Posted August 26, 2014
Conficker May Not be a Risk…But its Host is!
– by Jason Lewis
My recent blog post on infections on the CHS network generated a lot of questions and criticism. The most common response to the post was that Conficker is dead and evidence that it exists is irrelevant. There are multiple variants of Conficker; for ease of discussion, I will refer to all of them as Conficker. The vulnerability that Conficker exploited has long been fixed; Microsoft patched it in 2008, which dismantled the command and control (C2) issue. Unfortunately, a decent number of Conficker-infected hosts still exist. To be exact, for August 2014, Lookingglass has observed 9+ million unique IPs performing callbacks for Conficker. To put this in perspective, LG tracks between 35 and 40 million unique IPs monthly, and 22 percent are infected with Conficker. TWENTY-TWO PERCENT! Conficker itself is not a threat; it’s the infected host that we need to worry about.
There are security analysts who don’t take Conficker seriously. It’s easy to see why; the infection is mostly inert. When the Conficker vulnerabilities were found, Microsoft worked quickly to provide patches. On Windows XP, those patches were eventually rolled into Service Pack 3. Additionally, most variants of Conficker disabled automatic updates and anti-malware applications. This means that infected systems no longer get automatic software updates and the anti-malware software will never do its job. The side effect of these actions is that systems are forever stuck on whatever patches they had when they were first infected. It also means that these systems are susceptible to any vulnerability found since the Conficker exploit. The net result is millions of systems that are stuck in 2008, just waiting for the next piece of malware.
Lookingglass has correlated DDoS hosts with Conficker infections. We’ve observed hosts with active trojans and other malware alongside Conficker. The takeaway is that a host with Conficker is likely to be infected with other malware and is open to exploitation by yet-to-be-developed threats. It’s like cyber flotsam just waiting for an attacker to claim. The threat isn’t Conficker. The threat is the host that has been turned into a liability and a launch point for the next big threat. 9 million unpatched computers just waiting…