Conficker Showdown: No End In Sight

Reinfected machines likely part of the 5.5 to 6 million-strong Conficker headcount

Dark Reading logo in a gray background | Dark Reading

Security researchers have picked it apart, vendors have banded together to fight it, and most users have at least heard of it after it made the mainstream media for a possible April 1 activation that never happened -- but the Conficker worm just won't go away. Its bot count has remained steady at around 6 million machines since this summer. And no one really knows what its operators have in store for all of that firepower.

"We continue to see infection rates at a very high level, especially for the A and B variants [of Conficker]," says Andre DiMino, director of the Shadowserver Foundation, which tracks Conficker infections for the Conficker Working Group. "We've done a good job at getting a grasp on Conficker itself and its architecture, and have also had great response from groups within the Conficker Working Group. Now we just need to be a little more aggressive in remediation and with more awareness to really make a concerted effort to get this thing cleaned up."

What concerns security researchers is that despite all of the resources and attention being poured into eradicating Conficker -- Microsoft even offers a $250,000 bounty to catch the people behind the worm -- infections just keep coming worldwide. "It continues to be a giant engine idling, and we wait and see what they're going to do with it," DiMino says.

DiMino worries that all of the hype surrounding the April Fool's Day Conficker event that never was lulled users into a false sense of security that they are immune to Conficker, and that it's considered old hat now compared with other threats.

But no current threats exist with the volume of infections Conficker has amassed, according to Shadowserver's calculations. Even as it experienced a typical slight weekend dip, Conficker was still at 5.5 million infected IP addresses as of yesterday for A and B variants, down from 6 million on Friday. Shadowserver's data shows most of the infected machines in Brazil and China, with Vietnam not far behind.

Microsoft, meanwhile, says of all of the attacks exploiting the MS08-067 vulnerability, Conficker accounts for more than 3 million threat reports versus about a half million for all other vulnerabilities exploiting the bug, which can allow remote code execution via a rogue RPC request handled by Microsoft Windows Server Service. Microsoft researchers presented that and other data at the Virus Bulletin conference in Geneva last week.

Security experts say Conficker's sheer size has a lot to do with how difficult it is to fully remove it from an infected machine. Mikko Hypponen, chief research officer F-Secure, says many of the infected machines are ones that were reinfected with Conficker.

"It sets very tricky ACL rights to files and registry keys it creates," Hypponen says. "Removing it manually is almost impossible. And making [Conficker removal] tools available took much longer than with any other worm, as this one was so complicated." Marcus Sachs, director of the SANS Internet Storm Center, says Conficker is able to snap up so many victims because such a large attack surface of machines on the Internet aren't properly patched. "It is highly likely that many machines that were previously infected, then cleaned, got reinfected due to users either not finishing the cleaning by applying the patches [closing the hole that allowed the infection in the first place], which then leads to a subsequent reinfection, or by accidentally uninstalling the patch or update that closed the hole," Sachs says. "But there are hundreds of millions of computers on the Internet. That is a large attack surface, and it's possible that Conficker can still claim millions more victims just due to user carelessness."

F-Secure and Microsoft are among the security vendors that offer Conficker removal tools. Hypponen says most of the infected machines are from Brazil, China, Vietnam, Russia, Indonesia, India, the Philippines, Thailand, South Korea, and Ukraine. "The USA is at the bottom of the list. Conficker is not a major problem in the U.S. or Europe anymore," he says.

Although the numbers aren't broken down by consumers versus businesses, most security experts say Conficker is mainly a consumer and small to midsize business problem, especially among SMBs in developing nations. According to recent data from Damballa, Conficker is no longer one of the top 10 botnets infecting enterprises.

The C variant of Conficker is decreasing, while infection rates of the A and B version are on the rise, according to F-Secure's Hypponen.

"[Conficker] will never stop spreading. There are tons of computers out there that can still get infected. Users just don't get it. And there's just so much a single working group can do," he says. "Still, I do think the Conficker Working Group is the best example of cross-industry cooperation I've seen in my 19-year career in this field."

No one knows for sure what Conficker's operators plan to do with the botnet. And researchers won't comment on any clues or information they have gathered on the bad guys behind it. "The malware writers were obviously professionals. Conficker's main goal is to spread to as many machines as possible and eventually build a network of computers, which they can use to install other malware through an update mechanism," Microsoft researcher wrote in their paper for the Virus Bulletin conference.

Shadowserver's DiMino says it's hard to tell whether the same gang behind Conficker is still pulling the strings, or whether it has "co-opted" with another group. "Are we at a high-noon standoff with the Conficker guys right now? It's hard to say. But potential for harm is great, and that's why we have to try to stay in lock-step with them," he says.

So far, Conficker hasn't been used for large DDoS botnets as was once feared, SANS ISC's Sachs says. "It might be an out-of-control experiment, it might be a test to see how well the responders respond, or it might be the seeds of a future attack that we have not thought of yet," Sachs says. "Only time will tell."

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.

About the Author

Kelly Jackson Higgins, Editor-in-Chief, Dark Reading

Kelly Jackson Higgins is the Editor-in-Chief of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise Magazine, Virginia Business magazine, and other major media properties. Jackson Higgins was recently selected as one of the Top 10 Cybersecurity Journalists in the US, and named as one of Folio's 2019 Top Women in Media. She began her career as a sports writer in the Washington, DC metropolitan area, and earned her BA at William & Mary. Follow her on Twitter @kjhiggins.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like


More Insights