
Conficker – The Little Worm That Could

It’s one of those things that no one wants to speak openly about, yet so many, in the shadows, know is a huge problem with no easily found solution: the Conficker worm, whose lifespan, as computer problems go, has been longer than most, and which is more worrisome than any in recent memory.

The failure to defeat this problem shows a lack of respect for the trouble that worms can cause. The people who publish figures put the botnet in the 5 to 6 million range, and yet that does not seem to lend any impetus to reining in this miniature disaster.

From a story in Dark Reading:

Security researchers have picked it apart, vendors have banded together to fight it, and most users have at least heard of it after it made the mainstream media for a possible April 1 activation that never happened — but the Conficker worm just won’t go away. Its bot count has remained steady at around 6 million machines since this summer. And no one really knows what its operators have in store for all of that firepower.

“We continue to see infection rates at a very high level, especially for the A and B variants [of Conficker],” says Andre DiMino, director of the Shadowserver Foundation, which tracks Conficker infections for the Conficker Working Group. “We’ve done a good job at getting a grasp on Conficker itself and its architecture, and have also had great response from groups within the Conficker Working Group. Now we just need to be a little more aggressive in remediation and with more awareness to really make a concerted effort to get this thing cleaned up.”

This is starting to sound a bit less like reality and more like a scenario from a Marvel Comics movie script. “Unleashed by Victor von Doom, the Conficker botnet is giving the Fantastic Four the fight of their lives, and the Silver Surfer is on his way to offer aid, from far parts of the galaxy…”

That things like this, creations of a furtive mind that come from literally nowhere, can persist over time, and despite the concerted efforts of many to remove them, is both amazing and a bit scary.

What concerns security researchers is that despite all of the resources and attention being poured into eradicating Conficker — Microsoft even offers a $250,000 bounty to catch the people behind the worm — infections just keep coming worldwide. “It continues to be a giant engine idling, and we wait and see what they’re going to do with it,” DiMino says.

DiMino worries that all of the hype surrounding the April Fool’s Day Conficker event that never was lulled users into a false sense of security that they are immune to Conficker, and that it’s considered old hat now compared with other threats.

But no current threats exist with the volume of infections Conficker has amassed, according to Shadowserver’s calculations. Even as it experienced a typical slight weekend dip, Conficker was still at 5.5 million infected IP addresses as of yesterday for A and B variants, down from 6 million on Friday. Shadowserver’s data shows most of the infected machines in Brazil and China, with Vietnam not far behind.

Microsoft, meanwhile, says of all of the attacks exploiting the MS08-067 vulnerability, Conficker accounts for more than 3 million threat reports versus about a half million for all other vulnerabilities exploiting the bug, which can allow remote code execution via a rogue RPC request handled by Microsoft Windows Server Service. Microsoft researchers presented that and other data at the Virus Bulletin conference in Geneva last week.

You might think that someone with inside knowledge would defect and turn in the Conficker crew to get hold of the money. Of course, they would have to be able to easily disprove their own complicity.

The fact that the attack expected in April did not come makes many think that the worm is a hoax, or a fanciful story. It would be better to have an adversary that was constant, so that it could be defeated outright and be over and done with.

Security experts say Conficker’s sheer size has a lot to do with how difficult it is to fully remove it from an infected machine. Mikko Hypponen, chief research officer at F-Secure, says many of the infected machines are ones that were reinfected with Conficker.

“It sets very tricky ACL rights to files and registry keys it creates,” Hypponen says. “Removing it manually is almost impossible. And making [Conficker removal] tools available took much longer than with any other worm, as this one was so complicated.” Marcus Sachs, director of the SANS Internet Storm Center, says Conficker is able to snap up so many victims because such a large attack surface of machines on the Internet aren’t properly patched. “It is highly likely that many machines that were previously infected, then cleaned, got reinfected due to users either not finishing the cleaning by applying the patches [closing the hole that allowed the infection in the first place], which then leads to a subsequent reinfection, or by accidentally uninstalling the patch or update that closed the hole,” Sachs says. “But there are hundreds of millions of computers on the Internet. That is a large attack surface, and it’s possible that Conficker can still claim millions more victims just due to user carelessness.”

F-Secure and Microsoft are among the security vendors that offer Conficker removal tools. Hypponen says most of the infected machines are from Brazil, China, Vietnam, Russia, Indonesia, India, the Philippines, Thailand, South Korea, and Ukraine. “The USA is at the bottom of the list. Conficker is not a major problem in the U.S. or Europe anymore,” he says.

Could this have had anything to do with Microsoft Security Essentials being free? I certainly think so. Yet, if that is the case, you might think that MSE would be free to everyone, as the systems that are hiding Conficker are definitely not all proper machines, with legitimate copies of their operating systems. That is something that Microsoft must certainly have mulled over, when deciding to make MSE include a Genuine Advantage Check, before installation.

One could say, reasonably and without fear of contradiction, that Microsoft really isn’t that worried about Conficker, or its effect on their customers. If the concern was there, the MSE product would be truly free. As an aside, it could make their lives easier in Redmond, and bring a bit more luster to the Microsoft name, in the eyes of all customers.

Although the numbers aren’t broken down by consumers versus businesses, most security experts say Conficker is mainly a consumer and small to midsize business problem, especially among SMBs in developing nations. According to recent data from Damballa, Conficker is no longer one of the top 10 botnets infecting enterprises.

The C variant of Conficker is decreasing, while infection rates of the A and B versions are on the rise, according to F-Secure’s Hypponen.

“[Conficker] will never stop spreading. There are tons of computers out there that can still get infected. Users just don’t get it. And there’s just so much a single working group can do,” he says. “Still, I do think the Conficker Working Group is the best example of cross-industry cooperation I’ve seen in my 19-year career in this field.”

Is this the sort of thing that perhaps ICANN, newly empowered to act on its own, could do something positive about? I think so, as it would be easy to close off branches of the net where worm activity is found, and the affected areas could be kept closed off, until such time as a thorough cleansing takes place, and is recorded. After all, ICANN is the closest thing we have to an internet police force.

That kind of forceful approach is what is needed if we are to keep the worm in check, and reduce the possibility of damage each time the dragon awakes.

§

Don’t find fault, find a remedy.

Henry Ford

Strange, since most people attribute this line of thought to the Japanese. (I believe it was popularized in the movie Gung Ho, with Michael Keaton, and Gedde Watanabe.)
