Opening up a can of worms: Why won't Conficker just die, die, die?

The Conficker worm is now nearly seven years old but remains the most detected piece of malware on the internet. Despite a massive effort to squash it, why does it keep popping up again?
Written by Steve Ranger, Global News Director
Conficker is one of the best known and long surviving internet worms
Image: iStock

Conficker is the internet worm that just won't die. Nearly seven years after it was let loose on the internet, it remains one of the most encountered pieces of malware online, even if its main mission was probably a failure.

The worm exploits a flaw in the Windows Server service discovered back in 2008 (the remote code execution bug Microsoft patched as MS08-067). Microsoft had published a patch for the problem before the first version of Conficker ever appeared - but many consumers and businesses had failed to update their systems accordingly.

Microsoft revealed the flaw and released the patch for it in October 2008; soon after, in late November, the first version of Conficker appeared, followed by four more variants by April 2009.

The worm spread rapidly, exploiting the flaw directly over the network and also copying itself via network shares and USB sticks, and at its height had infected somewhere around 11 million devices.

The worm caused chaos: it cost one UK authority £1.4m to recover from a Conficker infection in 2009, French fighter planes were grounded because of the worm, and one estimate put the global economic cost of the clear-up at more than $9bn.

It wasn't just PCs that were being infected. Paul Vixie, CEO of Farsight Security and part of the team that fought against the Conficker worm, remembers one security expert who phoned a hospital which had a Conficker infection, to help them identify which machines were affected. One device turned out to be a portable X-ray machine in an operating theatre, Vixie told a recent cybersecurity conference.

"It made us wonder what were the other 11 million of these things doing, what part of our digital society was now effectively depending on Conficker for part of its correct operation," he said.

The worm tries to protect itself by blocking access to security websites and switching off antivirus packages, automatic updates and Windows Security Alert notifications - which often leaves the PC open to other malware as well, adding to the headache.

But most of this was just collateral damage. As the worm spread, the fear was that it was rapidly creating a gigantic botnet of infected computers which then sat ready for instructions.

A botnet of this scale could, for example, be used to unleash a denial of service attack against large organisations or vital elements of internet infrastructure, and the prospect had security experts dreaming up nightmare scenarios.

As a report from the cross-industry Conficker Working Group, set up to tackle the worm, later explained: "With millions of computers under its control, many security experts speculated as to what the author would attempt to do. The worst case scenarios were bleak. The worm, properly instructed, could credibly threaten critical infrastructure on the internet. Even the more benign uses could cause severe problems for the public or private sector."

Microsoft even announced a $250,000 reward for information that resulted in the arrest and conviction of those responsible for launching Conficker (the reward has not been claimed so far).

The Conficker botnet was never used for any large-scale attack but became instead a victim of its own success. This makes it something of an oddity: it is one of the best engineered pieces of malware yet seen, but it probably didn't make its authors any money at all.

Conficker is designed to communicate with its controllers by trying to connect to hundreds of different, pseudo-randomly generated internet domain names each day, so its operators need only register one of them to issue instructions. In response to the rapid growth of infections, the tech industry made a massive effort to stop infected PCs from ever 'phoning home': the domain-generation routine was reverse-engineered and the candidate domains, thousands of them, were registered or blocked ahead of time.
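To make the cat-and-mouse game above concrete, here is an added example (not code from the article, and not Conficker's actual generator: its hash construction, seed and TLD list are not reproduced). A toy date-seeded domain generation algorithm yields the same candidate list on every infected host, the operator registers one name from it, and the defenders' only complete counter is to pre-register or sinkhole the whole list for every day they want to cover. The hash, seed and TLDs are assumptions; the per-day counts of 250 and 50,000 are parameters chosen to show how the defenders' cost scales when a worm author raises the daily count.

```python
"""Toy date-seeded domain generation algorithm (DGA) and the defenders'
pre-registration response.  Added example: this is NOT Conficker's algorithm
(its real generator, seed and TLD list are not reproduced here); the hash
construction, TLDs and per-day counts below are assumptions for illustration."""
import hashlib
from datetime import date, timedelta
from typing import List, Set

TLDS = ["com", "net", "org", "info", "biz"]   # assumed list
SEED = b"toy-dga-seed"                        # assumed secret baked into every bot


def dga(day: date, count: int, seed: bytes = SEED) -> List[str]:
    """Derive `count` candidate rendezvous domains for `day`.  Every infected
    host computes the same list, since it depends only on the date and seed,
    so the operator only has to register one of them to issue commands."""
    names = []
    for i in range(count):
        h = hashlib.sha256(seed + day.isoformat().encode() + i.to_bytes(4, "big")).digest()
        length = 8 + h[0] % 5                                  # 8..12 letter label
        label = "".join(chr(ord("a") + b % 26) for b in h[1:1 + length])
        names.append(f"{label}.{TLDS[h[-1] % len(TLDS)]}")
    return names


def sinkhole_set(start: date, days: int, count: int, seed: bytes = SEED) -> Set[str]:
    """Everything the defenders must register or block so that no bot can
    resolve a live command server during the window: the full candidate set
    for every day.  Requires having reverse-engineered `dga` and `seed`."""
    names: Set[str] = set()
    for d in range(days):
        names.update(dga(start + timedelta(days=d), count, seed))
    return names


def bot_phones_home(day: date, count: int, blocked: Set[str], live: str,
                    seed: bytes = SEED) -> bool:
    """A bot walks today's list and succeeds if it meets a live, unblocked
    command domain.  `live` is the one domain the operator registered."""
    return any(name == live and name not in blocked for name in dga(day, count, seed))


def registrations_per_year(count_per_day: int) -> int:
    """Cost to the defenders of staying ahead for a year.  Raising the daily
    count multiplies this directly, which is why a worm author does it."""
    return 365 * count_per_day


if __name__ == "__main__":
    day = date(2009, 4, 1)
    todays = dga(day, 250)
    operator_choice = todays[17]              # the one name the operator registered
    print("no blocking :", bot_phones_home(day, 250, set(), operator_choice))
    print("sinkholed   :", bot_phones_home(day, 250, sinkhole_set(day, 1, 250), operator_choice))
    print("registrations/year at 250/day   :", registrations_per_year(250))
    print("registrations/year at 50000/day :", registrations_per_year(50_000))
```

The sinkhole only works if the defenders block the right day's list: registering tomorrow's names does nothing for a bot running today's list, and any TLD whose registry will not cooperate is a hole in the coverage. Both effects are why the effort described above had to span thousands of domains and many registries at once.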

Who created Conficker remains a mystery, although the worm probably originated in Ukraine, as one version didn't infect systems with Ukrainian IP addresses or a Ukrainian keyboard layout.

Bob McArdle, manager of Trend Micro's Forward Looking Threat Research Team, said: "What happened with Conficker was it got a lot of attention from the security industry. Law enforcement worked together to really try and shut it down to the point where we're pretty sure that the gang who was running it essentially abandoned it. Essentially it got too hot and there was way too much attention on them and they walked away from it."

But even now, nearly seven years after the first variant of the worm was spotted, it continues to infect hundreds of thousands of PCs.

The Conficker Working Group estimates that Conficker traffic is still coming from 800,000 IP addresses, which means there are probably somewhere around 500,000 infected devices still in use (dynamic addressing means a single infected machine shows up behind several addresses over time, so the address count overstates the device count).

According to Microsoft's own Security Intelligence Report, Conficker was the most commonly detected malware on business PCs (those connected to an Active Directory domain) in the last quarter of 2014, its most recently available figures.

"Conficker is a worm that was disrupted several years ago, but continues to be encountered in domain environments because of its use of a built-in list of common and weak passwords to spread between computers," the report noted.

In contrast, Conficker doesn't even make the top 10 list for malware on consumer devices - perhaps because Conficker spreads via network shares and USB drives, which are more common in a business environment.
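The spreading behaviour described above, a built-in list of weak passwords tried against network shares, leaves a distinctive trail in Windows authentication logs: one source host producing a burst of failed network logons against many accounts on the same server, sometimes followed by a success when a weak password hits. The added example below (not from the article or from any vendor's product) runs that detection over a constructed, simplified rendering of Windows failed-logon and successful-logon records (Event IDs 4625 and 4624); the hostnames, accounts, addresses and thresholds are all assumptions.

```python
"""Detecting worm-style credential guessing against network shares from
authentication events.  Added example; SAMPLE_LOG is a constructed, simplified
rendering of Windows logon records (4625 = failed, 4624 = success), not real
telemetry.  Fields: timestamp, event id, target host, account, source IP,
logon type (3 = network logon, which is what share access produces)."""
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, NamedTuple, Tuple

SAMPLE_LOG = """\
2015-03-02T09:00:01 4625 FILESRV01 administrator 10.0.5.23 3
2015-03-02T09:00:01 4625 FILESRV01 admin 10.0.5.23 3
2015-03-02T09:00:02 4625 FILESRV01 backup 10.0.5.23 3
2015-03-02T09:00:02 4625 FILESRV01 guest 10.0.5.23 3
2015-03-02T09:00:03 4625 FILESRV01 test 10.0.5.23 3
2015-03-02T09:00:03 4625 FILESRV01 user 10.0.5.23 3
2015-03-02T09:00:04 4625 FILESRV01 sql 10.0.5.23 3
2015-03-02T09:00:04 4625 FILESRV01 oracle 10.0.5.23 3
2015-03-02T09:00:05 4625 FILESRV01 scanner 10.0.5.23 3
2015-03-02T09:00:05 4625 FILESRV01 owner 10.0.5.23 3
2015-03-02T09:00:06 4625 FILESRV01 jsmith 10.0.5.23 3
2015-03-02T09:00:06 4624 FILESRV01 jsmith 10.0.5.23 3
2015-03-02T09:01:10 4625 FILESRV01 alice 10.0.7.8 3
2015-03-02T09:01:25 4625 FILESRV01 alice 10.0.7.8 3
2015-03-02T09:01:40 4624 FILESRV01 alice 10.0.7.8 3
"""


class Event(NamedTuple):
    ts: datetime
    event_id: int
    target: str
    account: str
    source: str
    logon_type: int


def parse(log: str) -> List[Event]:
    """Parse the whitespace-separated constructed format into Event records."""
    events = []
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, eid, target, account, source, ltype = line.split()
        events.append(Event(datetime.fromisoformat(ts), int(eid), target,
                            account, source, int(ltype)))
    return events


def find_sprayers(events: List[Event], window: timedelta = timedelta(seconds=60),
                  min_failures: int = 10, min_accounts: int = 5) -> Dict[str, Tuple[int, int]]:
    """Sources with >= min_failures failed network logons against >= min_accounts
    distinct accounts inside any sliding `window`.  Returns the peak
    (failures, distinct accounts) seen per flagged source.  A user mistyping
    one password a few times never trips both thresholds at once."""
    by_source: Dict[str, List[Event]] = defaultdict(list)
    for e in events:
        if e.event_id == 4625 and e.logon_type == 3:
            by_source[e.source].append(e)
    hits: Dict[str, Tuple[int, int]] = {}
    for src, fails in by_source.items():
        fails.sort(key=lambda e: e.ts)
        in_window: Counter = Counter()
        lo = 0
        for hi, e in enumerate(fails):
            in_window[e.account] += 1
            while fails[hi].ts - fails[lo].ts > window:     # slide the left edge
                in_window[fails[lo].account] -= 1
                if in_window[fails[lo].account] == 0:
                    del in_window[fails[lo].account]
                lo += 1
            n_fail, n_acct = hi - lo + 1, len(in_window)
            if n_fail >= min_failures and n_acct >= min_accounts:
                hits[src] = max(hits.get(src, (0, 0)), (n_fail, n_acct))
    return hits


def successes_after_spray(events: List[Event], sprayers: Dict[str, Tuple[int, int]],
                          within: timedelta = timedelta(seconds=300)) -> List[Tuple[str, str, str]]:
    """(source, account, target) for successful network logons from a flagged
    source shortly after its failures: the account whose weak password hit."""
    fail_times: Dict[str, List[datetime]] = defaultdict(list)
    for e in events:
        if e.event_id == 4625 and e.source in sprayers:
            fail_times[e.source].append(e.ts)
    found = []
    for e in events:
        if e.event_id == 4624 and e.logon_type == 3 and e.source in sprayers:
            if any(timedelta(0) <= e.ts - t <= within for t in fail_times[e.source]):
                found.append((e.source, e.account, e.target))
    return found


if __name__ == "__main__":
    evs = parse(SAMPLE_LOG)
    sprayers = find_sprayers(evs)
    print("spraying sources:", sprayers)
    print("likely guessed accounts:", successes_after_spray(evs, sprayers))
```

In the constructed sample only 10.0.5.23 is flagged; alice's two typos from 10.0.7.8 are not. The flagged host is the candidate infection to pull off the network, and the account it eventually logged on with is the one whose password needs changing. Because this kind of guessing also trips account-lockout policies, a burst of lockout events (Event ID 4740) from the same server is a useful companion signal, and it is exactly the sort of noise that makes a handful of surviving Conficker hosts so visible in a domain.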

According to security company F-Secure, Conficker is still the malware most likely to be detected by its software, accounting for 37 percent of what it calls 'upstream detections' worldwide. Its impact varies by region - in Europe, Conficker accounts for 27 percent of detections, whereas that rises sharply to 45 percent in Asia and 73 percent in the Middle East, likely because XP is still more widely used there.

Part of the reason why Conficker is still topping the malware charts is that it is quite an attention-grabbing piece of malware, triggering lots of alerts as it tries to spread. As Sean Sullivan, security advisor at F-Secure, explains: "A relatively small number of machines can create a lot of noise."

Conficker helped bring the tech industry together to share intelligence and tackle major threats, something they continue to do. In contrast, it taught virus writers a different lesson.

Staying under the radar is now the preferred option for malware businesses: "They have to gradually scale their business. If they grow too fast, they have competitors who want to take them out or they have law enforcement or antivirus firms that want to take them out. It's a funny business, success can be their undoing," said Sullivan.

Instead of building a botnet and renting it out to generate revenue, for example, there's an increasing trend towards using ransomware: malware that encrypts the files on an infected machine, so that if users want access to their files again they have to pay a ransom, usually a few hundred dollars, to get the key. But even so, being too successful can still bring unwanted attention from the law.

"You can't be too successful in the malware business, or you get taken down by law enforcement. [For example] the Gameover Zeus peer-to-peer botnet that was pushing Cryptolocker - Cryptolocker nailed a few too many midsized businesses in the USA and the FBI worked with international law enforcement to make sure they could disrupt that one," Sullivan said.

Even those criminals still in the botnet business have changed their tactics after Conficker, notes McArdle: "At its height, Conficker had tens of millions of machines, which is going to show up on everybody's radar. Nowadays we don't see that happening so much - a criminal gang may have access to tens of millions of machines, but if they do it, they will split it across multiple botnets even using different malware in each case so that worst case, if one of them gets shut down, they still have all of their other ones."

Windows 7 and 8 devices aren't vulnerable to the flaw the worm exploits, so it's the rump of Windows XP devices that are still causing trouble. Many of these are likely unpatched PCs and those running counterfeit versions of Windows which don't receive security patches. What's more, Microsoft stopped supporting XP in April 2014.

If nobody has got round to clearing Conficker off these PCs so far, they're not likely to do so now. That means Conficker is only likely to die off completely when these devices are finally switched off and thrown away. Considering how much some businesses seem to love the ancient and out-of-support operating system, that could be a while yet.

Conficker infections have been gradually declining for years now, along with usage of Windows XP. In the last year the total number of infections fell by around 400,000 to roughly 800,000. If that trend continues, it could be sometime in 2017 or 2018 before the worm finally disappears, marking the end of the biggest threat to the internet that never quite happened.
