On Oct. 23, 2008, Microsoft revealed a critical flaw that could allow an attacker to remotely compromise and infect Windows XP, Windows 2000 and Windows Server 2003 systems.
It took only a week for the Internet’s seedier element to create the first malware based on the vulnerability. While initial attacks targeted specific companies and infected fewer than a dozen systems a day, the situation was much worse a month later when an unknown malware developer released a self-propagating worm.
The program, called Conficker, spread quickly by automatically infecting vulnerable systems. Subsequent versions of the program—especially Conficker.C, released in February 2009—spread even more rapidly and added techniques to evade antivirus defenses.
Today, Conficker continues to live on, despite repeated efforts to eradicate the worm and the end of product support for the affected Windows versions. In its March 2016 threat update, for example, security firm Check Point Software Technologies revealed that Conficker made up 20 percent of the attacks recognized by its systems.
Other security firms confirm that Conficker continues to be a significant issue for many companies. In its Security Intelligence Report, Microsoft found Conficker to be the sixth most prevalent attack on server systems and 39th overall. Security firm F-Secure found Conficker accounting for about 0.6 percent of all malware detected at the end of 2015, sharing the top spot with a newer worm known as Njw0rm.
While Conficker’s prevalence is due partly to its ability to spread quickly inside a network using shared disks, and its visibility is magnified by the enormous amount of traffic the program generates, many companies do not rate it a high-priority threat, said Maya Horowitz, a threat intelligence researcher with Check Point, in an e-mail interview with eWEEK.
“It’s often not immediately perceived as a serious threat, especially in comparison to other cyber-attacks like ransomware—so it flies under the radar,” she said. “As a result, it has successfully been able to propagate widely.”
Conficker’s virulence has made the program the cockroach of the Internet. A $250,000 bounty along with a working group focused on the threat and the security industry’s efforts to mitigate Conficker have not managed to eradicate the worm and its variants.
While many companies have blocked the worm in their networks—whether by patching or upgrades—aging and vulnerable legacy systems connected to the Internet continue to harbor the malware, experts told eWEEK.
In particular, developing economies—where a significant fraction of businesses are only now transitioning online—tend to have more legacy computers and, thus, a higher prevalence of Conficker infections, noted Sean Sullivan, a security advisor with F-Secure. A significant number of systems in African nations, such as Oman, show signs of Conficker infections.
“As we expand into markets that haven’t traditionally had good [network] hygiene, we are seeing more Conficker,” he said.
Venerable Conficker Worm Survives on Obsolete Legacy Systems
Currently, Malaysia, Brazil and Romania account for the greatest traffic from Conficker, according to F-Secure data. While the United States generally tops the list of total malware infections, the nation is edged out by India for Conficker infections, according to Check Point’s data. A security firm’s view of threats such as Conficker generally depends on the makeup of its customer base and, thus, infection-rate statistics from different firms often do not agree, as in this case.
The 2008 vulnerability exploited by Conficker, identified as MS08-067 or CVE-2008-4250, affects Windows systems that allow access via the remote procedure call (RPC) service. On unpatched versions of Windows XP, Windows 2000 and Windows 2003, an attacker can gain remote access without authentication, leaving such systems extremely vulnerable to attack and exploitation.
Unpatched versions of Windows Vista and Windows Server 2008 allow only authenticated users to access the system, somewhat blunting the impact of the worm on those systems.
Conficker also featured a major advance in malware: the domain-generation algorithm, a technique that produces domain names that look random but are fully predictable to anyone who knows the algorithm. Conficker.A and Conficker.B generated 250 domains a day, and then checked each domain for communications from the operator that controlled the computers compromised by the worm.
When defenders, including the Conficker Working Group, systematically bought or reserved every domain generated by the programs, the creator of Conficker adapted. Conficker.C generated 50,000 domain names.
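The defensive lever the working group used follows directly from the property described above: because the list of candidate domains is determined by the date, a defender who knows the algorithm can compute the same list in advance, register or sinkhole it, and match DNS query logs against it to find infected hosts. The following Python is an added example and is not Conficker’s algorithm or any code from the working group; the toy generator (SHA-256 over a date and counter, with an assumed constant `SEED`), the 250-per-day count and the DNS log format are all constructed for illustration.

```python
import hashlib
import string
from datetime import date

# Hypothetical toy DGA for illustration only; it is NOT Conficker's algorithm.
# It has the one property the article describes: output that looks random but
# is fully determined by the date, so a defender who knows the algorithm can
# compute the same list in advance.
TLDS = ("com", "net", "org")
SEED = "toy-dga-example"  # assumed constant baked into the hypothetical malware


def generate_domains(day, count=250, seed=SEED):
    """Return the `count` candidate domains the toy DGA yields for `day`."""
    domains = []
    for i in range(count):
        digest = hashlib.sha256(f"{seed}|{day.isoformat()}|{i}".encode()).digest()
        # Ten bytes of the digest become a ten-letter label; one more picks the TLD.
        label = "".join(string.ascii_lowercase[b % 26] for b in digest[:10])
        tld = TLDS[digest[10] % len(TLDS)]
        domains.append(f"{label}.{tld}")
    return domains


def find_dga_lookups(dns_log_lines, day, count=250):
    """Match DNS query log lines against the day's precomputed DGA set.

    Log format assumed here (constructed for the example):
        <ISO timestamp> <client_ip> query <domain>
    Returns (client_ip, domain) pairs, in log order, that hit the DGA set.
    """
    expected = set(generate_domains(day, count))
    hits = []
    for line in dns_log_lines:
        parts = line.split()
        if len(parts) != 4 or parts[2] != "query":
            continue  # skip malformed or non-query lines
        client, domain = parts[1], parts[3].rstrip(".").lower()
        if domain in expected:
            hits.append((client, domain))
    return hits


# Constructed sample log: two clients resolving domains from the day's set,
# plus ordinary traffic and one malformed line.
SAMPLE_DAY = date(2016, 3, 1)
_todays = generate_domains(SAMPLE_DAY)
SAMPLE_LOG = [
    "2016-03-01T10:00:01 10.0.0.5 query www.example.com",
    f"2016-03-01T10:00:02 10.0.0.5 query {_todays[3]}.",
    "2016-03-01T10:00:03 10.0.0.7 query mail.example.org",
    "garbage line",
    f"2016-03-01T10:00:04 10.0.0.9 query {_todays[117].upper()}",
]


def demo():
    """Run the matcher over the constructed log."""
    return find_dga_lookups(SAMPLE_LOG, SAMPLE_DAY)


if __name__ == "__main__":
    for client, domain in demo():
        print(f"{client} resolved DGA domain {domain}")
```

The matcher normalizes trailing dots and case before comparing, since resolvers log both forms; the point of the example is that the same 250 names are reachable by both sides, which is why the move to 50,000 names per day in Conficker.C made pre-registration impractical.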
Currently, the biggest problem with Conficker is that it can cause service disruptions and slow performance on the local network because it continues to try to spread virulently. Conficker—like another older worm, Nimda—can cause significant disruptions once it gains a foothold in a network. The worm spreads quickly through shared network drives that either have no password or use one of 243 common passwords that the program attempts by brute force.
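The brute-force behaviour just described leaves a distinctive trace: one source host producing a burst of failed share logons against many different machines on the LAN. The following Python is an added detection example, not code from any of the firms quoted in the article; the event schema (`Event` with timestamp, source, target, account and outcome), the thresholds and the sample events are all constructed for illustration and would need to be mapped onto a real log source.

```python
from collections import defaultdict, namedtuple
from datetime import datetime, timedelta

# One share-authentication event. The field set is an assumption for this
# example, not the schema of any particular product's log.
Event = namedtuple("Event", "ts src target account outcome")


def find_spraying_sources(events, window=timedelta(minutes=5),
                          max_failures=20, min_targets=3):
    """Flag source hosts whose failed share logons look like worm brute forcing.

    A source is flagged when, inside any `window`, it produced at least
    `max_failures` failed logons spread over at least `min_targets` distinct
    target hosts. Returns {src: {"failures": n, "targets": m, "first_seen": ts}}
    describing the busiest such window per source.
    """
    failures = defaultdict(list)
    for ev in events:
        if ev.outcome == "FAILURE":
            failures[ev.src].append((ev.ts, ev.target))

    flagged = {}
    for src, fails in failures.items():
        fails.sort()  # by timestamp
        start = 0
        for end in range(len(fails)):
            # Slide the window start forward until it spans at most `window`.
            while fails[end][0] - fails[start][0] > window:
                start += 1
            count = end - start + 1
            targets = {target for _, target in fails[start:end + 1]}
            if count >= max_failures and len(targets) >= min_targets:
                best = flagged.get(src)
                if best is None or count > best["failures"]:
                    flagged[src] = {"failures": count, "targets": len(targets),
                                    "first_seen": fails[start][0]}
    return flagged


def build_sample_events():
    """Constructed sample: one noisy host and one ordinary user on the same LAN."""
    base = datetime(2016, 3, 1, 9, 0, 0)
    shares = ["FS01", "FS02", "PRINT01", "HR-PC7"]
    events = []
    # Noisy host: 40 failed logons against four hosts, three seconds apart.
    for i in range(40):
        events.append(Event(base + timedelta(seconds=3 * i), "10.1.2.44",
                            shares[i % len(shares)], "administrator", "FAILURE"))
    # Ordinary user: two typos against one server, then a successful logon.
    for i, outcome in enumerate(["FAILURE", "FAILURE", "SUCCESS"]):
        events.append(Event(base + timedelta(seconds=10 + 20 * i), "10.1.2.7",
                            "FS01", "jsmith", outcome))
    return events


if __name__ == "__main__":
    for src, info in find_spraying_sources(build_sample_events()).items():
        print(f"{src}: {info['failures']} failed logons against "
              f"{info['targets']} hosts, first seen {info['first_seen']}")
```

Requiring both a high failure count and several distinct targets is what separates the worm pattern from a single user locking themselves out of one server; the window and thresholds are starting points to tune against a network’s normal failure rate.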
When he worked as an information technology administrator, Sullivan had one client, a law firm, that experienced problems with its voice-over-IP connectivity. Sullivan discovered that old Windows XP systems that were on the same network as the VoIP conference rooms were infected with Conficker, he said.
“One infected machine will bang on all the others on the network,” Sullivan said. “If you have one bad egg in the network, then 999 machines are unhappy.”
Conficker infection traffic continues to emanate from some 600,000 IP addresses, according to data from the Conficker Working Group, a group of researchers that attempted to eradicate the worm and continue to track it.
Until the old systems die, Conficker will continue to be a problem, Joe Stewart, director of malware research at Dell Secureworks and a member of the original Conficker Working Group, told eWEEK.
“There are plenty of people out there who have old computers—in many cases, pirated computers,” he said. “They have turned off Windows update and have no motivation to fix them … so they are not going to be upgraded, and they are too old to put Windows 10 on. So we just have to wait for hard drive failure.”