Venerable Conficker Worm Survives on Obsolete Legacy Systems

The 8-year-old worm continues to infect in some corners of the Internet, highlighting the difficulty in eradicating more virulent programs.

Conficker Malware

On Oct. 23, 2008, Microsoft revealed a critical flaw that could allow an attacker to remotely compromise and infect Windows XP, Windows 2000 and Windows Server 2003 systems.

It took only a week for the Internet's seedier element to create the first malware based on the vulnerability. While initial attacks targeted specific companies and infected fewer than a dozen systems a day, the situation was much worse a month later when an unknown malware developer released a self-propagating worm.

The program, called Conficker, spread quickly by automatically infecting vulnerable systems. Subsequent versions of the program—especially Conficker.C, released in February 2009—spread even more rapidly and added techniques to evade antivirus defenses.

Today, Conficker lives on, despite repeated efforts to eradicate the worm and the end of product support for the affected Windows versions. In its March 2016 threat update, for example, security firm Check Point Software Technologies revealed that Conficker made up 20 percent of the attacks recognized by its systems.

Other security firms confirm that Conficker continues to be a significant issue for many companies. In its Security Intelligence Report, Microsoft found Conficker to be the sixth most prevalent attack on server systems and 39th overall. Security firm F-Secure found Conficker accounting for about 0.6 percent of all malware detected at the end of 2015, sharing the top spot with a newer worm known as Njw0rm.

While Conficker's prevalence is due partly to its ability to spread quickly inside a network using shared disks, and its visibility is magnified by the enormous amount of traffic the program generates, many companies do not rate it a high-priority threat, said Maya Horowitz, a threat intelligence researcher with Check Point, in an e-mail interview with eWEEK.

"It's often not immediately perceived as a serious threat, especially in comparison to other cyber-attacks like ransomware—so it flies under the radar," she said. "As a result, it has successfully been able to propagate widely."

Conficker's virulence has made the program the cockroach of the Internet. A $250,000 bounty along with a working group focused on the threat and the security industry's efforts to mitigate Conficker have not managed to eradicate the worm and its variants.

While many companies have blocked the worm in their networks—whether by patching or upgrades—aging and vulnerable legacy systems connected to the Internet continue to harbor the malware, experts told eWEEK.

In particular, developing economies—where a significant fraction of businesses are only now transitioning online—tend to have more legacy computers and, thus, a higher prevalence of Conficker infections, noted Sean Sullivan, a security advisor with F-Secure. A significant number of systems in African nations, such as Oman, show signs of Conficker infections.

"As we expand into markets that haven't traditionally had good [network] hygiene, we are seeing more Conficker," he said.

Robert Lemos

Robert Lemos is an award-winning freelance journalist who has covered information security, cybercrime and technology's impact on society for almost two decades. A former research engineer, he's...