A recent TrendLabs Security Intelligence Blog entry reminds us of just how immune some enterprises are to reasonable security practices. It turns out that Conficker (which they call DOWNAD, one of a few names for this threat) is still the most common form of malware found in enterprises and small businesses.
Conficker was quite a big deal back in late 2008 and early 2009. When Microsoft released MS08-067 ("Vulnerability in Server Service Could Allow Remote Code Execution") out of band on October 23, 2008, it said it was "...aware of limited, targeted attacks attempting to exploit the vulnerability." No public proof-of-concept code was available yet, but the vulnerability was tailor-made for a network worm: a flaw in the Server service's path handling that an unauthenticated attacker could trigger over SMB (TCP port 445) on Windows 2000, XP and Server 2003, so any machine that could reach that port on a vulnerable host could compromise it.
Technically, Windows Vista and the beta of Windows 7, then in circulation, were vulnerable too, but several factors, mainly a default firewall that blocked inbound SMB, mitigated the threat. It was Windows XP that was really in danger. And even though Microsoft had released a patch, everyone knew that a major worm event was coming, because enterprise patch deployment lags by weeks or months.
When it came it was big enough that a special industry group (the Conficker Working Group) was formed to coordinate the response. Infected machines looked for updates through a randomized domain-name scheme: each day the worm generated a fresh list of candidate domains and tried to contact them, and the Working Group, together with registrars, pre-registered or sinkholed those domains so the operators could not use them. Wikipedia has a good description of how it worked and how it was shut down. Cutting off the update channel did not stop the worm from spreading, though: it still moved through MS08-067, network shares protected by weak passwords and removable drives via autorun, and infected machines were put to work sending spam. In fact, Trend Micro says that 45 percent of malware-related spam emails they detected in Q2 of this year were delivered by Conficker systems.
How many of these are still out there? The Conficker Working Group still tracks Conficker traffic. On Tuesday, July 1 they detected 1,148,345 unique IPs, which isn't the same as the number of systems: NAT can hide a whole office behind one address, and DHCP can make one machine show up under several addresses in a day. The real figure could be much larger or smaller, but in any case it's still a big number, certainly in the hundreds of thousands.
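If you want to know whether your own network is contributing to that count, the worm's daily domain lookups are a usable signal: most of the generated names were never registered, so an infected host produces a burst of NXDOMAIN answers for random-looking names. What follows is an added example, not code from the original post or from the Conficker Working Group: a generic heuristic run over constructed resolver log lines. The log format, client addresses and domain names are made up, and the randomness test is a simple vowel/consonant/entropy check, not Conficker's actual domain-generation algorithm.

```python
"""Flag hosts whose failed DNS lookups look like DGA traffic.

Added example, not from the original post. The heuristic is generic: it is
not Conficker's actual domain-generation algorithm, and all log lines below
are constructed, not captured.
"""
import math
import re
from collections import defaultdict

# Constructed resolver log: "<timestamp> <client ip> <query name> <rcode>".
SAMPLE_LOG = """\
2014-07-01T09:00:01 10.0.3.17 www.example.com NOERROR
2014-07-01T09:00:02 10.0.3.17 mail.example.com NOERROR
2014-07-01T09:00:03 10.0.3.17 www.examlpe.com NXDOMAIN
2014-07-01T09:00:04 10.0.3.42 update.microsoft.com NOERROR
2014-07-01T09:00:05 10.0.3.42 qzjxvfkpl.biz NXDOMAIN
2014-07-01T09:00:05 10.0.3.42 hrtmkwqxz.info NXDOMAIN
2014-07-01T09:00:06 10.0.3.42 bvnxotrkw.org NXDOMAIN
2014-07-01T09:00:06 10.0.3.42 kpzqmwlvt.net NXDOMAIN
2014-07-01T09:00:07 10.0.3.42 ydtxnrcvb.com NXDOMAIN
2014-07-01T09:00:08 10.0.3.99 gtrwxqlmp.biz NXDOMAIN
2014-07-01T09:00:09 10.0.3.99 www.example.org NOERROR
this line is malformed and must be skipped
"""

CONSONANT_RUN = re.compile(r"[b-df-hj-np-tv-z]+")


def shannon_entropy(s):
    """Bits per character over the string's own symbol distribution."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registrable_label(name):
    """Approximate the label just left of the TLD ("qzjxvfkpl" in qzjxvfkpl.biz).
    Approximation: two-part public suffixes such as co.uk are not handled."""
    labels = name.lower().rstrip(".").split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def looks_random(label):
    """Heuristic for machine-generated labels: few vowels, a long consonant run,
    or a near-uniform character distribution. Thresholds are assumptions."""
    if len(label) < 6:
        return False
    vowel_ratio = sum(ch in "aeiou" for ch in label) / len(label)
    longest_run = max((len(m) for m in CONSONANT_RUN.findall(label)), default=0)
    return vowel_ratio < 0.3 or longest_run >= 5 or shannon_entropy(label) > 3.3


def parse_log(text):
    """Yield (client, name, rcode) for well-formed lines; skip anything else."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # malformed line: skip rather than crash the sweep
        _, client, name, rcode = parts
        yield client, name, rcode


def flag_hosts(text, min_random_nx=4, min_random_fraction=0.75):
    """Return {client: stats} for clients whose NXDOMAIN answers are mostly
    random-looking names. Thresholds are assumptions to tune per network."""
    stats = defaultdict(lambda: {"nxdomain": 0, "random_nxdomain": 0})
    for client, name, rcode in parse_log(text):
        if rcode != "NXDOMAIN":
            continue
        s = stats[client]
        s["nxdomain"] += 1
        if looks_random(registrable_label(name)):
            s["random_nxdomain"] += 1
    return {
        client: s for client, s in stats.items()
        if s["random_nxdomain"] >= min_random_nx
        and s["random_nxdomain"] / s["nxdomain"] >= min_random_fraction
    }


if __name__ == "__main__":
    for client, s in sorted(flag_hosts(SAMPLE_LOG).items()):
        print(f"{client}: {s['random_nxdomain']}/{s['nxdomain']} random-looking NXDOMAIN answers")
```

Run against the constructed log, only 10.0.3.42 is flagged: the typo lookup from 10.0.3.17 and the single odd name from 10.0.3.99 stay below the count threshold, which is the point of requiring a burst rather than reacting to one strange query. On a real network, feed it the resolver's query log and raise the thresholds until legitimate hosts drop out.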
If I'm not mistaken, Conficker was the last of the great Windows worms, which underscores the other lesson to learn from this: Enterprise endpoints running modern operating systems (generally Windows 7) don't have much of a malware/vulnerability problem. For many reasons, such as more secure coding practices, automatic updating and better Internet Explorer versions, users really have to try in order to get themselves infected. As XP dies away, most of the malware problem will die with it.
But will it actually die? I would assume that so many users who are still running ancient, vulnerable and infected computers at this date will not stop using them until the system is as dead as the Titanic.
Remember, these systems are in businesses, many with actual IT departments. They are responsible for the problem persisting.