Years-old Conficker Worm Still A Threat

  @ibtimes on January 27 2011 3:12 PM

A computer worm that first appeared more than two years ago is still a threat, even though security experts were successful in mitigating possible damage.

The Conficker worm, which originally appeared in 2008, is an example of a botnet type of malware. It infects a computer by being downloaded from the Internet or from a mass storage device that has a copy. Unlike malware that simply uses a host computer to send spam or steal personal information, Conficker is flexible - it can be asked to do a variety of things. That flexibility is what makes it so dangerous, according to a report from the Conficker Working Group, a team of experts that came together to tackle the malware.

Thus far nobody has asked Conficker to do anything. But the author of the malware isn't known, and the keys to the malware that enable someone to take control of the botnet still exist somewhere. As the botnet made of Conficker-infected machines would consist of millions of computers, any attack would be powerful.

Conficker wakes up every day and generates a series of Web addresses that it then tries to connect to, and seek commands -- that is, as it looks up a domain name, it can be told to expect a certain set of commands on a certain day. This data is encrypted via a method that is much more sophisticated than previous malware, and points to an author that is an expert in the subject.

The malware spread rapidly and is found in five versions, A, B, B++, C and E, released over the course of 2008 and 2009. Each one has more sophisticated defenses, such as disabling the Auto-update function on a PC. (Thus far no version of the malware has been written for the Apple Macintosh OS). Some copies have been found on computers in government agencies and various militaries.

It was like the malware author was in an 'interactive dance' with the Conficker Working Group - making improvements to the code to bypass our countermeasures, said Barry Greene, president of the Internet Systems Consortium and a member of the Conficker Working Group's Core Committee.

There are ways to get the malware off of a computer. Running a good antivirus program from a CD rather than the computer's own hard drive will usually work. In some cases, one can do a clean install of a system, though that will involve losing data that isn't backed up. There is a simple test for infection that can be found here.

The Conficker Working Group report says that security experts were able to mount many defenses against the malware, and work with both law enforcement and the Internet Corporation for Assigned Names and Numbers to help slow its spread down.

But the malware is not one that usually creates immediate problems for a given user, and that is one of the factors that make Conficker dangerous. Most people will not know their system is infected with Conficker. My Mom could doing her E-mail, Facebook, and solitaire games with no clue that her computer was infected with Conficker -- a robot weapon waiting for commands, Greene said.

He adds that as long as a computer works, most users don't notice they are infected. The bad guys about five years ago learned about thresholds of pain, he said. For malware, it comes down to how many resources to steal from a computer before person at home screams.

If a typical user has to call the help desk, then the malware authors failed, because someone noticed the infection. If they infect her machine and everything is fine, they have a computer resource they can use, he said. That resource could be a machine helping to mount a distributed denial of service attack, or spam, or whatever it is the author wants to do.

While a certain number of machines become disinfected every year as users upgrade operating systems, just as many return to the infected group, says Rodney Joffe, chief technologist at Neustar and also a member of the Working Group. Part of the reason is that many machines still run old operating systems. There are lots of machines still running Windows 98, he said.

The issue with Conficker is that someone out there could sell part of the keys to the malware. Joffe said experts have been monitoring sites that sell that kind of malicious code, but that doesn't mean nobody has gained possession of it as there are too many avenues for that to happen. There are also, he says, knock-on effects from having Conficker on a PC. The PC's 'immune system' is suppressed, he said. Having Conficker on a machine leaves it open to other viruses as well, in part because of the nature of the malware.

One thing Conficker taught malware authors was that creating botnets that are very large gets the attention of law enforcement, so modern malware tries to avoid that. Governments, meanwhile, have taken the threat of malware more seriously. The Conficker Working Group was successful in that sense, and its report says focusing attention on the problem may have scared off the author of the malware from trying a massive attack of some kind. There is also much better cooperation between security experts when such threats do materialize, the report says, though the situation is far from perfect.

 

Join the Discussion