Archive for the ‘SIR v12’ Category

SIRv12: The obstinacy of Conficker

April 25th, 2012 No comments

Conficker is one of the most significant threat families facing organizations worldwide today; its initial impact along with its continued obstinacy shows that clearly. In the fourth quarter of 2011 – three years after its initial release – it attempted to infect just over 1.7 million computers. Conficker’s persistence is illustrated not only by the number of computers it has attempted to infect, but also by the nearly 59 million attacks launched against those computers in the fourth quarter of 2011. But perhaps the most interesting manifestation of its obstinacy is that it has been the number one threat facing businesses for the past two and a half years.

Conficker affects a higher percentage of business computers than consumer computers

Figure 1. Conficker affects a higher percentage of business computers than consumer computers

The nature of how later Conficker variants spread is the key to understanding what makes the worm so much more of an issue for businesses than for consumer users. Initially the worm spread through the Internet solely by exploiting a software vulnerability in the Windows Server service that had been addressed months earlier in Microsoft Security Bulletin MS08-067. About one month later, Conficker was updated to spread using the Autorun feature and weak passwords or stolen login tokens. The use of weak passwords and stolen login tokens was the change that gave it a foothold in the business sector environment.

Once later variants of Conficker infect a computer, they attempt to spread by copying themselves into administrative shares of other computers on the network. First the malware tries to use the current user’s credentials to copy itself, but if that fails it attempts to exploit weak passwords; the worm uses a pre-existing list of common weak passwords that it carries with it. If that fails, Conficker remains dormant until new credentials are available. If a remote administrator logs into the infected computer to try to clean it or diagnose problems caused by the worm, Conficker uses the administrator’s login token to infect as many computers as possible. The combination of these credential-based attacks accounted for 100% of all recent infection attempts from Conficker targeting Enterprise Microsoft Forefront Endpoint Protection users on Windows 7 and Windows Vista platforms.

How Conficker spreads through corporate networks

Figure 2. How Conficker spreads through corporate networks

Despite Microsoft removing Conficker from approximately 283,000 computers per quarter on average for the past year, the worm continues to be persistent. As an illustration of this, the average number of attacks per system throughout 2011 is on the rise. During the first quarter of 2011 the average number of times Conficker attacked a single computer was 15, but by the fourth quarter that number had more than doubled to 35.

The average number of Conficker attacks per system is on the rise

Figure 3. The average number of Conficker attacks per system is on the rise

One of the primary ways to defend against Conficker is by enforcing a strong password policy. A single computer with a weak password could easily be enough to cause a major disruption inside a corporate network, especially considering the increasing trend in the number of Conficker attacks per computer. If the worm does get inside a network, a good guide to cleaning it out can be found in the How-to: Removal of Conficker in your FCS environment blog post. Along with strong passwords, it is important to keep systems up to date by regularly applying available updates for all software being used and to use antivirus software from a trusted source, and make sure AV signatures are regularly updated.

You can find more information there on the obstinacy of Conficker in our latest Microsoft Security Intelligence Report volume 12 that launched today, as well as other global and regional trends in Internet security.
– Joe Blackbird, MMPC


Categories: conficker, MS08-067, SIR v12, weak passwords Tags: