Conficker Worm Spreads Fast, Infects Millions


Like other malware, the worm known as Conficker or Downadup is a blended threat, relying upon a variety of attack vectors, which range from brute-force password guessing to hitching rides on USB sticks, in order to replicate and spread throughout a network. However, what experts say makes this worm unique is the rate of speed at which it replicates.

"The notion of using multiple attack vectors, that in and of itself is not terribly new," said Derek Brown, security researcher for TippingPoint's DVLabs Team. "The unique thing about this is the speed at which it has spread and I think that's a result of the size of the [Microsoft] vulnerability. That was a pretty big one."

The first variant of the Conficker worm appeared in November 2008, and exploited a critical Windows vulnerability in the way the Server Service handles RPC requests.

Microsoft issued an emergency out-of-band patch in October 2008 -- the first in the previous year and a half -- repairing the error. The company also warned users in a security advisory that the Server Service vulnerability "could be used in the crafting of a wormable exploit," and advised users to protect their networks from external malicious threats with updated firewalls.


"In a lot of cases, that's how it works," said Brown. "If companies aren't proactive, or reactive to that, and quickly move to apply those patches, [hackers] are going to take a stab at it, propagating this large vulnerability that Microsoft had."

Experts say that the Conficker malware got its start because of the Microsoft vulnerability, but subsequently was able to propagate quickly through users' unpatched Windows operating systems.

Security researchers began to see the second variation of the malware, what's currently known as the Conficker/Downadup worm, in late December 2008. Brown said that while the malware author's motives are unclear, it seems likely that the worm is designed to create an enormous global botnet, a network of computers controlled by a central command center, usually for malicious purposes.

"Worms that come in and infect your system can destroy your computer, crash and overwrite the C drive. Up to this point, we haven't seen a lot of that. We've just seen a lot of infections, which gives credence to the theory of the botnet," Brown said.

One of the methods the Conficker worm uses to self-propagate rapidly is a brute-force password-guessing technique. The malware first tries to use the credentials of the logged-on user. If that fails, it attempts to obtain a list of user accounts on the target machine and then tries to connect using each user name in turn, paired with each entry from a list of weak passwords, such as "1234" or "password."

The worm also infiltrates and spreads throughout a corporate network by hitching a ride on an infected portable storage device, such as a USB stick. The malware relies on users' familiarity with the Windows Autoplay menu, which is enabled by default in Windows for all removable devices. If a portable storage device infected with the worm is plugged into a computer on which the autorun feature is enabled, the worm adds an "execute" option to the pop-up menu.

In the interest of self-preservation, the worm attempts to terminate any process that seems to indicate it is an antivirus program or other security software, and blocks access to many antivirus and security vendors' Web sites.

So far, experts are unclear about the malware's origin. However, a Microsoft blog noted that the variant avoids infecting computers that use a Ukrainian keyboard layout, raising suspicions that the malware authors are located in Ukraine.

Brown said that the Conficker worm could potentially infect PCs for months to the "better part of the year" before it is eventually eradicated by the security community.

Meanwhile, security experts advise that users keep a solid desktop antivirus product running and updated on their PCs and immediately apply Microsoft patches repairing any security vulnerabilities. Experts also recommend that users rely on and routinely change strong passwords for all accounts and file-share applications.