May 21
Conficker: The Worm That Wouldn’t Die!
Coming to a theater near you: “Attack of the Crab Monsters”. “The Creature from the Black Lagoon”. “Attack of the Giant Leeches”. “The Killer Shrews”. — The 1950s had some of the best worst horror movie titles ever. Now, in the tradition of terrible titles comes “Conficker: The Worm That Wouldn’t Die!” Unfortunately, it could be coming to an enterprise near you.
According to Mathew J. Schwartz’s Informationweek.com story, there are eight reasons Conficker malware lives on despite all efforts to kill it by Microsoft and others. Quoting a Microsoft Security Intelligence Report, Schwartz says, “As recently as the fourth quarter of 2011, Conficker variants launched 59 million attacks against 1.7 million unique PCs…. Whereas most malware disproportionately affects consumers, the report found that Conficker is ‘more prevalent on domain-joined computers.’”
Schwartz points out many reasons Conficker will not die. (Note: For brevity, the following has been edited down from the original.)
1. Conficker was built to topple business networks. All of the worm’s payload traffic is encrypted, making infections difficult to spot. The worm can also disable many types of free antivirus software as well as Microsoft Windows Update, thereby disabling automatic security updates. That not only buys the worm time to spread, but can provide a toehold for other malicious software, thus compounding businesses’ security problems.
2. The worm spreads via Autorun. More recent variations of Conficker attempt to auto-execute via Autorun, which helps it spread not just via network shares, but also (through) USB keys and other types of removable storage. Accordingly, Microsoft has recommended disabling Autorun.
3. Weak passwords help Conficker. When Conficker first infects a PC, it attempts to use the (victim’s) current credentials to copy itself to administrative shares (to spread) the infection. If that fails, the worm switches to a more aggressive approach. “Conficker has a small dictionary of passwords that is used in a brute-force attack against other machines in the network, and it continues to be surprisingly effective,” said (security expert) Wolfgang Kandek…. How weak or common are these passwords? Try words or numbers such as 0000, 1111, Admin, and coffee. “(Conficker’s) dictionary attack is very basic and is prevented even by enforcing simple password composition policies, i.e. adding (numbers) and special characters to only alpha-type passwords.”
4. Conficker can remain dormant. If, after trying all of the above, Conficker still fails to spread to admin shares, it will simply hibernate. What brings it back to life? That would be an administrator, using admin credentials to log onto the machine, perhaps while investigating a user’s reports of suspicious behavior. Once the PC has been accessed using admin credentials, the worm will again attempt to use these permissions to copy itself around the network.
5. Conficker spreads without bugs. Most malware targets known vulnerabilities. But according to Microsoft… password-attack vectors accounted for “100% of all recent infection attempts from Conficker targeting … users on Windows 7 and Windows Vista platforms.” Likewise, 91% of Conficker attacks against Windows 2003 machines targeted passwords, while only 9% targeted a vulnerability patched by Microsoft in October 2008.
6. Repeat outbreaks are common. Conficker’s continued spread highlights the ongoing use of weak passwords. “During the first quarter of 2011, the average number of times Conficker attacked a single computer was 15, but by the fourth quarter that number had more than doubled to 35,” reported Microsoft. The sheer volume of repeat attacks suggests that businesses are failing to eradicate Conficker from every PC inside the enterprise after they detect an infection. As a result, copies of the worm persist, triggering subsequent outbreaks.
7. Virtualization may stoke the worm’s spread. Some security watchers see virtualization as another culprit behind Conficker’s continued existence. “‘VM sprawl’–or the idea that a virtual machine can be easily created and then archived–means there are many virtual machines offline without security updates. Then, when these machines are brought back online, they can get re-infected very easily,” said (security expert) Kapil Raina…. “With today’s move to the cloud and leveraging services like AWS EC2, there are many, many virtual machines without proper patching. It’s like a time bomb waiting to happen when they come back online.”
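Item 3’s point, that a simple password composition policy is enough to defeat a small-dictionary attack of the kind described, can be shown as a defender-side check. The following is an added example, not code from the InformationWeek story or from this post. Its weak-password list is a constructed sample modelled on the values quoted above (0000, 1111, Admin, coffee), not Conficker’s actual dictionary; the minimum length, the required character classes, and the extra check that catches a dictionary word with a digit or symbol tacked on the end are assumed policy choices that go slightly beyond what the article states.

```python
"""Password composition check of the kind item 3 describes.

Added example (not from the InformationWeek story or this post). The
weak-password list is a constructed sample in the style of the values the
article quotes; it is not Conficker's real dictionary. MIN_LENGTH and the
required character classes are assumed policy values.
"""
import re

# Constructed sample of trivially guessable passwords. A real deployment
# would load a much larger list from a file.
WEAK_PASSWORDS = {"0000", "1111", "1234", "admin", "password", "coffee", "letmein"}

MIN_LENGTH = 8  # assumed policy value, not one the article states


def composition_classes(password: str) -> set:
    """Return the set of character classes present in the password."""
    classes = set()
    if re.search(r"[a-z]", password):
        classes.add("lower")
    if re.search(r"[A-Z]", password):
        classes.add("upper")
    if re.search(r"[0-9]", password):
        classes.add("digit")
    if re.search(r"[^A-Za-z0-9]", password):
        classes.add("special")
    return classes


def policy_violations(password: str) -> list:
    """List every reason a password fails the assumed composition policy.

    An empty list means the password is acceptable. The checks mirror the
    article's point: a bare dictionary word or short digit string is exactly
    what a small-dictionary attack guesses first, and requiring digits and
    special characters alongside letters takes it out of that dictionary.
    """
    violations = []
    if password.lower() in WEAK_PASSWORDS:
        violations.append("matches a known weak-password list entry")
    if len(password) < MIN_LENGTH:
        violations.append(f"shorter than {MIN_LENGTH} characters")
    classes = composition_classes(password)
    if "digit" not in classes:
        violations.append("contains no digit")
    if "special" not in classes:
        violations.append("contains no special character")
    if not ({"lower", "upper"} & classes):
        violations.append("contains no letters")
    # Assumed extra check: strip non-letters and re-test the dictionary so
    # that 'coffee1!' is not accepted just because a digit and symbol were added.
    stem = re.sub(r"[^A-Za-z]", "", password).lower()
    if stem and stem != password.lower() and stem in WEAK_PASSWORDS:
        violations.append("is a weak-list word with characters appended")
    return violations


def audit(passwords):
    """Map each candidate password to its violations (empty list = accepted)."""
    return {p: policy_violations(p) for p in passwords}


if __name__ == "__main__":
    # Constructed candidates: the article's examples plus two variations.
    for pw, problems in audit(["0000", "coffee", "Admin", "coffee1!", "Xk7#pLq2w"]).items():
        status = "OK" if not problems else "REJECT"
        print(f"{pw!r:14} {status:7} {'; '.join(problems)}")
```

Wire `policy_violations` into whatever sets or rotates local and service-account passwords; the point of the audit is that every password the worm's tiny dictionary would try is rejected before it ever reaches an administrative share.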