8 Reasons Conficker Malware Wont Die

  /     /     /  
Publicated : 22/11/2024   Category : security


8 Reasons Conficker Malware Wont Die


Poor corporate password practices and continuing use of Autorun help explain why eradicating this three-year-old worm has been so difficult.



Obstinate. Thats how Microsoft has labeled Conficker, which, despite being three years old and targeted for eradication, continues to survive--and even thrive--in corporate networks.
As recently as the fourth quarter of 2011,
Conficker variants
launched 59 million attacks against 1.7 million unique PCs, according to the latest installment of the
Microsoft Security Intelligence Report
, which reviewed attack trends for the second half of 2011. Whereas most malware disproportionately affects consumers, the report found that Conficker is more prevalent on domain-joined computers, meaning business machines.
Here are eight reasons why killing Conficker remains so tough:
1. Conficker was built to topple business networks.
Conficker is designed to persist. All of the worms payload traffic is encrypted, making infections difficult to spot. The worm can also disable many types of free antivirus software as well as Microsoft Windows Update, thereby disabling automatic security updates. That not only buys the worm time to spread, but can provide a
toehold for other malicious software
, thus compounding businesses security problems.
[ Is Apples Walled Garden Approach To Security Becoming Obsolete? Read more at
After Flashback, Apple Walled Gardens Wont Help
. ]
2. The worm spreads via Autorun.
More recent variations of Conficker attempt to auto-execute via Autorun, which helps it spread not just via network shares, but also USB keys and other types of removable storage. Accordingly, Microsoft has recommended
disabling Autorun
.
3. Weak passwords help Conficker.
When Conficker first infects a PC, it attempts to use the users current credentials to copy itself to administrative shares, thereby spreading the infection. If that fails, the worm switches to a more aggressive approach. Conficker has a small dictionary of passwords that is used in a brute-force attack against other machines in the network, and it continues to be surprisingly effective, said Wolfgang Kandek, CTO of Qualys, in a
blog post
. How weak or common are these passwords? Try words or numbers such as 0000, 1111, Admin, and coffee. [Confickers] dictionary attack is very basic and is prevented even by enforcing simple password composition policies, i.e. adding [numbers] and special characters to only alpha-type passwords, he said.
4. Conficker can remain dormant.
If, after trying all of the above, Conficker still fails to spread to admin shares, it will simply hibernate. What brings it back to life? That would be an administrator, using
admin credentials
to log onto the machine, perhaps while investigating a users reports of suspicious behavior. Once the PC has been accessed using admin credentials, the worm will again attempt to use these permissions to copy itself around the network.
5. Conficker spreads without bugs.
Most malware targets known vulnerabilities. But according to Microsoft, the above password-attack vectors accounted for 100% of all recent infection attempts from Conficker targeting ... users on Windows 7 and Windows Vista platforms. Likewise, 91% of Conficker attacks against Windows 2003 machines targeted passwords, while only 9% targeted a
vulnerability patched by Microsoft in October 2008
.
6. Repeat outbreaks are common.
Confickers continued spread highlights the ongoing use of
weak passwords
. During the first quarter of 2011, the average number of times Conficker attacked a single computer was 15, but by the fourth quarter that number had more than doubled to 35, reported Microsoft. The sheer volume of repeat attacks suggest that businesses are failing to eradicate Conficker from every PC inside the enterprise after they detect an infection. As a result, copies of the worm persist, triggering subsequent outbreaks.
7. Virtualization may stoke the worms spread.
Some security watchers see virtualization as another culprit behind Confickers continued existence. VM sprawl--or the idea that a virtual machine can be easily created and then archived--means there are many virtual machines offline without security updates. Then, when these machines are brought back online, they can get re-infected very easily, said Kapil Raina, a director at Zscaler, via email. With todays move to the cloud and leveraging services like AWS EC2, there are many, many virtual machines without proper patching. Its like a time bomb waiting to happen when they come back online.
8. Businesses ignore security basics.
Want to keep Conficker out of your enterprise? Keep antivirus definitions up to date, disable Autorun, and assess any potential risk you could face if your company uses outdated, virtualized operating systems.
Finally,
get tough on passwords
. A single computer with a weak password could easily be enough to cause a major disruption inside a corporate network, especially considering the increasing trend in the number of Conficker attacks per computer, said Joe Blackbird of the Microsoft Malware Protection Center (MMPC), in a
blog post
.
InformationWeek is conducting a survey to get a baseline look at where enterprises stand on their IPv6 deployments, with a focus on problem areas, including security, training, budget, and readiness. Upon completion of our survey, you will be eligible to enter a drawing to receive an 16-GB Apple iPad. Take our
InformationWeek IPv6 Survey
now. Survey ends May 11.

Last News

▸ Travel agency fined £150,000 for breaking Data Protection Act. ◂
Discovered: 23/12/2024
Category: security

▸ 7 arrested, 3 more charged in StubHub cyber fraud ring. ◂
Discovered: 23/12/2024
Category: security

▸ Nigerian scammers now turning into mediocre malware pushers. ◂
Discovered: 23/12/2024
Category: security


Cyber Security Categories
Google Dorks Database
Exploits Vulnerability
Exploit Shellcodes

CVE List
Tools/Apps
News/Aarticles

Phishing Database
Deepfake Detection
Trends/Statistics & Live Infos



Tags:
8 Reasons Conficker Malware Wont Die