Old pieces of malware, especially successful ones, don’t really die. They tend to fade into the background as newer attacks come to the fore and grab the headlines. Such is the case for one of the most notorious headline-grabbing pieces of malware of all time: Conficker. Not only has Conficker not disappeared, attacks from the worm have actually started to increase again, according to new data.
In case you’ve purged it from your memory, Conficker emerged in late 2008 and made a major splash in the early part of 2009 when researchers discovered that the worm had an update scheduled for April 1. The update was just a new algorithm that would give the infected machines a new set of C&C servers to contact, but it somehow turned into weeks of speculative stories about the imminent meltdown of the Internet’s core. In reality, nothing much happened, except that computers continued to get infected by Conficker.
That was three years ago, and Conficker has largely fallen off the radar in terms of attention. That isn’t necessarily true when it comes to new attacks, though. Data compiled by Microsoft and published in its new quarterly Security Intelligence Report shows that the average number of Conficker attacks per computer grew from 15 in the first quarter of 2011 to 35 in the fourth quarter.
Cleaning tools for Conficker have been available for several years now, and the vulnerabilities the worm exploits have been patched for even longer. Microsoft’s research found that the large majority of Conficker infections, 92 percent, come from stolen or weak passwords; the rest come from exploits against flaws for which patches are available.
“Once later variants of Conficker infect a computer, they attempt to spread by copying themselves into administrative shares of other computers on the network. First the malware tries to use the current user’s credentials to copy itself, but if that fails it attempts to exploit weak passwords; the worm uses a pre-existing list of common weak passwords that it carries with it. If that fails, Conficker remains dormant until new credentials are available. If a remote administrator logs into the infected computer to try to clean it or diagnose problems caused by the worm, Conficker uses the administrator’s login token to infect as many computers as possible. The combination of these credential-based attacks accounted for 100% of all recent infection attempts from Conficker targeting Enterprise Microsoft Forefront Endpoint Protection users on Windows 7 and Windows Vista platforms,” Microsoft’s Malware Protection Center said in a blog post.
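The spread pattern Microsoft describes, one host trying its list of weak passwords against the administrative shares of many other machines and then logging in wherever one sticks, leaves a recognisable trace in centrally collected Windows logon events: a burst of failed network logons (event 4625, logon type 3) from a single source against many target hosts, sometimes followed by a successful network logon (event 4624) from the same source. The script below is an added detection example, not code from the article or from Microsoft. It runs over constructed log lines in a simplified pipe-delimited format that stands in for exported Security log events; the field layout, host names, account names, window size and threshold are all assumptions for illustration.

```python
"""Flag hosts that fail network logons against many peers in a short window,
the pattern a credential-guessing worm such as Conficker leaves behind."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records (not real Windows output). Simplified layout:
# timestamp | event id (4625 = failed logon, 4624 = successful logon)
#           | source workstation | target host | account | logon type (3 = network)
# WS-17 sprays one account against five hosts and finally gets onto APP-02;
# WS-04 is a user mistyping a password twice, 90 minutes apart.
SAMPLE_LOG = """\
2012-04-26T10:00:01|4625|WS-17|FS-01|Administrator|3
2012-04-26T10:00:02|4625|WS-17|FS-01|Administrator|3
2012-04-26T10:00:04|4625|WS-17|FS-02|Administrator|3
2012-04-26T10:00:05|4625|WS-17|FS-03|Administrator|3
2012-04-26T10:00:07|4625|WS-17|APP-01|Administrator|3
2012-04-26T10:00:08|4625|WS-17|APP-02|Administrator|3
2012-04-26T10:00:09|4624|WS-17|APP-02|Administrator|3
2012-04-26T10:03:00|4625|WS-04|FS-01|jsmith|3
2012-04-26T11:30:00|4625|WS-04|FS-01|jsmith|3
"""


def parse_line(line):
    """Split one constructed record into a dict with typed fields."""
    ts, event_id, src, dst, account, logon_type = line.strip().split("|")
    return {
        "time": datetime.fromisoformat(ts),
        "event_id": int(event_id),
        "src": src,
        "dst": dst,
        "account": account,
        "logon_type": int(logon_type),
    }


def parse_log(text):
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def detect_spray(events, window=timedelta(minutes=5), min_targets=3):
    """Return {source_host: finding} for every source whose failed network
    logons hit at least `min_targets` distinct hosts inside any `window`.
    Each finding lists the targets seen in qualifying windows and any host
    the same source logged on to successfully after the spray began."""
    by_src = defaultdict(list)
    for ev in events:
        if ev["logon_type"] == 3:  # only network logons, i.e. share access
            by_src[ev["src"]].append(ev)

    findings = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["time"])
        failures = [e for e in evs if e["event_id"] == 4625]
        start = 0
        # Sliding window over the failures, ordered by time.
        for end in range(len(failures)):
            while failures[end]["time"] - failures[start]["time"] > window:
                start += 1
            targets = {e["dst"] for e in failures[start:end + 1]}
            if len(targets) >= min_targets:
                f = findings.setdefault(
                    src, {"first_seen": failures[start]["time"], "targets": set()})
                f["targets"] |= targets
        if src in findings:
            f = findings[src]
            f["later_success_on"] = sorted(
                {e["dst"] for e in evs
                 if e["event_id"] == 4624 and e["time"] >= f["first_seen"]})
            f["targets"] = sorted(f["targets"])
    return findings


if __name__ == "__main__":
    for src, finding in detect_spray(parse_log(SAMPLE_LOG)).items():
        print(f"{src}: failed logons against {finding['targets']} "
              f"from {finding['first_seen']}; "
              f"later succeeded on {finding['later_success_on']}")
```

The threshold and window are deliberately low here so the constructed sample trips them; in a real environment tune them to the number of hosts a workstation legitimately touches, and treat a success following a spray (the `later_success_on` field) as the finding that needs immediate containment, since it marks where the worm found a password that worked.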
Because of the way Conficker spreads, it doesn’t take much for a corporate environment to get into the weeds once a machine or two is infected.
“A single computer with a weak password could easily be enough to cause a major disruption inside a corporate network, especially considering the increasing trend in the number of Conficker attacks per computer,” Microsoft said.