistence, Conficker has emerged as a stark example of the dangers of malware, poor patching practices and what the security community can accomplish by working together.
“This certainly is one of the most sophisticated pieces of malware that we’ve ever seen, and that’s why the security industry continues to be interested in it in spite of the fact that not a lot has happened over the course of the past year,” said Tom Cross, manager of IBM X-Force Advanced Research. “Lots of people have said this is not interesting anymore and stopped paying attention, but those of us who are responsible for this stuff [are] still watching.”
Those watching remember that the worm first crept into the public consciousness in November 2008, when Microsoft reported the worm was targeting a vulnerability in their Server service. Microsoft had already issued a rare out-of-band patch for the flaw the previous month in light of limited attacks against it by malware such as the Gimmiv Trojan. Just before the start of the year, Microsoft officials once again advised organizations to apply the patch.
By then, Conficker B was out. The malware authors would go on to update the worm multiple times, with each version providing a new twist on its functionality. Just how many machines are infected with the worm is unknown. According to the Conficker Working Group, as of Oct. 28, 2009, there were more than 7 million unique IPs infected with Conficker variants A, B and C connecting to the group’s tracking systems. Many of the new infections are happening outside the United States in countries like Brazil.
That there could be so many machines still infected with the worm doesn’t surprise Eric Sites, a member of the Conficker Working Group and CTO of Sunbelt Software.
“Given the level of the attack and the reinfection rates we’ve seen, this is not surprising,” he said. “Above all, it’s a reminder of how few people actually patch their systems on a regular basis. Despite the fact that Microsoft came out with a patch in October 2008, before Conficker took hold, the numbers of infected skyrocketed and continue to be very high.”
Patching systems and applications is often cited as a common cause for hacks and security breaches. But also problematic is the fact that the worm spread in a number of ways-the Microsoft vulnerability, USB devices and unprotected file shares are all attack vectors depending on the variant.
“By combining multiple techniques, including auto-run programs to infect USB keys, the worm was able to replicate itself without direction from its creators, which facilitated the spread,” Sites said. “Companies were cleaning the same PCs several times only to see them reinfected.”
Part of the challenge with Conficker is the cleaning process. The malware blocked access to known security sites, making it difficult for victims to download removal tools from vendors like Symantec, McAfee and others. The manual removal process is “a whopper,” said Mikko Hypp??Ã©nen, chief research officer at F-Secure.
“Conficker was tricky in many ways, but many organizations had really depressing incidents where they pulled a huge effort to clean up a large network, only to have it reinfected in hours,” he said. “It requires careful planning to prevent this.”
That sentiment could explain why the worm continues to plague Windows computers roughly a year after it first appeared. If nothing else, its authors were innovative-illustrated by their use of the MD6 cryptographic hash. They also upped the ante by adding self-defense mechanisms into the worm as part of some of the updates-such as the ability to disable security services like Automatic Update.
Given all this, perhaps it is wishful thinking to assume other black hats won’t copy Conficker’s tactics.
“I haven’t seen any particular pieces of malware that I felt borrowed from Conficker,” Cross noted. “But I think that Conficker will have an influence on other malware authors. Conficker sort of demonstrated a successful peer-to-peer communications technique that might be adopted by [others]. … So I would not be surprised to see other malware that comes out in the future that borrows some of these techniques.”
The mystery surrounding Conficker-who is controlling all these infected nodes, what do they plan to do with them, etc.-has only served to keep the security community focused, Cross said. That may be the best thing about the worm-it caused the security community to come together. The Conficker Working Group-whose membership includes Microsoft, Afilias, Symantec and others-continues to fight the malware and track infection rates around the world.
“Over my 20-year career in information security, Conficker Working Group has been the single best example of cross-industry co-operation,” declared Hypp??Ã©nen, noting the cooperation went beyond traditional security companies to include CERTs, registrars and others.
Sites agreed, adding it is likely that similar partnerships will be seen again.
“There was an immediate collaboration among the top AV researchers and vendors, and the Conficker Working Group was created in short order as a think tank and a mechanism for sharing what we were all learning,” he said. “Although we probably won’t see a threat of this magnitude for some time, if ever again, I certainly expect that this collaboration will continue. We have a vested interest in helping each other as we battle the cyber-criminal element together.”