The Conficker conundrum

Security experts estimate that Conficker, a particularly malicious worm, targeting MS Windows, has already infected more than 7 million computers around the world.

Conficker was, without doubt, the most significant piece of malware active throughout 2009, not just because of the media attention it attracted or the number of computers infected worldwide, but also because it represented a leap back in time to the era of massive virus epidemics.

More than a year has passed since Conficker first appeared, yet it is still making the news. The patch for the vulnerability exploited by Conficker was published by Microsoft in October 2008. Yet more than one year later, Conficker continues to infect computers using many advanced malware techniques and exploiting the Windows MS08-067 service vulnerability.

The spread of Conficker impacted all types of institutions and organizations. Victims included the British military, Ealing Council’s entire IT network was disabled for 4 days, and 800 computers from the Sheffield NHS Trust were infected as well as numerous other companies and organisations worldwide. Microsoft even offered a reward of $250,000 to anyone providing information that led to the arrest and conviction of the creators of this malware.

The Conficker worm, which by nature is a particularly damaging strain of virus, appears to be launching brute force attacks to extract passwords from computers and corporate networks. The easier the password, the easier it is for Conficker to decipher it. Once the passwords are detected, cyber criminals can then access computers and use them for their own ends.

So why is this still happening? Principally, because of its ability to propagate through USB devices. Removable drives have become a major channel for the spread of malicious code, due to the increasing use of memory sticks and portable hard drives to share information in households and businesses. After inserting an infected USB into an unpatched machine Conficker will be able to bypass the computer security and, by impersonating an administration account, drop a file on the computer system. It will also try to add a scheduled task to run those files.

Another reason for the longevity of this worm is that many people are using pirated copies of Windows and, in fear of being detected; they avoid applying the security patches published periodically by Microsoft. In fact, Microsoft allows unrestricted application of critical updates, even on non-legitimate copies of its operating system. Nowadays, most companies have perimeter protection (firewall, etc.), but this does not prevent employees from taking their memory sticks to work, connecting them to the workstation and spreading the malicious code across the network. As this worm can affect all types of USB devices, MP3 players, mobile phones, cameras, and other removable devices are also at risk.

What can users do to mitigate this threat? Users should firstly apply the patch to solve the security issue that lets the Conficker worm spread through the Internet (MS08-067); they then need other solutions such as a USB vaccine protecting not just the computer but also the USB device itself.

A security solution which is regularly updated and active should be enough to protect against Conficker and its variants but organizations should also habitually scan for vulnerable machines, disinfect infected machines using updated and active antivirus both on networks and stand-alone PCs and make sure their antivirus and security solutions are up-to-date on the latest version and signature database.

It is important to note that by just asking people to use a security solution, we should not expect to put a halt to the problem. Making users aware of the threats, teaching children at school how to use technology safely and responsively, and ensuring they have privacy in mind are equally important. Many users are unaware of the dangers, and living under the perception that the digital world is secure, and as we know, that is not the case. Preventative measures must also come from the “top-down’, legislating, chasing and punishing those that benefit from cybercrime and protecting critical infrastructure.

Author: Luis Corrons, Technical Director, PandaLabs.