Conficker: Infamous Worm Turns 10 — and Is Still Detected in the Wild Today
Conficker is one of the most famous cyber security threats. On its 10th anniversary, we take a look back at this threat and how it impacted the infosec landscape.
The infamous Conficker worm celebrates its 10th birthday this week — with it having first been unleashed on the world on November 21, 2008.
In honor of this special anniversary, we decided to take a look back at the impact of this famous worm — detections of which we still see in the wild today.
Conficker, which Symantec detects as W32.Downadup, had a big impact following its debut a decade ago. One of the most notorious worms to ever hit the cyber security landscape, it infected around 15 million computers globally — to put that in some context, the WannaCry ransomware that caused such havoc last year infected around 350,000 devices worldwide.
There are five variants in total of the Conficker worm, all with slightly different capabilities. The last variant, version Echo, appeared in April 2009, about four-and-a-half months after the first instance appeared. Conficker targeted Windows systems in both homes and businesses.
Most Conficker variants used an RPC remote code execution vulnerability (MS08–067) to spread, which was very successful, even though Microsoft had released an out-of-band patch a month before Conficker appeared. Later versions of Conficker brute forced passwords for network shares with the help of a predefined list of 250 common passwords. The worm also copied a malicious DLL to removable media like USB drives that was programmed to start the malware automatically as soon as the stick was plugged into a Windows system. Fortunately, this is one way of spreading that no longer works on modern Windows systems.
Conficker also made heavy use of a so-called domain name generating algorithm (DGA) to allow the worm to check for updates. A later version added a peer-to-peer protocol over UDP to get rid of any weak central control points from its update process.
Conficker was a sophisticated worm — especially for its time — and it used a number of self-protection methods to prevent it being removed from the systems it had infected. For example, it checked all running processes on a device for any signs of security software and then tried to end those processes. It also disabled Windows updates and several system tools.
What was Conficker’s goal?
Despite its sophisticated approach, the end goal of Conficker has never been clear.
Initially the threat was simply spreading and updating itself, it didn’t do any damage other than some collateral damage — such as locking users out of their accounts due to its password brute forcing.
On December 1, 2008, a little over a week after it first appeared, Conficker tried to download a payload from a domain called trafficconverter.biz. However, this site was offline at that time, so we don’t know what the payload might have been — however, the website did have an affiliate program for misleading applications and fake antivirus in the past. April 1, 2009, was a date that watchers of Conficker expected a lot from, as the date had been hardcoded into the threat from the beginning. However, the day came and went without anything dramatic occurring.
Some variants of Conficker did download the Waledac spambot and SpyProtect, which was a fake AV scareware. However, by the time it did that Conficker had been removed from a lot of systems so the impact was minimal. This does indicate though that Conficker’s aim, like that of most cyber crime, was to make money. It may be that all the media attention gained by Conficker made those behind it uncomfortable, stopping them from carrying out their original intentions with the worm.
The identity of those behind the Conficker worm remains a mystery, despite the fact that Microsoft offered a $250,000 reward for information that would result in the arrest and conviction of those responsible — that bounty remains unclaimed to this day. A working group was established at the time to tackle the Conficker threat, which speculated that the threat might originate from Ukraine, but concrete evidence of this has never been found.
Conficker today
Despite its great age, we still see Conficker detections in the wild today. In 2015, the threat was detected on around 2 million devices. By 2016, this had dropped to 1.3 million detections, a reduction of just over one-third. In 2017, it declined to 840,000, another decline of approximately 33 percent.
To date in 2018, we have seen 300,000 detections, which means we will probably see 350,000 detections by the end of the year — roughly the same as WannaCry at its peak. If that rate of decline continues, we may no longer see Conficker detections by the end of 2020.
However, it is important to point out that a detection does not necessarily mean that the threat still does damage. A lot of the detections are only infection attempts, for example, when the worm tries to compromise a new machine by copying itself to the fileshare. This might be the case with one single infected machine that is constantly trying to infect the computers around it and so is generating a lot of noise over and over again. Also, there are no active command and control servers for Conficker at the moment that could send down new payloads, which limits the possible damage further. And, of course, any decent security software should block Conficker from spreading.
It’s likely that many of the computers that are still infected are old systems that have been running untouched for the last few years, such as medical devices or some industrial systems in a production site that can’t be upgraded. Since Conficker does not do any damage, such as encrypting files, for example, the compromised computer might still work normally, meaning those responsible for the computer may not even realize it is infected.
Some of these old computers that are embedded in industrial systems will likely never be updated, meaning old threats like Conficker are likely to only ever be fully wiped out as these legacy systems are slowly replaced and upgraded in years to come.
Will any of today’s threats be around in 10 years?
Things have changed in the IT security landscape, and today we are better at managing our IT systems, installing patches and so on. Law enforcement is also now very proactive when it comes to shutting down command and control servers, leaving many threats ineffective. However, threats that use common weak passwords to spread are likely to keep working for many more years — meaning we could still see the likes of Emotet around for several more years. Internet of Things (IoT) threats too have been causing lots of headaches in recent years, and with those systems often difficult to monitor and update, self-spreading IoT threats may hang around for a few more years to come too.
Whether any of these more modern threats have quite the staying power of Conficker, however, remains to be seen.
Want to find out more about Conficker and other old threats that are still around today? We have recorded a special edition of our Cyber Security Brief podcast taking an in-depth look at Conficker and other ancient threats — listen here.
Check out the Security Response blog and follow Threat Intel on Twitter to keep up-to-date with the latest happenings in the world of threat intelligence and cyber security.
Like this story? Recommend it by hitting the heart button so others on Medium see it, and follow Threat Intel on Medium for more great content.
