Security watchers are bracing themselves to respond to the activitation of the huge botnet created by the Conficker superworm.

The malware has created a network of infected PCs under its control estimated at 9m or even more, according to the latest estimates — dwarfing the zombie army created by the infamous Storm worm, which reached a comparatively paltry 1m at its peak in September 2007.

Variants of Conficker (aka Downadup), which began circulating in late November, exploit the MS08-067 vulnerability in the Microsoft Windows server service addressed by Redmond with an out-of-sequence patch last October.

The malware also infects removable devices and network shares using a special autorun file. The worm uses social engineering trickery so that users on Windows machines looking to simply browse the contents of a memory stick may be tricked into selecting an option that actually runs a malware payload and infects their PC.

Some variants are programmed to spread across machines in the same local area network. Weak passwords in corporates have therefore aided the distribution of the worm.

The multiple infections techniques - none of which, incidentally, feature email — has fuelled the prolific spread of the worm. It’s been years since any worm has spread so widely. In many ways the Conficker worm epidemic represents a return to the bad old days of worms such as Nimda, Blaster and Sasser.

It only takes one rotten apple

In the case of Conficker, security watchers reckon the fact that the worm only needs to hit one infected machine in a network to spread goes a long way towards explaining its success. Slow patching, particularly in corporates, has also contributed to the epidemic.

“We haven’t seen this type of advanced worm in many years,” Eric Schultze, CTO of patching firm Shavlik Technologies told El Reg. “It’s successful because once a single machine is infected in a corporate environment, it can spread itself to all of the other corporate machines, whether they’ve been patched or not.

“In terms of damage it can do, some reports say the worm is a dud but I believe that it’s simply ‘sleeping’ and may be woken up at a future date to execute some set of evil instructions. Even if never executed, the worm turns off the windows update service and blocks access to many security vendor websites [blocking uptake of new antivirus signatures].

“To many, these actions alone may be considered malicious.”

Net security firm Sophos reckons that business users have been harder hit than consumers by the spread of the worm. The malware has caught some firms on the hop because they haven’t rolled out patches, it figures.

Superworms return

Theories on why we haven’t seen a worm of this type for three or four years are thin on the ground. It may be that writing such a worm (even if it pinches parts of its code from Metasploit, the open-source penetration testing tool) is simply too much like hard work.

“It’s more effort to write malware that exploits a new vulnerability than, say, regular executable malware that is emailed or shoved on web,” said Graham Cluley, senior technology consultant at anti-virus firm Sophos. “If email or web attacks work just fine, then why go to extra effort?”

“These guys aren’t doing it for intellectual challenge or showing-off. Money is the motive.”

Despite the noteable lack of network worms over recent years the approach — much like spreading computer viruses using infected email attachments — has always been an option for miscreants.

“Hackers never completely abandon old tricks,” Cluley continued. “They can always dust them off and use them again. For example, there was a huge increase is infected email attachments last year year. It’s a danger to think we have any particular attack strategy licked.”

Cluley, like other security researchers, credited Microsoft for releasing a clean-up tool in January after publishing a patch in October, while noting the software giant bears significant responsibility for creating the security vulnerability that allowed the worm to spread in the first place.

Defcon

Conficker infections have been detected in more than 80 countries with Spain, the USA, Taiwan and Brazil most hit, according to anti-virus firm Panda Security. One in 14 (six per cent) of 2m machines submitted to Panda’s online scanner are affected by the worm. This, of course, represents a sample of PCs where the owners have reason to think something might be wrong and so may not be representative of the internet at large. Nonetheless, it’s a huge figure.

The worm is confirmed to have hit a Sheffield hospital and is suspected of infecting UK Ministry of Defence systems, including local area networks on warships. Security watchers reckon that the more open nature of public-facing organisations explains why these attacks have hit the press. There’s no reason to suspect that private sector firms are any better protected against such attacks, as previous worm spreads have demonstrated time and again.

