'Obstinate' Conficker worm infests millions of PCs years later

Suppressed botnet has 7M Windows machines in its grip three years after it first appeared

Microsoft yesterday said the long-suppressed Conficker botnet is still actively infecting millions of new machines, giving Windows enterprise users a two-and-a-half-year headache.

Conficker infected or tried to infect an amazing 1.7 million Windows PCs in the fourth quarter of 2011, three years after it first raised its hydra heads. The 1.7 million was an uptick of 100,000 from the previous quarter, said Microsoft.

"Users are still struggling and battling with Conficker," Tim Rains, a director in Microsoft's Trustworthy Computing group, said in an interview earlier this week. "It's surprising that it has this kind of staying power."

The worm first appeared in the fall of 2008, exploiting a just-patched Windows vulnerability. It soon morphed into a much more effective threat, adding new attack techniques, including one that relied on weaknesses in Windows XP's and Vista's AutoRun feature. By January 2009, some security firms estimated that Conficker had compromised millions of PCs.

Concern about Conficker reached a crescendo when the mainstream media, including major television networks, reported that the worm would update itself on April 1, 2009. Because of the size of the Conficker botnet -- estimates ran as high as 12 million at that point -- and other mysteries, hype ran at fever pitch.

In the end, Conficker's April 1 update passed quietly. But the worm, although prevented from communicating with its makers, hasn't gone quietly into the night.

"It's still out there and active," Rains said. "It's been the number one threat in the enterprise for the last two-and-a-half years."

According to Microsoft -- which collects data from its Malicious Software Removal Tool (MSRT), a free utility it distributes to all Windows users each month, its antivirus software, its Bing search engine and the Hotmail email service -- detections of Conficker have jumped 225% since 2009.

The current size of the Conficker botnet -- those PCs now infected -- is approximately seven million, Microsoft claimed.

Fortunately, Conficker-infected systems are unable to receive updates or orders from the hackers who made the malware.

The Conficker Working Group, a cabal of security researchers and companies, among them Microsoft, has been blocking the worm's command-and-control (C&C) domains since early 2009. By "sinkholing" those domains -- registering all possible C&C domains before the hackers do -- the group has prevented Conficker-infected PCs from doing any real harm. Commands issued to the botnet fall down a metaphoric "sinkhole" and don't reach the compromised computers.

But the persistence of Conficker -- Microsoft called the worm "obstinate" -- means that the working group has a tiger by the tail, and can't let loose. If the group stops its sinkholing efforts, the millions of PCs infected with the worm could again revert to hacker control.

Microsoft's antivirus tools have detected a huge increase in Conficker in the last three years. Fortunately, the botnet remains cut off from its makers. (Image: Microsoft.)

That's a frustrating job, said Jose Nazario, the manager of security research at Arbor Networks, a member of the Conficker Working Group (CWG).

"CWG is still active, still sinkholing, still alerting people." said Nazario in an email reply to questions. "We have no plans at present to [end] the sinkhole effort, although with each passing year the question comes up, and it gets harder to keep asking people to keep names pointed at the sinkholes."

Conficker remains active because of the multitude of ways it spreads from one infected PC to another.

"Conficker can travel on its own without the need of C&C servers," noted Andrew Storms, director of operations at nCircle Security. "So it's a bit like a headless hydra, making its way aimlessly."

The most common vector, said Rains, is guessing the administrative password of an infected computer using a hard-coded list of simplistic passwords, such as "12345," "coffee" and "mypassword."

"This list is still being very successful," said Rains, who went on to cite Microsoft-collected data that showed that between 54% and 89% of all Conficker actual or attempted infections were conducted by abusing weak or stolen passwords.

"The call to action is pretty clear," Rains continued. "People inside organizations have to implement strong passwords."

In the 12th edition of its twice-yearly Security Intelligence Report, released yesterday, Microsoft offered companies ways to detect Conficker and clean their networks of the worm.

It also urged all Windows users to ensure they have applied the pertinent patch -- MS08-067 -- and for Windows XP and Vista machines, the March update that disables AutoRun.

The 126-page Security Intelligence Report can be found on Microsoft's website ( download PDF).

More information about Conficker is also available on the Conficker Working Group website.

Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer, on Google+ or subscribe to Gregg's RSS feed. His email address is gkeizer@computerworld.com.

See more by Gregg Keizer on Computerworld.com.

Read more about malware and vulnerabilities in Computerworld's Malware and Vulnerabilities Topic Center.

Join the newsletter!

Or

Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.

More about Andrew Corporation (Australia)AppleArbor NetworksGoogleHotmailMicrosoftnCircleSymantecTopicVeriSign Australia

Show Comments
[]