Why the Conficker Worm Is Still Plaguing Windows Users

Conficker just won't go away. Despite the efforts of the security community and the presence of numerous tools for detection and removal, the worm is still trying to infect as many as 50,000 new Microsoft Windows PCs a day. The question is: why?

Perhaps it should come as no surprise that after the Internet failed to implode after April 1, the hype surrounding the Conficker worm died down.

The worm itself, however, is still alive kicking. So the question is - why?

According to Symantec, the worm is still attempting to infect 50,000 new PCs daily. Earlier this month, IBM's X-Force team reported the number of IPs infected with Conficker variants C, D and E using the worm's peer-to-peer protocol has remained roughly the same since April.

All this, despite the fact Microsoft has had a patch out for the vulnerability the earliest variants of the worm targeted for several months and the numerous detection/removal tools. In some ways, the worm's persistence almost becomes something to admire.

"Downadup/Conficker continues to be an issue for a number of reasons," Dean Turner, director of Global Intelligence Network at Symantec, noted in an e-mail. "Patch rates can vary and this means that some systems may still be vulnerable. Even if a system has been patched, if the threat existed on the system before patching, there is still a chance that it is present on systems that have not been updated with the latest anti-virus/IPS signatures or have not had a removal tool run on the system."

Some of the spread is undoubtedly due to users being behind in their patches, which is always a problem. Some of that is due to enterprises needing to test patches before deployment; other times it's due to the ignorance of the user. But researchers at SecureWorks also speculated the worm's ability to propagate through USB devices has also aided its spread.

That attack vector is more likely to impact universities and businesses, as is the worm's ability to spread via network shares with weak passwords. In response, researchers have urged organizations to use strong passwords and to disable Windows' AutoRun feature on computers on their network.

"Good security software will detect and remove Conficker but again many people simply do not have the software in place or have allowed it to become out of date, leaving themselves open to attack," said Richard Wang, manager at SophosLabs US. "There are more than enough people who do not patch and have poor security and password policies in place to allow a widespread threat such as Conficker to continue to find targets. For example, SophosLabs continue to see e-mail sent by computers infected with worms such as MyDoom, which is five years old."

While there has been plenty of speculation about how attackers would monetize Conficker, there has been relatively little in the way of income-producing activity tied to the worm. It has been tied to schemes meant to trick victims into paying for rogue anti-virus software, but not much else, if anything.

"The people behind this threat have been relatively quiet since the .E variant and we speculate that they may simply be biding their time before utilizing the current network of compromised hosts," Turner said. "Given the number of hosts that were originally compromised, we are encouraged by a downward trend in the number of Downadup/Conficker hosts that we see. This does not mean, however, that we should let down our guard - regardless of the number of systems currently compromised, the potential exists for the people behind this threat to utilize it to drop other threats or further compromise systems."