The worm that exploits the Microsoft RPC vulnerability, known to most as Conficker or Downadup, has spread across corporate networks and infected an estimated 10 million machines. Though the damage so far has been minimal, researchers said the worst is yet to come.
The fledgling botnet is in place. Zombied machines are awaiting orders, but so far the attacker has sent none. Security researchers are monitoring the more than 200 IP addresses the worm uses to connect infected machines back to the attacker.
"There's no telling what kind of damage this could inflict," said Derek Brown, a security researcher with TippingPoint's DVLabs. "We know that this is usually financially motivated, so we're just waiting to see what happens next."
Brown said the worm's spread peaked more than a week ago, when organizations that had been slow to install Microsoft's MS08-067 patch finally deployed it. But it continues to build its base slowly on corporate networks by spreading via USB sticks and other removable storage. Even when servers and endpoints are fully patched against MS08-067, the worm can still land on one machine on the network and spread from it through mapped drives, Brown said. Adding to the frustration, Conficker/Downadup's code includes a password-guessing routine that has succeeded at companies with weak password policies. The worm also scans other IP addresses, looking for hosts with a hole it can spread through.
Conficker/Downadup worm timeline:
Jan. - Microsoft RPC worm spreads in corporate networks: A worm exploiting the Microsoft RPC vulnerability is wreaking havoc on some corporate networks, according to researchers at security vendor,
Dec. - Microsoft learns of successful RPC worm infections: Microsoft said a number of customers are infected with worms that successfully exploit the RPC flaw and download malware.
Nov. - New malware exploits Microsoft RPC flaw: New malware is targeting the Microsoft RPC flaw, Microsoft warns. Companies should deploy the emergency patch immediately to prevent attacks.
Oct. - Microsoft releases Windows patch to stop worm attack: Microsoft issued an out-of-cycle update, plugging a dangerous hole that could be used to craft a worm attack.
Once a machine is infected, the worm reports back to its controller with the victim's location and other details about the machine. Brown said the worm's author should be able to profit on the black market by carving up the botnet and selling it off by geographic location.
By comparison, the Blaster worm of 2003 exploited a flaw in a Windows RPC service similar to the one Conficker exploits. Blaster exploded onto the Internet, said Thomas Cross, a security researcher with IBM ISS' X-Force team: it reached its propagation peak within eight hours of first appearing, and most of the hosts it would ever infect were infected within a week.
"Conficker did not propagate nearly as efficiently," Cross said. "This worm didn't become a major story until January."
In January, the worm's author added extra propagation vectors: AutoRun on removable media, and spreading to file shares with password guessing. The worm has been effective because it takes advantage of the open file sharing and poor password management prevalent in many businesses.
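As an added illustration of the share-based spreading behaviour described above (this is not code from the article, nor from TippingPoint or IBM ISS), the following Python script flags hosts in a constructed log that show the two symptoms a defender could hunt for: rapid SMB (TCP/445) connection attempts to many distinct internal hosts, and a burst of failed logons against a single target. The log format, the thresholds, and the sample addresses are all assumptions for the example; the AutoRun vector leaves no network trace and is not covered.

```python
"""Flag hosts whose behaviour matches Conficker-style lateral movement:
many TCP/445 connection attempts to distinct hosts in a short window
(scanning for shares), plus bursts of failed logons (password guessing).

Added example; log format, thresholds and addresses are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not a real capture). Format per line:
#   <iso-timestamp> <kind> <src> <dst> <port or username>
SAMPLE_LOG = """\
2009-01-20T09:00:01 flow 10.0.5.17 10.0.5.20 445
2009-01-20T09:00:01 flow 10.0.5.17 10.0.5.21 445
2009-01-20T09:00:02 flow 10.0.5.17 10.0.5.22 445
2009-01-20T09:00:02 flow 10.0.5.17 10.0.5.23 445
2009-01-20T09:00:03 flow 10.0.5.17 10.0.5.24 445
2009-01-20T09:00:03 flow 10.0.5.17 10.0.5.25 445
2009-01-20T09:00:04 flow 10.0.5.17 10.0.5.26 445
2009-01-20T09:00:04 flow 10.0.5.17 10.0.5.27 445
2009-01-20T09:00:05 flow 10.0.5.17 10.0.5.28 445
2009-01-20T09:00:05 flow 10.0.5.17 10.0.5.29 445
2009-01-20T09:00:10 auth_fail 10.0.5.17 10.0.5.21 administrator
2009-01-20T09:00:11 auth_fail 10.0.5.17 10.0.5.21 administrator
2009-01-20T09:00:12 auth_fail 10.0.5.17 10.0.5.21 administrator
2009-01-20T09:00:13 auth_fail 10.0.5.17 10.0.5.21 administrator
2009-01-20T09:00:14 auth_fail 10.0.5.17 10.0.5.21 administrator
2009-01-20T09:00:15 auth_fail 10.0.5.17 10.0.5.21 administrator
2009-01-20T09:01:00 flow 10.0.5.40 10.0.5.2 445
2009-01-20T09:05:00 flow 10.0.5.40 10.0.5.3 445
2009-01-20T09:05:30 auth_fail 10.0.5.40 10.0.5.3 jsmith
2009-01-20T09:30:00 flow 10.0.5.40 10.0.5.2 445
"""


def parse_log(text):
    """Parse the constructed log format into event dicts; malformed lines are skipped."""
    events = []
    for n, line in enumerate(text.splitlines()):
        parts = line.split()
        if len(parts) != 5:
            continue
        ts, kind, src, dst, extra = parts
        events.append({"n": n, "ts": datetime.fromisoformat(ts),
                       "kind": kind, "src": src, "dst": dst, "extra": extra})
    return events


def _max_distinct_in_window(events, window, key):
    """Largest number of distinct key(event) values inside any time window."""
    events = sorted(events, key=lambda e: e["ts"])
    best = 0
    for i, start in enumerate(events):
        seen = set()
        for e in events[i:]:
            if e["ts"] - start["ts"] > window:
                break
            seen.add(key(e))
        best = max(best, len(seen))
    return best


def find_scanners(events, port="445", window=timedelta(seconds=60), min_targets=8):
    """Sources hitting TCP/<port> on at least min_targets distinct hosts within one window."""
    by_src = defaultdict(list)
    for e in events:
        if e["kind"] == "flow" and e["extra"] == port:
            by_src[e["src"]].append(e)
    hits = {}
    for src, evs in by_src.items():
        n = _max_distinct_in_window(evs, window, lambda e: e["dst"])
        if n >= min_targets:
            hits[src] = n
    return hits


def find_guessers(events, window=timedelta(seconds=60), min_failures=5):
    """Sources with at least min_failures failed logons within one window."""
    by_src = defaultdict(list)
    for e in events:
        if e["kind"] == "auth_fail":
            by_src[e["src"]].append(e)
    hits = {}
    for src, evs in by_src.items():
        n = _max_distinct_in_window(evs, window, lambda e: e["n"])  # count events
        if n >= min_failures:
            hits[src] = n
    return hits


def assess(text):
    """Return {source: [reasons]} for hosts that trip either detector."""
    events = parse_log(text)
    findings = {}
    for src, n in find_scanners(events).items():
        findings.setdefault(src, []).append(f"smb_scan:{n}_targets")
    for src, n in find_guessers(events).items():
        findings.setdefault(src, []).append(f"logon_failures:{n}")
    return findings


if __name__ == "__main__":
    for src, reasons in sorted(assess(SAMPLE_LOG).items()):
        print(src, ", ".join(reasons))
```

Run against the sample, 10.0.5.17 is flagged on both counts while 10.0.5.40, whose handful of share connections and single failed logon look like a normal user, is not. In practice the thresholds need tuning against a baseline of legitimate file-server traffic, and the scan detector should exclude known vulnerability scanners and backup hosts.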
"People are much better at managing vulnerabilities in 2008 and 2009 than they were in 2003," Cross said. "People are more proactive in updating their machines. They've got automated Windows Update, they've got IPS systems in place and so they're doing a better job with vulnerability management."
Cross said the damage the fledgling botnet inflicts is still unknown. Once the attacker delivers the payload to the infected machines, security professionals will be able to measure the extent of Conficker's destruction.
Experts agree that worm propagation is now primarily a financially motivated method of attack.
"The days of people doing this because they're bored are mostly over," Cross said. "We would expect that the person who controls this thing will try to auction off parts of the network that they have created."
The attacker can order the infected machines to install spyware that harvests bank login credentials or credit card numbers. They could use hundreds of thousands of machines to mount a denial-of-service attack against a specific website or business, or they could check whether the worm managed to infiltrate a specific network and try to reach critical files there, Cross said.
"We don't know who controls this thing and what their motivations are," Cross said. "Who knows what's going to happen."