The Conficker Worm: The Worm that Refuses to Die
Over the last decade numerous worms have infected a very large number of systems. In many people’s minds, no worm was more prolific than the MSBlaster worm and its numerous variants, which according to some estimates infected over one million Windows systems. Afterwards several worms, such as the Beagle and Sober worms and their variants, surfaced and spread widely for a substantial period of time. Then, to the relief of the information security community, they died, and fewer and less prolific worms emerged in their place. Just as this community started to take the worm threat less seriously and began instead to turn its attention to other threats, the Conficker worm, also called the Downadup worm, struck. This worm is by far the most widely spread computer worm ever. Since surfacing in November 2008, Conficker and its variants have, according to numerous estimates, compromised more than 11 million Windows systems, including a remarkable 1.1 million of these systems in just a 24-hour period last January.
As I write, the end of Conficker is nowhere in sight. Part of the reason is that Conficker exploits a vulnerability in the Windows Server service (described in Microsoft Security Bulletin MS08-067) that allows execution of rogue code if a system receives a specially formed Remote Procedure Call (RPC) request. This vulnerability is found in Windows 2000, Windows XP, and Windows Server 2003. Although a Microsoft-supplied patch has been available since last October, a surprisingly large number of Windows systems remain unpatched, and as such are prime targets for Conficker. Additionally, Conficker attempts to exploit weak passwords to obtain unauthorized remote Administrator-level access to Windows systems via the built-in Administrator share. Bad passwords are also abundant. Conficker thus has a very target-rich environment.
Other, less successful worms of the past have also exploited the vulnerabilities that Conficker exploits, so simply being programmed to exploit these vulnerabilities does not really account for this worm’s astounding success. Conficker’s success is instead in large part due to its use of “drone” versions of its code: versions that are installed on pre-selected sites to harvest domain names to be targeted in subsequent attacks. A variant of Conficker.B distributes its code without actually publishing it on pre-selected sites, thereby hiding the code from malware analysts who are intent on reverse engineering it and on defending the networks that Conficker will target next.
As the number of infections continues to grow, information security professionals are being forced to re-think their approach to countering worms and other types of malware. Conficker got right past systems that ran a variety of endpoint security tools (including the Windows firewall) if the MS08-067 patch was not installed. Numerous anti-virus products also failed to detect and eradicate variants of this worm. Additionally, Conficker shows that worms are not just a threat from yesteryear. Pandora’s Box has been opened again, and it is not likely to be closed any time soon. Defensive measures will be developed to counter the problem, but then malware writers will find ways to circumvent or defeat these measures. The best single solution would be for Microsoft and other operating system vendors to finally build malware-proof operating systems, but I would not hold my breath waiting for this to occur. Meanwhile, you can count on more epidemics such as the Conficker outbreak plaguing the Internet for the foreseeable future.