1000 days of Conficker

It has been 1,000 days since the Conficker worm first appeared on November 21, 2008.  For the first two months after its initial appearance we received a trickle of reports through our ThreatSense.NET telemetry system.  By January of 2009 that had become a flood, and then a deluge, as this “super worm” rose to meteoric infection levels.  Since then, Conficker has consistently shown up as one of the top ten infections in our monthly Global Threat Reports, usually in the number one or number two slot.

We have blogged at length about Conficker, provided free tools to remove it, written white papers and even presented on it, as have our colleagues in the anti-malware industry.  Microsoft has released guidance explaining how to patch and protect computers, and the Conficker Working Group toils on in semi-obscurity, providing ISPs with a blocklist of 50,000 pseudo-random domain names that some variants of Conficker use to look for updates in order preempt the worm’s update mechanism.  The worm received massive amounts of attention in the news as April 2009 approached when a change to the worm's update mechanism began.  This change ultimately seemed to have little effect on the worm, though.

As for the Conficker worm itself, it appears to have been abandoned by the criminal gang operating it later in 2009, and in June of this year the FBI and US Department of Justice announced arrests of individuals who may have been its authors.

So why is it that nearly three years later the Conficker worm, running “headless” without Command and Control (C&C), using a three year old exploit and dealt with by all current anti-malware software is still the top of the malware ecosystem?  The answer to that question is complicated, because it lies not in the cyber realm of ones and zeroes, but far above it in circles where questions of doing what’s right and proper give way to concerns of budgets, policies and convenience.  To illustrate this, I would like to share a story with you about a friend of mine we’ll call John (not his real name). 

John works as an administrator at a regional company, where he supports thousands of desktops across several states.  I say support, and not manage or administer, because of the nature of John’s environment:  John’s employer is a business that has grown by acquiring smaller companies.  As  a result the company has dozens –if not hundreds –  of different networks, computers, operating environments, best practices and standards for managing all of these.  In other words, this is an enterprise-sized deployment of, well, workgroups.  While they have made some inroads towards establishing universal standards, the organization’s computer security is still a patchwork at best.  For example, there is no centralized management of security.  That, coupled with the fact that some users still have administrative access to their PCs due to legacy software, means that employees can turn off or even uninstall their antivirus software at will.

And what does this mean for John?  It means that his company’s users have been infected with Conficker somewhere in their company every single day since the worm came out.

While there are technical issues that facilitate this pandemic, the underlying cause is not really technical:  John’s employer has not implemented the means to protect their employees because of the expense of installing a centralized management and security solution: such an implementation also has to factor the cost and inconvenience of replacing legacy programs and computers, and training employees on the replacement systems, in the current economic climate. 

I agree that solving this particular problem will be very costly.  Even using open source software, they are looking at a significant capital expenditure for deployment, and those costs are only going increase with each acquisition.  Of course, the sooner his company switches to a centralized management and security model, the better off they will be, especially when it comes to integrating acquisitions.

While one might have sympathy for John’s employer and understand their desire to fight these hot spots rather than put out the forest fire due to the hit in profitability they’ll take, there’s one other aspect of John’s employer I have not mentioned.

It is in the healthcare business.

In the United States, that means they are subject to HIPAA rules.  While HIPAA is not something we discuss very often because it is complicated and specialized area, a worm traversing networks containing medical records for nearly three years seems like it would be the type of thing HIPAA was meant to address.

So what will it take to finally kill Conficker?  That’s a difficult question to answer.  Clearly, anti-malware software and other technical solutions and prescriptive guidance are not enough, nor is the prospect of being fined for violating industry-specific regulations. 

Some of the most successful actions against botnets have been taken by US authorities acting in conjunction with Microsoft, to shut down such botnets such as Waledac, Coreflood and, most recently, Rustock.  These botnets relied on accessing specific domains or computers for their Command and Control servers and began to vanish as soon as these were seized by the authorities.  While the earliest version of Conficker accessed a single domain, later versions switched to access hundreds and then tens of thousands of random domains on a daily basis, making the worm highly resistant to this type of infrastructural attack.

Providing patches, prescriptive guidance and software to combat the worm are the tools that security and operating system vendors provide to ameliorate threats.  But just because they are available, does not mean they are going to be used or managed correctly, as in the example of John’s company.

