Confused about Conficker?

CNN reported that there is a new sleeper virus out there.

There is nothing sleepy about the Conficker worm; it is wide awake and looking for people who are asleep at the security wheel.

CNN reports that Conficker could allow hackers to steal personal and financial data, and they also report that “it is not very serious in terms of what it does. So far it doesn’t try to steal personal information or credit card details.”

Huh? Ok, I’ll follow suit… Conficker could allow hackers to rig elections and shut down critical power and communications infrastructure, but it doesn’t.

What Conficker could allow hackers to do is truly as irrelevant as it gets. The conditions that allow Conficker to spread mean that any semi-skilled hacker or malware author can do the same and much worse with complete and total impunity.

Conficker was one of the first worms to exploit a fairly recent and serious security vulnerability in Windows (MS08-067). Conficker doesn’t stop there, though: it is also able to guess passwords set by people who do not understand security (think Twitter admin). Yes, Conficker can guess weak passwords. Conficker also exploits autorun, a vulnerability that Microsoft should have patched a long time ago, but MS insists that auto-infection is a feature. Companies that make digital photo frames, MP3 players, GPS systems, and other assorted USB devices have really embraced the auto-infect technology too!!!

To Microsoft’s credit, most of the infections are coming from the corporate space. Why is this to Microsoft’s credit? Because it means that Windows Update is working pretty well in homes, where it is usually allowed to work.

For businesses this is a dismal finding. It means that standard security basics are not being enforced. There is really sobering news here. Perhaps businesses are not investing in security. An IT person needs some budget and time to do his or her job. Maybe businesses do not know how to evaluate competent security professionals to put in charge. “We needed time to test” is not an excuse for not having deployed the patch for MS08-067. If there is a legitimate reason for not having deployed the patch, then there are many other layers of defense that should be in place for protection.

Conficker should be a complete non-story, and actually it is not the story. The real story is that people are still not doing the basics. Keep your systems patched, keep your applications patched, and require and use strong passwords.
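The post closes on “require and use strong passwords”, and the worm’s password guessing works precisely because the passwords it tries are short dictionary words. The following is an added example, not code from the post or from ESET, of the kind of policy check a defender can put in front of account creation or password changes: it rejects short passwords, passwords with too few character classes, passwords that contain the account name, and anything that reduces to an entry on a weak-password blocklist. The blocklist here is a small constructed sample; the thresholds (12 characters, 3 classes) are assumptions to be tuned to local policy.

```python
import re

# Constructed blocklist: a handful of the trivial passwords that worms which
# brute-force admin accounts typically try. A real deployment would load a
# much larger list (for example a leaked-password corpus) from disk.
WEAK_PASSWORDS = {
    "admin", "administrator", "password", "pass", "123456", "12345678",
    "qwerty", "letmein", "welcome", "changeme", "test", "root", "guest",
}

MIN_LENGTH = 12      # assumed policy value
MIN_CLASSES = 3      # lower, upper, digit, symbol


def character_classes(pw):
    """Count how many of the four character classes the password uses."""
    classes = 0
    if re.search(r"[a-z]", pw):
        classes += 1
    if re.search(r"[A-Z]", pw):
        classes += 1
    if re.search(r"[0-9]", pw):
        classes += 1
    if re.search(r"[^A-Za-z0-9]", pw):
        classes += 1
    return classes


def core_word(pw):
    """Lowercase and strip non-letters from both ends, so that decorations
    such as 'Admin123!' still match the blocklist entry 'admin'."""
    return re.sub(r"^[^a-z]+|[^a-z]+$", "", pw.lower())


def check_password(pw, username=None):
    """Return a list of policy violations; an empty list means acceptable."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if character_classes(pw) < MIN_CLASSES:
        problems.append(f"fewer than {MIN_CLASSES} character classes")
    if pw.lower() in WEAK_PASSWORDS or core_word(pw) in WEAK_PASSWORDS:
        problems.append("on the weak-password blocklist")
    if username and username.lower() in pw.lower():
        problems.append("contains the account name")
    if re.search(r"(.)\1{2,}", pw):
        problems.append("contains a run of three or more repeated characters")
    return problems


if __name__ == "__main__":
    for candidate, user in [("admin", "admin"), ("Admin123!", "admin"),
                            ("Correct-Horse-Battery-9", "rabrams")]:
        verdict = check_password(candidate, user)
        print(f"{candidate!r}: {verdict or 'OK'}")
```

The check is deliberately rule-based so that every rejection comes with a reason the user can act on. It does not attempt to catch leet-speak substitutions (P@ssw0rd), which is why a large blocklist, rather than clever normalisation, does most of the work in practice.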

Randy Abrams
Director of Technical Education

Author, ESET

  • John Stotz

    I think you might be overlooking the fact that the virus spreads using standard Windows admin shares which have the ability to automatically ‘link’ many corporate systems together with no authentication (prompt) needed. These shares are almost always opened up in most corporate environments, but usually never on a home PC. That is more likely the actual explanation as to why the infection is so prevalent in the corporate space.

  • Hi, John.

    I don’t think that actually contradicts Randy’s point. Open admin shares aren’t secure, and companies that enable them are taking a risk. Clearly there are plenty of admins out there prepared to take risks (like those in the hospital trust in the UK that turned off updates and apparently got 10% of their machines infected, or, allegedly, the Royal Navy…)

  • Dominic Lloyd

    In a lot of cases turning off auto-updates is a perfectly sensible thing to do. It looks like people have forgotten to do them manually though.

    I agree that the “need time to test” excuse doesn’t wash. If you find out that somebody has duplicated one of your front door keys, you don’t spend three months twiddling your thumbs waiting for any other duplicated keys to appear before rolling out new keys once a quarter…

  • Dom Battaglia

    Unfortunately in some cases corporate administration (those with no or ancient/rusty field experience) make the bad decisions that the tech folks have to live with. I don’t know how many times I’ve heard warnings were given regarding unpatched systems. How many times have we told people that “admin” is not a good password? How many times must we clean up people’s sloppy web habits–when they know they shouldn’t be doing their personal business on work time. It would save so much more time and money if we were allowed to lock down our systems the way we want to and not leave those decisions to bad policy makers who have manicured nails and nice suits. As long as there are underfunded IT departments ruled by spineless empty suits, there will be more news stories such as this.

  • Hari Emani

    Hi Randy,

    A great article. I am not sure if I can ask a question like the following, as this relates to your competitor. But I did not find any other place to clarify my doubt, as they did not allow comments like you.

    So far there is no evidence of Conficker worm stealing any personal / financial information or shutting down something BIG. But I am confused by the numbers mentioned by F-Secure. They claim that they identified over a million infected computers (they have a good explanation of how they arrived at this number). I would appreciate your (or someone from your team) comments on this.

    If that is the case what can the author do? Can he launch a DDoS or something like that? Or try to steal personal info like Sinowal did. I know this could be hard to answer. Unlike other worms Conficker is contacting home for updates through randomly generated web sites daily.

    I would appreciate it if you can enlighten me on this.

    Have fun.

  • Randy Abrams

    It is always tricky to accurately assess the number of infections, but the actual number of infected machines isn’t that important. Just to be within +/- 75% is enough to know that we are dealing with a significant number of computers. Knowledge of the actual number is only an exercise in trivia knowledge :) The fact that Conficker can download and execute code is enough to be troublesome. This implies that the author, or anyone who can hack into Conficker, can force the download of the component required to tie these infected computers together as a botnet. The botnet can then be used to do almost anything. DDOS, Spam runs, information collection, storage of illegal files, and so forth.
    The actual intent of contacting the websites is not clear right now. It could be intended to download fake anti-malware products in an attempt to sell them, rather than to tie everything together into a botnet.
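The exchange above (the worm “contacting home for updates through randomly generated web sites daily”, and the reply that the update channel is what makes it troublesome) points at a detection opportunity that has nothing to do with the worm’s intent: a host cycling through many random-looking domain names that do not resolve stands out in resolver logs. The following is an added example, not code from the post, the commenters or ESET, that scores the registrable label of each queried name on vowel ratio, consonant runs and character entropy, and flags a client once it has produced several distinct NXDOMAIN answers for names that look generated. The log format and all log lines are constructed for the example; the thresholds are assumptions.

```python
import math
import re
from collections import Counter, defaultdict

# Constructed resolver log (not real captures): "<timestamp> <client> <qname> <rcode>".
# 10.1.2.33 plays the infected host; 10.1.2.34 is an ordinary client with one typo.
SAMPLE_LOG = """\
2009-03-20T10:00:01 10.1.2.33 www.example.com NOERROR
2009-03-20T10:00:02 10.1.2.33 xkqzvbrtpl.biz NXDOMAIN
2009-03-20T10:00:02 10.1.2.33 wdmvqhtjkfya.info NXDOMAIN
2009-03-20T10:00:03 10.1.2.33 bzrtqwlmkpcvs.org NXDOMAIN
2009-03-20T10:00:03 10.1.2.33 qwmrtzpkvlb.net NXDOMAIN
2009-03-20T10:00:04 10.1.2.33 hjklpqrmztwv.com NXDOMAIN
2009-03-20T10:00:05 10.1.2.33 zvpkqrmtxwl.biz NXDOMAIN
2009-03-20T10:00:05 10.1.2.34 mail.example.org NOERROR
2009-03-20T10:00:06 10.1.2.34 update.example.net NOERROR
2009-03-20T10:00:07 10.1.2.34 longwordsexamplehost.org NXDOMAIN
"""

LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (NOERROR|NXDOMAIN|SERVFAIL)$")
VOWELS = set("aeiou")


def second_level_label(qname):
    """Registrable label, assuming a one-part public suffix (no .co.uk in the sample)."""
    parts = qname.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def shannon_entropy(s):
    """Bits per character; a label of all-distinct letters scores log2(len)."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def longest_consonant_run(s):
    best = run = 0
    for ch in s:
        run = run + 1 if ch.isalpha() and ch not in VOWELS else 0
        best = max(best, run)
    return best


def looks_generated(label):
    """Heuristic: long, letters-only label with few vowels, long consonant runs
    and high entropy. Thresholds are assumptions to be tuned against local traffic."""
    if len(label) < 8 or not label.isalpha():
        return False
    vowel_ratio = sum(ch in VOWELS for ch in label) / len(label)
    return (vowel_ratio < 0.25
            and longest_consonant_run(label) >= 4
            and shannon_entropy(label) > 3.0)


def parse_log(text):
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            yield m.groups()  # (timestamp, client, qname, rcode)


def find_suspect_clients(text, min_hits=5):
    """Map client -> sorted list of generated-looking names that failed to resolve,
    keeping only clients with at least min_hits distinct such names."""
    hits = defaultdict(set)
    for _ts, client, qname, rcode in parse_log(text):
        if rcode == "NXDOMAIN" and looks_generated(second_level_label(qname)):
            hits[client].add(qname.lower())
    return {c: sorted(names) for c, names in hits.items() if len(names) >= min_hits}


if __name__ == "__main__":
    for client, names in find_suspect_clients(SAMPLE_LOG).items():
        print(f"{client}: {len(names)} generated-looking NXDOMAIN names, e.g. {names[0]}")
```

Counting distinct failed lookups per client, rather than alerting on any single odd-looking name, is what keeps the false-positive rate tolerable: content-delivery and cloud hostnames can look random too, but they resolve, and a mistyped domain produces one NXDOMAIN, not dozens.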

  • It seems Microsoft is only recommending that Windows users run a Windows security update.


Copyright © 2017 ESET, All Rights Reserved.