Notorious Conficker Worm Still Alive And Infecting Unpatched PCs
Wily worm still confounds researchers, but no official botnet activity reported as of yet
March 26, 2009
What started as a massive worm infection of more than 8 million machines earlier this year, and then was whittled down to around 2 million, is now back in the spotlight again.
The so-called Conficker worm (a.k.a. Conficker/Downadup) is being billed as the next possible April Fool's Day threat. Machines infected with the third and latest version of the worm -- Conficker.C -- are expected to "phone home" and receive their updates on April 1.
But security experts say not to expect any major Conficker event on April 1.
What's most perplexing, they say, is that Conficker is still alive and well, despite all of the negative attention it has garnered. Conficker became notorious enough to prompt Microsoft to form the Conficker Cabal, a coalition of security vendors and organizations dedicated to killing it. Microsoft even offered a $250,000 bounty for information that helps in the arrest and conviction of the perpetrators behind Conficker.
Although Conficker.C appears to be programmed to run a new algorithm for domain-name generation on April 1, infected machines don't actually need to check in with command and control, and can get their updates at any time: "It doesn't really need those domain names to be updated" because it's peer-to-peer, says Joe Stewart, director of malware research for SecureWorks.
"It's unlikely anything will happen on the first [of April]," says Patrik Runald, chief security advisor for F-Secure, which has been following Conficker for months. "Considering all the attention going on about April 1st, why would they do something that day? The group behind it could as easily do something on April 4th or April 10th."
And most of the infected machines have the older Conficker.B variant, anyway, which isn't scheduled for activity on April 1, according to F-Secure.
But Randy Abrams, director of technical education for ESET, says there's no way to know for sure at this point what will happen that day. "It could be that it does nothing, and April 1 was a joke, diversion, or aborted plan. Or it could be the launch of a massive spam run, DDoS, or infrastructure attack. We really can't say," Abrams says.
So why worry about Conficker if it hasn't really done any visible damage thus far? "Because there are still 1 to 2 million computers out there that are infected, and they could potentially do a lot of harm to the rest of the Internet," F-Secure's Runald says.
The worm initially hit enterprises hard, but many organizations have been able to clean up their internal machines, thanks to Microsoft's efforts, as well as the various vendors that released prevention and cleanup tools for Conficker. "We saw it spreading extremely fast within internal networks [at first]. Now it's a combination of corporate and end users who haven't patched their computers for whatever reason," Runald says.
But with no official sign that the infected machines are ready to spam or inflict a distributed denial-of-service (DDoS) attack, security experts disagree about whether Conficker is a botnet-in-waiting. SecureWorks' Stewart says he hasn't witnessed any profit motive or attack activity that would point to a botnet, and F-Secure's Runald says he's not ready to call it a botnet yet.
ESET's Abrams, however, argues otherwise: "Conficker is a botnet. It has the ability to be remote-controlled, and is an automated program," he says. "The signs of botnet activity are that it will look outside for instructions and can download and execute code."
Conficker is not a classic worm due to its botnet-like command-and-control channel. It does propagate like a worm, though, exploiting machines that haven't installed the MS08-067 Windows patch for Windows 2000, XP, and Server 2003 systems issued by Microsoft back in October. Conficker's creators have been cranking out new variants of the worm to evade detection, and infection requires no action on the part of the PC user.
Although no one is sure what Conficker is ultimately up to, its creators are obviously not amateurs. "It's professionally coded, [and] it's still alive after four months, despite our efforts to kill it," F-Secure's Runald notes. "It took us some time to figure out how to remove it fully. They've implemented new code continuously, and it uses new technologies that barely have been used before, [like the] MD6 encryption."
Still, more treacherous botnets are out there even if Conficker were to officially launch as a botnet. "Botnets that facilitate identity theft and fraud are more damaging," SecureWorks' Stewart says.
Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message
About the Author
You May Also Like