Microsoft Conficker worm hits peak, but payload awaits

By Robert Westervelt, News Editor
28 Jan 2009 | SearchSecurity.com


The Microsoft RPC worm, known by many as Conficker/Downadup, has multiplied across corporate networks, infecting an estimated 10 million machines. Though the damage has been minimal so far, the worst is yet to come, researchers said.

The fledgling botnet is set up. Zombied machines are awaiting orders. But so far communication from the attacker has been silent. Security researchers are tied into the more than 200 IP addresses being used to connect the attacker to the infected machines.

"There's no telling what kind of damage this could inflict," said Derek Brown, a security researcher with TippingPoint's DVLabs. "We know that this is usually financially motivated, so we're just waiting to see what happens next."

Brown said the worm's proliferation reached a peak more than a week ago when those who were slow to install Microsoft's MS08-067 patch finally got it deployed. But it continues to slowly build its base on corporate networks by spreading via USB sticks and other storage devices. Even if corporate systems and endpoint machines are fully patched, the worm can still infect a machine on the network and spread using mapped drives, Brown said. Adding to the frustration is Conficker/Downadup's code base, which contains a password cracker that has been successful in companies with weak password policies. The code also contains commands directing the worm to check multiple IP addresses to spread where it can find a hole.

Conficker/Downadup worm timeline:

Jan. - Microsoft RPC worm spreads in corporate networks: A worm exploiting the Microsoft RPC vulnerability is wreaking havoc on some corporate networks, according to researchers at security vendor F-Secure.

Dec. - Microsoft learns of successful RPC worm infections: Microsoft said a number of customers are infected with worms that successfully exploit the RPC flaw and download malware.

Nov. - New malware exploits Microsoft RPC flaw: New malware is targeting the Microsoft RPC flaw, Microsoft warns. Companies should deploy the emergency patch immediately to prevent hacker attacks.

Oct. - Microsoft releases Windows patch to stop worm attack: Microsoft issued an out-of-cycle update, plugging a dangerous hole that could be used to craft a worm attack.

Once a machine is infected with the worm, it relays a message back to the host detailing its location, among other information about the victim's machine. Brown said the worm writer should be able to make a profit on the black market by breaking up the botnet and selling it by location.

By comparison, the Microsoft Blaster worm of 2003 exploited a service vulnerability that was similar to the one being exploited by the Conficker worm. Blaster exploded onto the Internet, said Thomas Cross, a security researcher with IBM ISS' X-Force security team. Blaster reached its propagation peak within eight hours of its first appearance. Most of the hosts that were infected were infected within one week.

"Conficker did not propagate nearly as efficiently," Cross said. "This worm didn't become a major story until January."

In January, the worm's author added the extra propagation vectors -- the AutoRun and file share capabilities with password cracking. The worm has been effective because it takes advantage of the file sharing and poor password management that is prevalent in many businesses.

"People are much better at managing vulnerabilities in 2008 and 2009 than they were in 2003," Cross said. "People are more proactive in updating their machines. They've got automated Windows Update, they've got IPS systems in place and so they're doing a better job with vulnerability management."

Cross said the damage the fledgling botnet inflicts is still unknown. Once the attacker delivers the payload to the infected machines, security professionals will be able to measure the extent of Conficker's destruction.

Experts agree that worm propagation and exploitation is primarily a financially motivated method of attack.

"The days of people doing this because they're bored are mostly over," Cross said. "We would expect that the person who controls this thing will try to auction off parts of the network that they have created."

The attacker can issue orders to install spyware on victims' machines to collect bank login credentials or credit card numbers. The attacker could use hundreds of thousands of machines to conduct a denial-of-service attack against a specific website or business, or could check whether the worm succeeded in infiltrating a specific network and try to gain access to critical files, Cross said.

"We don't know who controls this thing and what their motivations are," Cross said. "Who knows what's going to happen."
