{"id":70458,"date":"2014-07-07T19:29:33","date_gmt":"2014-07-07T23:29:33","guid":{"rendered":"http:\/\/rbach.net\/blog\/index.php\/"},"modified":"2021-08-25T20:48:52","modified_gmt":"2021-08-26T00:48:52","slug":"conficker-worm-still-alive","status":"publish","type":"post","link":"https:\/\/rbach.net\/index.php\/conficker-worm-still-alive\/","title":{"rendered":"Conficker Worm – Still Alive"},"content":{"rendered":"
\"Conficker<\/a>After 6 years Conficker<\/a><\/strong> remains one of the top 3 malware<\/a><\/strong> that affects enterprises and small and medium businesses according<\/a> to Trend Micro’s<\/a> (TMICY<\/a>)<\/em> TrendLab<\/a>. They say 45% of malware-related spam emails they detected were related to Conficker. Trend Micro attributes this to the fact that a number of companies are still using <\/em>Microsoft’s<\/a> (MSFT<\/a>) Windows XP<\/a>, which is susceptible to this threat.<\/em><\/address>\n

6 years old <\/em>\"Conficker\"<\/a><\/h3>\n

For those that don’t remember our old friend Conficker (Trend calls it DOWNAD<\/a>) it can infect an entire network via a malicious URL, spam email, and removable drives<\/strong>. Larry Seltzer<\/a> at ZDNet’s<\/a> Zero Day<\/a> blog recalls<\/a> that Conficker was a big deal back in late 2008 and early 2009. The base\u00a0vulnerability caused Microsoft<\/strong> to release an out-of-band update<\/strong> (MS08-067 “Vulnerability in Server Service Could Allow Remote Code Execution”<\/a>) in October 2008<\/strong>. In addition, Conficker<\/a> has its own domain generation algorithm<\/a> that allows it to create randomly generated URLs.\u00a0 It then connects to these created URLs to download files on the system.<\/p>\n

Technically, Windows Vista and the beta of Windows 7, were vulnerable, but their default firewall configuration<\/strong>\u00a0mitigated the threat. It was Windows XP that was really in danger. Mr. Seltzer says that despite Microsoft’s patch, everyone knew that a major worm event was coming. When it came it was big enough that a special industry group (Conficker Working Group<\/a>) was formed to coordinate a response.<\/p>\n

\"45%Despite the unprecedented industry effort, Trend Micro observed that six years later<\/strong> (2014 Q2), more than 45% of malware-related<\/strong>\u00a0spam<\/strong> mails are delivered by machines infected by the Conficker worm<\/a>. Analysis by the AV firm of spam campaigns delivering FAREIT<\/a>, MYTOB<\/a>, and LOVGATE<\/a>\u00a0 payload in email attachments are attributed to Conficker infected machines.<\/p>\n

Over 1.1 million\u00a0IPs related to Conficker.<\/h3>\n

On Thursday, July 3 the Conficker Working Group detected +\/- 1,131,799 unique IPs<\/strong> related to Conficker. Whatever the number,\u00a0 it’s still a big number, for a 6-year old malware with a patch. Trend explains that the IPs use various ports and are randomly generated via the DGA ability of the malware. A number of machines are still infected by this threat and leveraged to send the spammed messages to further increase the number of infected systems.<\/p>\n

rb-<\/strong><\/em><\/p>\n

With Microsoft ending the support<\/a> for Windows XP this year, we can expect that systems with this OS will be infected by threats like Conficker for a long time to come. It is going to take years to work XP out of the system.<\/em><\/a><\/em><\/p>\n

\"End<\/a><\/em><\/p>\n

Even with an ancient OS, there are ways to prevent Conficker<\/em><\/p>\n

    \n
  1. Upgrade – Kudos to MSFT, Windows 7 has been resilient so far<\/em><\/li>\n
  2. Patch your systems<\/em><\/li>\n
  3. Keep Anti-Malware up to date<\/em><\/li>\n
  4. Stay away from shady places on the web<\/em><\/li>\n
  5. Be wary of email attachments – Don’t open what you don’t know<\/em><\/li>\n
  6. The Conficker Working Group has an easy way to check if your machine is infected with Conficker here<\/a><\/em><\/li>\n<\/ol>\n
    Related articles<\/h6>\n