So where does that leave us?  Well, if we cannot do anything now to secure some of our systems, it seems like we will have to rely on future mitigations.  When Microsoft released Windows 7, it made a seemingly small change to the way in which the system handles the behavior of AutoRun, its technology for starting programs from removable media.  This effectively immunized that operating system against worms which spread via AUTORUN.INF files.  Readers of this blog will no doubt recognize this class of malware as having appeared consistently in the Top 10 threats for years, and using a technique also used by Conficker to spread itself.  Microsoft eventually made this available as an update to Windows Vista and Windows XP, although installation isn’t mandatory.  Windows 7 and Windows Server 2008 R2 were released after the vulnerabilities exploited by Conficker were fixed, which hampers its spread in those environments.

Microsoft has not shared much information with the public about the next version of its flagship operating system, Windows 8, but hopefully we will see additional anti-Conficker refinements in it.  Variants of Conficker attempt to spread over network shares, guessing the password based on some commonly-used methods and words.  Hard-coding the list into Windows 8 might be overkill for a threat as old as Conficker, but if Windows users are unable or unwilling to manage their security correctly, then enforcing more secure choices – as Microsoft has done with its changes to AutoRun behavior – may be the only solution.  Even if that solution can only spread at the same rate as the new operating system that contains it.

 

Regards,

 

Aryeh Goretsky, MVP, ZCSE
Distinguished Researcher

Author Aryeh Goretsky, ESET

  • lyecdevf

    I can not believe that microsoft is taking steps in future versions of windows to prevent conficker to spread.  I think users should take the proper measures to ensure there safety on the net.  

    • David Harley

      I don’t know if Microsoft is specifically focused on rescuing all those machines that are still infected with Conficker (Aryeh would know better, given his ties with the company), but MS continues to work on aspects of OS code intended to reduce its susceptibility to known threats. I agree that users should take some responsibility for their own safety, though.

  • Aryeh Goretsky

    Hello Lyecdevf and David,
     
    While I am a Microsoft MVP, I do not have any special insight into Microsoft's future plans for Conficker remediation in Windows 8, or, for that matter, Windows 8 itself.  Sorry if I gave you any other impression.
     
    As I mentioned in the article above, Microsoft, security vendors, ISPs and many other parties have gone to extraordinary lengths to combat this worm.  Check out the Lessons Learned document hosted at the Conficker Working Group's web site.  A large part of the problem as I see it is that computer users—including those responsible for them—have not taken the proper measures to implement the prescriptive guidance, tools and education aspects needed to move Conficker from its status as a kind of "super worm" to extinction.
     
    Microsoft did change the behavior of AutoRun in Windows 7, and that was due to USB-borne malware such as Conficker.  Given the continued prevalance of this worm, I hope that Microsoft can take additional steps to actually prevent the worm code from being executed by computers running the next version of Microsoft Windows.  The actual method used does not actually matter to me; I had mentioned blacklisting the password algorithms and dictionary attack used by Conficker, but some kind of software restriction policy would be fine, too.
     
    I am enough of a realist, though, to know that even this will not kill the worm.  Such a change would only spread at the rate the operating system was adopted   For that matter, if you ask a tier-one ISP about legacy threats you will find out they are probably still seeing traffic from nearly decade-old worms like Blaster and SQL Slammer still transiting their networks from old, unsecured computers. 
     
    What I think could be done with such a change is to create a type of digital herd immunity, lowering the number of infected hosts over time so that the outbreaks of the worm diminish to the point where Conficker can be considered extinct.  In the past 100 years, we have done this with a human disease, smallpox, through a combination of treatment and education and we may see the eradication of polio in our lifetimes.  It seems to me that with the lifetimes of computers being so much shorter than people due to technological change, we should be able to confer such extinction even sooner for malware.  After all, when was the last time you heard about a computer being infected by the Pakistani Brain, Scores, nVIR or Jerusalem viruses?
     
     
    Regards,
     
    Aryeh Goretsky

Follow Us

Sign up to our newsletter

The latest security news direct to your inbox

26 articles related to:
Hot Topic
ESET Virus Radar

Archives

Select month
Copyright © 2014 ESET, All Rights Reserved.