Conficker: Still spamming after all these years

Summary: How pathetic is the security in many enterprises? Almost six years since the patch to stop it was issued, Conficker is still one of the most common threats.

TOPICS: Security, Windows

A recent TrendLabs Security Intelligence Blog entry reminds us of just how immune some enterprises are to reasonable security practices. It turns out that Conficker (which they call DOWNAD, one of a few names for this threat) is still the most common form of malware found in enterprises and small businesses.

Conficker was quite a big deal back in late 2008 and early 2009. When Microsoft released MS08-067 ("Vulnerability in Server Service Could Allow Remote Code Execution") out of band on October 23, 2008, they were "...aware of limited, targeted attacks attempting to exploit the vulnerability." There wasn't any proof-of-concept code available, but the vulnerability — which allowed a vulnerable machine to be compromised remotely by any other host on the local area network — was tailor-made for a network worm.

Technically, Windows Vista and the beta of Windows 7, then in circulation, were vulnerable, but several factors, mainly the default firewall configuration, mitigated the threat. It was Windows XP that was really in danger. And even though Microsoft had released a patch, everyone knew that a major worm event was coming.
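The check an administrator would want after reading the above is whether MS08-067 is actually installed on the fleet. This is an added example, not code from the article or from Microsoft; it assumes the hotfix id KB958644 (the update Microsoft shipped for MS08-067, not mentioned in the article) and that the caller has WMI access to the listed hosts.

```powershell
# Added example: report, per host, whether the MS08-067 update (KB958644) is present
# and whether the host is still running an end-of-life OS such as Windows XP or 2003.
function Test-MS08067Patch {
    param(
        [Parameter(Mandatory)][string[]]$ComputerName,
        [string]$HotFixId = 'KB958644'   # assumed: the KB id Microsoft assigned to MS08-067
    )
    foreach ($c in $ComputerName) {
        try {
            # Caption looks like "Microsoft Windows XP Professional"; used to flag EOL systems.
            $os = (Get-CimInstance -ClassName Win32_OperatingSystem -ComputerName $c -ErrorAction Stop).Caption
            # Filter client-side rather than using -Id so a missing hotfix is "absent", not an error.
            $patched = [bool](Get-HotFix -ComputerName $c -ErrorAction Stop |
                              Where-Object { $_.HotFixID -eq $HotFixId })
            [pscustomobject]@{
                Computer = $c
                OS       = $os
                Patched  = $patched
                EndOfLife = ($os -match 'Windows XP|Windows Server 2003')
                Error    = $null
            }
        } catch {
            # Unreachable or access-denied hosts are reported rather than silently skipped.
            [pscustomobject]@{ Computer = $c; OS = $null; Patched = $null; EndOfLife = $null; Error = $_.Exception.Message }
        }
    }
}

# Hypothetical host names, constructed for the example.
Test-MS08067Patch -ComputerName 'ws-01', 'ws-02', 'plc-hmi-03' |
    Where-Object { -not $_.Patched -or $_.EndOfLife -or $_.Error } |
    Format-Table -AutoSize
```

Hosts that show `Patched = False` or `EndOfLife = True` are the ones that keep a worm like Conficker alive on a LAN, so they belong at the top of the remediation list.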

When it came it was big enough that a special industry group (the Conficker Working Group) was formed to coordinate response. Conficker propagated through a crazy randomized domain name scheme that was shut down through coordinated industry action. Wikipedia has a good description of how it worked and how it was shut down. But that still left it other ways to propagate, such as through spam and network shares. In fact, Trend Micro says that 45 percent of malware-related spam emails they detected in Q2 of this year were delivered by Conficker systems.

How many of these are still out there? The Conficker Working Group still tracks Conficker traffic. On Tuesday, July 1 they detected 1,148,345 unique IPs, which isn't the same as the number of infected systems: NAT hides many machines behind a single address, while DHCP churn makes one machine show up under several. The real count could be much larger or smaller, but in any case it's still a big number, certainly in the hundreds of thousands.

If I'm not mistaken, Conficker was the last of the great Windows worms, which underscores the other lesson to learn from this: Enterprise endpoints running modern operating systems (generally Windows 7) don't have much of a malware/vulnerability problem. For many reasons, such as more secure coding practices, automatic updating and better Internet Explorer versions, users really have to try in order to get themselves infected. As XP dies away, most of the malware problem will die with it.

But will it actually die? I would assume that so many users who are still running ancient, vulnerable and infected computers at this date will not stop using them until the system is as dead as the Titanic.

Remember, these systems are in businesses, many with actual IT departments. They are responsible for the problem persisting.

  • This is so very sad and irritating

    Every IT department should have someone who works on the security of the network and analyzes existing computers for malware. In their downtime, they should read these articles :).
    Of course, I've worked in companies that had such a position. Usually the person was a little over-focused on users' access to anything (web sites, software, servers, etc.) rather than making sure everything was kept updated with patches.
    • Not just IT

      The problem with Conficker is that you have to physically remove all infected devices from the network, clean them, patch them. If you miss one PC the whole thing starts again, as the PC that has been cleaned will be infected again before you can apply the patches.

      Try telling a large manufacturing concern that you need to stop their 24h shifts for a couple of days, take all PCs off line and slowly reintroduce them. It is "cheaper" for them to live with the infection. It is hard enough to do in a business that works 9-5. I had to spend 2 weekends doing the clean up on 3 sites.
      • I agree. I've seen Conficker in action in a large company.

        It's exactly as you described. It just would not happen with Linux, guaranteed.

        Windows allows itself to be constantly infected and many constantly suffer.
  • I refuse to fix Windows. It's pointless.

    Repairing infected Windows is a tremendous waste of time and energy. It's a black hole of wasted time.
    • I suppose I could refuse to fix windows

      But, my clients would fire me, and find someone who will. "Mine is not to question why . . ." All of my business is based upon customer referrals. If I refuse to help them, when they have problems, they are not going to feel very kindly toward me.
      • I can understand that need.

        But, for me it's more of a goal to take people off the speeding train that will absolutely derail down the line.

        I converted an adult program to Linux about 4 years ago and the computers have been working fine. I haven't received even one callback. I have kept in touch and everything is working fine. Getting someone on Linux means getting them away from worrying about infections, AV and maintenance. To me it's just the right thing to do. I've seen too many people needlessly suffer with Windows over the decades.

        Recently I installed Linux Mint 17 on a couple of hosed Win7 computers, a Dell All-in-one unit and a Gateway notebook. People transition fine and may have some apprehensions about using Linux. But, as time goes by and they hear friends and relatives complain about infections and what they have to pay to remove them, they begin to truly appreciate the value of having and using Linux.
      • Most people are web oriented now anyway.

        For me, using web applications like are far superior to using TaxAct or other programs that require installation on the computer.
      • I bought a Pontiac Grand Am a while ago.

        I bought it for a family member and thought it would be a great little car because it had a 4-cylinder engine and would be easy to work on. (I do most of my own maintenance and repair.)

        It turned out to be a mechanical nightmare, it had what was called a "Quad 4" engine. Just replacing the water pump was a major operation that could cost $600. ... that is if you could find a mechanic that was willing to work on the car. The engine had to be disconnected and hoisted up to replace the water pump. I've had mechanics that were in business for over 30 years tell me they would not touch the car. Other mechanics said I would have to sign a special waiver that protected them basically by me agreeing to pay for anything else they broke while trying to fix the original problem. Bottom line, I learned a valuable lesson not to get involved with anything that used a "Quad 4" engine.

        Windows is obviously just like the above example. People generally aren't smart enough to realize how they are being totally abused with Windows. You can thank MS for their propaganda aimed at blaming users and other applications (including IE) for the maladies. Microsoft and many others blame the users for problems, when in reality, the same users can use Linux for many years without any problems. It's not the user's fault, the OS can't protect itself from random infections and relies on AV products. AV products that have proven to be ineffective. I can run the old IE-6 (unpatched) on Linux without any worries about security. What does that say about decades of MS blaming IE and other applications for infections?

  • I Don't Think This is Strictly a Windows Issue

    This article is all the more poignant, because Windows users and supporters should know better. With decades of experience concerning Windows malware it seems imbecilic to think that patches aren't applied. But considering that people aren't prone to poke themselves in the eye over and over again, I have to assume there is a logical reason for not patching. Since I don't know of anyone who uses, or supports, Windows and doesn't patch I have to turn to my Apple friends to find out why they don't patch, and the number one reason given for not patching is because patching breaks stuff.
    • The worst

      are businesses running Linux. They often say they don't need to apply patches, upgrade or even check their servers are secure, because they are running Linux.

      A SUSE install from 2001? That'll be fine, we've never patched it! :-(
      • And Apple

        There was talk in the blogosphere that Apple should be sued for giving consumers the impression that they are safe. We even have idiots online who insist that Apple never had a virus. Usually, these discussions end with someone providing a link to NIST or Symantec outlining how the vulnerabilities-of-the-month were mostly Apple products and, when someone suggested that they never have seen a reference to an Apple virus or they are waiting to hear about the first Apple virus, I usually provide them with a link and say, "Here you go!!" People believe that what they hear on the internet is true mostly because they WANT to believe. Then they carry this stuff over to their job and they mess up all of their customer base.
        • You are really looking at this the wrong way.

          If you work for a major software company you can see exactly what is really happening.

          1. The OS should not allow any infections. Applications should not be able to access or take over computers. This is what Linux does so well. Running unpatched IE-6 on Linux does not create any security issues. But Microsoft is vulnerable. Microsoft is lying when it blames applications for security issues. They know that the fault is always with a poorly designed OS. People start believing the applications are faulty, and it removes the focus on a defective OS, so Windows can continue to be sold as a viable OS.

          2. When an application issue causes problems for Windows, the application is adjusted for Windows. This modification is now passed on to sister applications running on Linux and Apple. So when someone goes to a database and sees a vulnerability for Linux, it's something that is just housekeeping, because the actual vulnerability was for when the app was used on Windows. Whatever the issue, it's also being fixed on versions for Linux and Apple, but it does not mean there was an actual vulnerability for Apple or Linux. Apple is much bigger financially than MS and Apple users (like Linux users) just don't have issues with infections or their computers being taken over maliciously.
      • I think you are trying to make a point, but can't come up with proof.

        I run Mint 17 Cinnamon on 7 computers at home. I run the update manager on my netbook, but it's never been because I was in the 11th hour trying to prevent a security problem or infection. I've been using Linux for 14 years without ever using AV and have never seen any Linux box get infected, and I subscribe to Linux Forums.

        Basically, what I see when I do update is updates for installed software like Chrome, Chromium, Firefox, LibreOffice, and generic Linux applications. i.e. enhancements to the programs. Linux is running fine without UEFI, secure boot, AV or any other protection products. It just does not get infected.

        Unfortunately, many people from the Microsoft ecosystem cannot understand that concept at all. They have been spoon fed MS propaganda that ALL OS's get infected and need extra protection. Which is absolutely not true. Microsoft does this to keep people believing that iniquity in the design of the OS is to be tolerated and expected.
      • When I scan a Win7 hard drive, I usually get 2,000 to 3,000 infections.

        People see modifications to applications to appease the Windows monster. ...When, really, the OS should be made secure. But Microsoft doesn't really do that. If you got involved with TDL-4 or Stuxnet you would realize that third party AV suppliers like McAfee and Symantec provide data and analysis to Microsoft for these infections and probably create and FedEX the patches to Microsoft. Microsoft isn't interested in security, they are interested in delegating responsibility and blame to third parties and minimizing expenses.

        Microsoft's philosophy on security is to hack out software as fast as possible with virtually no regard for security and sit back and wait for zero-day and other infections to happen. Then they wait for third parties to figure out the problem and offer ways to patch it. In the end, the consumer is the true victim and bears the costs of repair.

        Check out this Symantec analysis of Stuxnet and then tell me where Microsoft did any research to fix the problem. Basically the AV companies and Microsoft work together and feed each other, while the customer always is at risk.
    • Should Know Better

      The fact is, businesses, including the largest enterprises, don't care. I had a lecture from an upper executive who said that the ONLY important thing is getting the business need taken care of and on schedule. Security is not important. And then the FBI shuts you down, you get a big slap on the wrist and then it is business as usual. The problem is that the individual employees don't think that it may be THEIR personal data that is on the line. If it is someone else's, who cares?! Lose a laptop and report it, you get another FBI and DHS investigation. New rule: don't ever report it again.
  • Some people just don't want to know.

    The platform doesn't matter. "There's work to be done and I don't need all the hassle of some update or whatever that I don't understand and probably don't need anyway." What can you do? Any attempt at an explanation or a fix puts you in the position of just being another problem that isn't wanted.
    • Bingo!

      Exactly. A whole generation of lazy idiots. All they want are things to make their lives easier even if they destroy the lives of others.
      • It's wise to be careful.

        Windows' survival relies on the company blaming users for intrinsic faults. Items installing themselves don't require user intervention. Put the same person on Linux and there are no problems.

        Microsoft relies on its success at blaming users, AV companies, applications, etc. People posting here play right along with that false concept and disparage users for Microsoft problems that are directly the only result of a poorly designed OS.