Deep dive into the 10-year old Conficker worm that continues to pose a threat worldwide
- The worm remains a potent threat for organizations especially those in the manufacturing, healthcare and government sector.
- The worm propagates via removable devices, network drives and by attacking the CVE-2008-4250 vulnerability.
Conficker, also known as Downadup, Downup or Kido, is a fast-spreading worm that targets Windows systems. The malware made a major impact after it affected hundreds of millions of Windows devices around the world that were missing the MS08-067 patch in November 2008.
Once installed, Conficker disables many security features and automatic backup settings, deletes restore points and creates a backdoor to receive instructions from a remote location.
The worm remains a potent threat for organizations especially those in the manufacturing, healthcare and government sector.
According to a report from F-Secure, the malware was initially designed to infect as many machines as possible, creating a massive botnet. These infected machines could later be used for numerous crimes, including spreading spam and scareware.
“It is likely that the Conficker Working Group effort to counter the spread did make it more difficult for the author to act with impunity, but the author did not seem to have tried his or her hardest,” said the Conficker working group created by the F-Secure firm.
The worm propagates via removable devices, network drives and by attacking the CVE-2008-4250 vulnerability. The flaw exists in the Server service of legacy Windows versions such as Windows 2000, Server 2002 and Server 2008.
Though the flaw was patched in 2008, it still remains unpatched on thousands of old systems. In 2017, more than 60,000 systems with the CVE-2008-4250 vulnerability were detected across the world.
Once the worm lands on a system, it creates a copy of itself in the recycle bins of all drives that are connected to the infected system's network, as well as on removable devices. Conficker then sets things up so that the malware executes whenever a user browses an infected drive.
“It will then retrieve user account data from the connected systems by enumerating the available servers on a network. As a final step, it will perform a dictionary attack using a predefined password list on these accounts,” said Trend Micro in a blog post.
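The dictionary attack described in the quote above leaves a recognisable trace in Windows Security logs: a burst of failed logons (event 4625) from one source host against many different accounts. The detection below is an added example, not code from the original article or from Trend Micro; the log lines are constructed to look like 4625/4624 events (hostnames, account names and timestamps are invented), and the thresholds are assumptions a defender would tune to their own environment.

```python
"""Flag a source host that fails logons against many accounts in a short window."""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample records shaped like Windows Security events 4625 (failed
# logon) and 4624 (successful logon). Not real telemetry: hosts, users and
# times are invented for this example.
SAMPLE_EVENTS = [
    f"2024-01-01T10:00:{i:02d} EventID=4625 TargetUser={u} SourceHost=WS-17 Status=0xC000006D"
    for i, u in enumerate(
        ["administrator", "admin", "backup", "svc_sql", "guest", "root"] * 2
    )
] + [
    # A user mistyping their own password twice and then succeeding: benign.
    "2024-01-01T10:05:00 EventID=4625 TargetUser=alice SourceHost=WS-03 Status=0xC000006A",
    "2024-01-01T10:05:10 EventID=4625 TargetUser=alice SourceHost=WS-03 Status=0xC000006A",
    "2024-01-01T10:05:30 EventID=4624 TargetUser=alice SourceHost=WS-03",
]


def parse_event(line):
    """Turn one 'timestamp key=value ...' line into a dict (constructed format)."""
    timestamp, *fields = line.split()
    event = dict(field.split("=", 1) for field in fields)
    event["ts"] = datetime.fromisoformat(timestamp)
    return event


def find_dictionary_attacks(lines, min_failures=10, min_accounts=5,
                            window=timedelta(minutes=10)):
    """Return one finding per source host whose failed logons, inside any
    sliding window of `window`, reach `min_failures` attempts spread across at
    least `min_accounts` distinct target accounts."""
    by_host = defaultdict(list)
    for line in lines:
        event = parse_event(line)
        if event.get("EventID") == "4625":
            by_host[event["SourceHost"]].append((event["ts"], event["TargetUser"]))

    findings = []
    for host, attempts in by_host.items():
        attempts.sort()
        in_window = Counter()   # target account -> failures inside the window
        left = 0
        best = None
        for right, (ts, user) in enumerate(attempts):
            in_window[user] += 1
            # Slide the left edge forward until the window fits.
            while ts - attempts[left][0] > window:
                old_user = attempts[left][1]
                in_window[old_user] -= 1
                if in_window[old_user] == 0:
                    del in_window[old_user]
                left += 1
            total = right - left + 1
            if total >= min_failures and len(in_window) >= min_accounts:
                if best is None or total > best["failures"]:
                    best = {
                        "source_host": host,
                        "failures": total,
                        "accounts": sorted(in_window),
                        "start": attempts[left][0],
                        "end": ts,
                    }
        if best:
            findings.append(best)
    return findings


if __name__ == "__main__":
    for finding in find_dictionary_attacks(SAMPLE_EVENTS):
        print(f"{finding['source_host']}: {finding['failures']} failed logons "
              f"against {len(finding['accounts'])} accounts "
              f"between {finding['start']} and {finding['end']}")
```

The two-threshold design matters: counting failures alone would also flag a locked-out user retrying, while requiring many distinct target accounts from one source is what separates a password list being walked across the network from ordinary typos. Lowering `min_accounts` trades that precision for earlier alerts.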
Although the developer of Conficker worm is unknown, researchers have detected variants of the malware over the years.
The group behind Conficker has been constantly updating the worm, and there are now five different variants, ranging from Conficker A to E.
The malware can spread by several means: by copying itself to shared folders, by exploiting the AutoRun feature on removable devices, or by using peer-to-peer networking between infected machines.
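The AutoRun vector mentioned above relies on an autorun.inf file at the root of a removable drive telling Windows what to launch; combined with the recycle-bin hiding spot described earlier, that gives a defender something concrete to inspect. The checker below is an added example and not the article's or any vendor's code: it tolerantly parses an autorun.inf, flags entries that auto-launch a program, and rates as high severity anything loaded from a recycle-bin directory or through rundll32. The two sample files are constructed (the SID-like folder name and the DLL name are invented placeholders), and the severity rules are assumptions.

```python
"""Inspect autorun.inf files for auto-launch entries typical of USB worms."""
import re
from pathlib import Path

LAUNCH_KEYS = {"open", "shellexecute"}
RECYCLE_DIRS = re.compile(r"(recycler|recycled|\$recycle\.bin)", re.IGNORECASE)
RUNDLL = re.compile(r"rundll32", re.IGNORECASE)

# Constructed samples. The second mirrors the technique described in the
# article (a DLL hidden under a recycle-bin folder, launched via rundll32);
# the folder and file names are placeholders, not real indicators.
BENIGN_AUTORUN = "[autorun]\nicon=drive.ico\nlabel=Backup Drive\n"
SUSPICIOUS_AUTORUN = (
    "[autorun]\n"
    "; junk comment lines like this are ignored by Windows and by this parser\n"
    "Action=Open folder to view files\n"
    "Icon=%systemroot%\\system32\\shell32.dll,4\n"
    "shellexecute=RunDLL32.EXE .\\RECYCLER\\S-1-5-21-EXAMPLE\\payload.dll,entry\n"
)


def parse_autorun(text):
    """Return the key/value pairs of the [autorun] section, lower-cased keys.

    Windows' own parser is lenient, so this one skips anything it cannot
    interpret instead of failing on padding or garbage lines."""
    entries = {}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section == "autorun" and "=" in line:
            key, value = line.split("=", 1)
            entries[key.strip().lower()] = value.strip()
    return entries


def autorun_findings(text):
    """Return (severity, message) pairs for entries that launch something."""
    findings = []
    for key, value in parse_autorun(text).items():
        # shell\<verb>\command entries also run a program when the verb is used.
        launches = key in LAUNCH_KEYS or (
            key.startswith("shell\\") and key.endswith("\\command")
        )
        if not launches:
            continue
        if RECYCLE_DIRS.search(value):
            findings.append(("high", f"{key} runs a file from a recycle-bin folder: {value}"))
        elif RUNDLL.search(value):
            findings.append(("high", f"{key} loads a DLL via rundll32: {value}"))
        else:
            findings.append(("info", f"{key} auto-launches a program: {value}"))
    return findings


def scan_drive_root(root):
    """Check <root>/autorun.inf if present; returns [] for a clean or absent file."""
    inf = Path(root) / "autorun.inf"
    if not inf.is_file():
        return []
    return autorun_findings(inf.read_text(errors="ignore"))


if __name__ == "__main__":
    for name, sample in [("benign", BENIGN_AUTORUN), ("suspicious", SUSPICIOUS_AUTORUN)]:
        print(name, autorun_findings(sample) or "no auto-launch entries")
```

`scan_drive_root` is the piece to point at mounted removable media; the `info` rating exists because a plain `open=setup.exe` is common on legitimate installer discs, so only the recycle-bin and rundll32 patterns are treated as high confidence here. Disabling AutoRun through policy remains the more robust control than inspecting each drive.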
Why is it prevalent after all these years?
Despite being nearly a decade old, the worm remains popular with attackers because of the environments in which it thrives: legacy software and unpatched systems.
“Although it is not as exciting to the public eye as more modern malware such as WannaCry and Petya, it remains a persistent threat – and will continue to be as long as unsupported, unpatched legacy systems are still a regular part of an organization’s network,” said Trend Micro.
As long as organizations, especially those in the public sector, do not improve their patching, attackers will be able to use these easy vectors to attack their systems.