Conficker returns, exploiting weak passwords on network systems
- By Kevin McCaney
- Apr 26, 2012
Conficker, the inexhaustible worm that first appeared in 2008 and infected an estimated 7 million computers before being slowed by a global public/private effort, just will not go away, according to a new report by Microsoft.
In fact, the number of computers infected by Conficker rose in 2011, totaling 1.7 million worldwide by year’s end, according to the most recent Microsoft Security Intelligence Report.
And how is it spreading? Weak passwords, mostly.
A blog post by the Microsoft Malware Protection Center, describing Conficker’s “obstinacy,” said the worm now spreads mainly by guessing weak passwords and then copying itself to the administrative shares of other computers on the network. For that reason, it is more of a threat to enterprises than to individual users, according to the post.
Beyond the 1.7 million computers it has infected, another sign of Conficker’s obstinacy is that it launched 59 million attacks in the fourth quarter of 2011 alone, Microsoft said.
When it first appeared in 2008, Conficker didn’t get far because it exploited a vulnerability in the Windows Server service that Microsoft had already patched (MS08-067). But a variant of the worm, appearing about a month later, was built to spread through the Autorun feature, by exploiting weak or shared passwords, or by abusing stolen login tokens, Microsoft said.
According to the Malware Protection Center’s blog post, Conficker follows a systematic pattern in trying to spread through a network: it first attempts to reach other machines with the current user’s credentials, then works through a list of common weak passwords to try to break in. If those steps fail, it lies dormant until a new set of credentials becomes available on the infected machine.
And, “If a remote administrator logs into the infected computer to try to clean it or diagnose problems caused by the worm, Conficker uses the administrator’s login token to infect as many computers as possible,” the blog post said.
“The combination of these credential-based attacks accounted for 100 percent of all recent infection attempts from Conficker targeting Enterprise Microsoft Forefront Endpoint Protection users on Windows 7 and Windows Vista platforms,” according to the post.
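The spread pattern described above leaves a recognizable trace in Windows Security logs: a burst of failed network logons from one host against a target, then a successful logon, then a connection to a hidden administrative share. The following is an added example of detection logic for that sequence; it is not code from Microsoft’s post or from this article. The key=value log format, the hostnames, addresses, account names, and the threshold and window values are all constructed assumptions; on a real network the 4625, 4624 and 5140 events would be pulled from the Security log (for instance with Get-WinEvent) and their fields mapped into the same shape.

```python
"""Detection logic for credential-based lateral movement: a burst of failed
network logons from one host, a success, then an administrative-share access."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events (not real captured data) in a simplified key=value
# rendering of Windows Security log records. The event IDs are the real ones:
# 4625 = failed logon, 4624 = successful logon, 5140 = network share accessed.
# Logon type 3 is a network logon, which an SMB connection to a share produces.
SAMPLE_LOG = r"""
2011-11-03T10:00:01 id=4625 type=3 src=10.0.0.5 target=WS-17 user=Administrator
2011-11-03T10:00:04 id=4625 type=3 src=10.0.0.5 target=WS-17 user=Administrator
2011-11-03T10:00:07 id=4625 type=3 src=10.0.0.5 target=WS-17 user=Administrator
2011-11-03T10:00:10 id=4625 type=3 src=10.0.0.5 target=WS-17 user=Administrator
2011-11-03T10:00:13 id=4625 type=3 src=10.0.0.5 target=WS-17 user=Administrator
2011-11-03T10:00:16 id=4625 type=3 src=10.0.0.5 target=WS-17 user=Administrator
2011-11-03T10:00:19 id=4624 type=3 src=10.0.0.5 target=WS-17 user=Administrator
2011-11-03T10:00:20 id=5140 src=10.0.0.5 target=WS-17 user=Administrator share=\\*\ADMIN$
2011-11-03T10:05:00 id=4625 type=3 src=10.0.0.9 target=WS-18 user=jsmith
2011-11-03T10:05:30 id=4624 type=3 src=10.0.0.9 target=WS-18 user=jsmith
2011-11-03T10:05:31 id=5140 src=10.0.0.9 target=WS-18 user=jsmith share=\\*\IPC$
2011-11-03T11:00:00 id=4625 type=3 src=10.0.0.7 target=WS-19 user=backup
2011-11-03T11:00:03 id=4625 type=3 src=10.0.0.7 target=WS-19 user=backup
2011-11-03T11:00:06 id=4625 type=3 src=10.0.0.7 target=WS-19 user=backup
2011-11-03T11:00:09 id=4625 type=3 src=10.0.0.7 target=WS-19 user=backup
2011-11-03T11:00:12 id=4625 type=3 src=10.0.0.7 target=WS-19 user=backup
2011-11-03T11:00:15 id=4625 type=3 src=10.0.0.7 target=WS-19 user=backup
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) id=(?P<id>\d+)(?: type=(?P<type>\d+))? src=(?P<src>\S+) "
    r"target=(?P<target>\S+) user=(?P<user>\S+)(?: share=(?P<share>\S+))?$"
)

# Hidden administrative shares a worm would write to in order to plant a copy of itself.
ADMIN_SHARES = {"ADMIN$", "C$"}


def parse_log(lines):
    """Yield one event dict per non-empty log line; malformed lines raise ValueError."""
    for line in lines:
        line = line.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unparsable log line: {line!r}")
        ev = m.groupdict()
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        ev["id"] = int(ev["id"])
        ev["type"] = int(ev["type"]) if ev["type"] else None
        yield ev


def detect_credential_spread(lines, threshold=5, window=timedelta(minutes=2)):
    """Return alerts, in log order, for (source, target) pairs that show the pattern.

    threshold and window are arbitrary tuning values chosen for the sample data."""
    failures = defaultdict(deque)  # (src, target) -> timestamps of recent failed network logons
    cracked = {}                   # (src, target) -> time of a success that followed a failure burst
    alerts = []

    def alert(kind, ev, **extra):
        alerts.append({"kind": kind, "src": ev["src"], "target": ev["target"],
                       "user": ev["user"], "at": ev["ts"], **extra})

    for ev in parse_log(lines):
        key = (ev["src"], ev["target"])
        if ev["id"] == 4625 and ev["type"] == 3:
            q = failures[key]
            q.append(ev["ts"])
            while q and ev["ts"] - q[0] > window:   # drop failures older than the window
                q.popleft()
            if len(q) == threshold:                  # fires once, when the burst first reaches threshold
                alert("password_guessing", ev, failures=len(q))
        elif ev["id"] == 4624 and ev["type"] == 3:
            recent = [t for t in failures[key] if ev["ts"] - t <= window]
            if len(recent) >= threshold:             # success right after many failures: a guessed password
                cracked[key] = ev["ts"]
                alert("success_after_guessing", ev, failures=len(recent))
        elif ev["id"] == 5140 and ev["share"]:
            share = ev["share"].rsplit("\\", 1)[-1].upper()
            if share in ADMIN_SHARES and key in cracked and ev["ts"] - cracked[key] <= window:
                alert("admin_share_after_guessing", ev, share=share)
    return alerts


if __name__ == "__main__":
    for a in detect_credential_spread(SAMPLE_LOG.splitlines()):
        print(a["at"].isoformat(), a["kind"], a["src"], "->", a["target"], a["user"])
```

On the sample data the host 10.0.0.5 produces all three alert kinds in sequence (guessing, success, then an ADMIN$ connection), 10.0.0.7 produces only a guessing alert because it never succeeds, and 10.0.0.9 produces nothing: one failed attempt followed by a normal IPC$ connection is ordinary user behaviour. The three-stage escalation is the point: a single failed-logon count is noisy in any enterprise, but a success that follows a burst of failures, followed by an administrative-share write from the same source, is the signature the blog post describes and is worth paging on.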
The company’s Security Intelligence Report said the worm has also survived because it is good at defending itself: it blocks access to security websites, disables security software on infected computers, and uses encryption and a technique called “HTTP rendezvous” to protect its payload.
Because of its sophistication and ability to spread quickly, Conficker drew a lot of attention, prompting the formation of the Conficker Working Group, an organization of more than 30 companies, Internet registrars, universities and government agencies, the FBI and Homeland Security Department among them.
The group, considered a model for cooperative cybersecurity efforts, was successful in preventing the worm’s author from taking control of the botnet Conficker was creating, although it was unable to remove it from millions of infected computers. And Conficker’s author and purpose were never discovered.
Government agencies, however, were successful in remediating their infected computers, or in keeping it out in the first place. In March 2010, Rodney Joffe, senior vice president and technologist at Neustar and director of the Conficker Working Group, said infections of government systems had been reduced from tens of thousands to fewer than 40.
But a DHS spokesman said at the time that Conficker had never been much of an issue for federal systems, because of defensive measures by US-CERT and others.
Regardless, Conficker, which hasn’t had a new variant in two years, has proven its persistence. And its recent increases would seem a good opportunity for organizations to try once again to eradicate the endemic problem of weak passwords on the network.
Kevin McCaney is a former editor of Defense Systems and GCN.