Conficker: How Scared Should We Be?

A major update is due for Conficker on Wednesday. But should we fear such a well-understood piece of malware?

“I don’t think that the threat comes from the worm itself, it comes from the people that are in control of the mass of Conficker-infected systems,” said Adriel Desautels, CTO of Netragard. “Those people have an immensely powerful weapon at their disposal, and that weapon threatens all of us.”

But how serious is the threat?

Despite the continued evolution of the worm, there are tools to remove the Conficker infection, and a patch for the Windows vulnerability it exploits. It seems enterprises should have a good handle on the worm. Whether they do or not may depend on who you ask.

Conficker is as far from being a major problem in the typical enterprise, according to Damballa, a company focused on botnet detection: “We do see Conficker compromises in enterprises, but they comprise a minority of the total number of compromises we see in these environments,” said Tripp Cox, vice president of engineering for Damballa. “The majority is the long tail of smaller botnets.”

Conficker, Cox noted, was neither a targeted nor a “low-and-slow” attack, so existing defenses performed reasonably well.

“Our experience with enterprises has been that they tend to do a good job of patch management, which diminished the propagation effects of Conficker in their networks,” he explained. “What compromises did occur, most enterprises were able to quickly track down based on their noisy, brute-force attempts to guess employee passwords.”

Still, millions of PCs have been infected. In February, Fortinet’s threat research team estimated there were about 100,000 exploit attempts each day from Conficker. For March, there has been a slight drop in exploit attempts, but Fortinet expects that number to jump back up in April.

“You would have thought that something like Conficker would be a non-event for enterprises,” said Mark Harris, global director of SophosLabs. “The patch was available early, it should be very straightforward to patch it, it spreads by no password or very, very simple ones … I think the experience that we’ve had over the past couple months is that security policies within organisations are not as good as they think they are.”

Given that it is unknown how Conficker will update itself next, enterprises still need to be on the alert for the worm’s next move. It should be noted though that while Conficker C will begin contacting new domains April 1, the actual update could theoretically be unleashed much later.

“As long as the hacker has not activated any domain, the worm cannot find any active one and thus the return of Conficker will never happen,” Nguyen Tu Quang, CEO of BKIS (Bach Khoa Internetwork Security), said in a statement. “In short, the return of the worm may be on April 1, 2, 3 … or even any arbitrary day, depending on the hacker.”

Quang was optimistic that the efforts of those fighting Conficker—the code of which BKIS researchers say is related to 2001’s Nimda worm—will make a difference.

“We also observe that with their great efforts, Microsoft and Conficker Cabal … have successfully taken control of at least 13 percent [of the] domain names that the Conficker writer may use,” Quang said. “That also means the spreading rate of the worm will be reduced by about 13 percent when it returns.”