Few clues have emerged as to the identity of the authors of the worm. Sometimes code samples used by an item of malware bear the hallmarks of a particular virus writing gang, but no such evidence has materialised over the Conficker worm as yet. One of the few pointers is an observation by Panda Security that the infection originated in China a few weeks ago.

The Conficker worm is programmed to constantly update itself. The malware is designed to download new code onto infected machines through a large number of different and changing IP addresses, making it difficult to block.

“This is an indication that the worm authors are preparing to carry out a large scale attack in the near future using the infected machines,” said Dominic Hoskins, Country Manager, Panda Security UK.

Paul Wood, senior analyst at online security firm MessageLabs, which recently became part of Symantec, confirmed that Conficker is yet to be activated to send spam. “We’ve seen nothing directly from all these infections in terms of spam runs or denial of service attacks,” Wood told El Reg.

“The countries most affected by Conficker have a high percentage of pirated windows users, who may not be entitled to apply Microsoft’s patch. This could be a factor in the spread of the worm.” ®

Related stories

• Malware abusing Windows Autorun plummets (14 June 2011)

  https://www.theregister.com/2011/06/14/autorun_malware_plummets/

• Microsoft purges AutoRun from older Windows (14 September 2009)

  https://www.theregister.com/2009/09/14/more_microsoft_autorun_fixes/

• Conficker botnet remains dormant - for now (1 April 2009)

  https://www.theregister.com/2009/04/01/conficker_activation/

• Busted! Conficker's tell-tale heart uncovered (30 March 2009)

  https://www.theregister.com/2009/03/30/conficker_signature_discovery/

• Leaked memo says Conficker pwns Parliament (27 March 2009)

  https://www.theregister.com/2009/03/27/conficker_parliament_infection/

• Final countdown to Conficker 'activation' begins (26 March 2009)

  https://www.theregister.com/2009/03/26/conficker_activation_analysis/

• One in 20 corporate PCs infested by bots (5 March 2009)

  https://www.theregister.com/2009/03/05/botnet_epidemic/

• Conficker call-backs threaten to swamp legit domains (2 March 2009)

  https://www.theregister.com/2009/03/02/conficker_collateral_damage/

• Microsoft aims 'non-security' update at gaping security hole (25 February 2009)

  https://www.theregister.com/2009/02/25/microsoft_autorun_update/

• Conficker variant dispenses with need to phone home (23 February 2009)

  https://www.theregister.com/2009/02/23/conficker_variant/

• MS puts up $250K bounty for Conficker author (12 February 2009)

  https://www.theregister.com/2009/02/12/conficker_reward/

• Houston justice system laid low by Conficker worm (9 February 2009)

  https://www.theregister.com/2009/02/09/houston_malware_infection/

• Valentine Trojan onslaught blights inboxes (9 February 2009)

  https://www.theregister.com/2009/02/09/valentine_trojan_spam/

• OpenDNS rolls out Conficker tracking, blocking (7 February 2009)

  https://www.theregister.com/2009/02/07/opendns_conficker_protection/

• Fake parking tickets lead unwary to malware (5 February 2009)

  https://www.theregister.com/2009/02/05/car_flyer_malware_bait/

• ASProx botnet dials into Conficker domains (3 February 2009)

  https://www.theregister.com/2009/02/03/conficker_arbor_analysis/

• Unpatched web vulns turn internet into drive-by warzone (3 February 2009)

  https://www.theregister.com/2009/02/03/iss_web_security_survey/

• Three hospital worm infection dubbed 'substantive failure' (2 February 2009)

  https://www.theregister.com/2009/02/02/nhs_worm_infection_aftermath/

• US school in toothless Obama worm infection (30 January 2009)

  https://www.theregister.com/2009/01/30/obama_worm/

• Conficker botnet growth slows at 10m infections (26 January 2009)

  https://www.theregister.com/2009/01/26/conficker_botnet/

• Conficker Autoplay ruse gets teeth into Windows 7 (20 January 2009)

  https://www.theregister.com/2009/01/20/win7_autoplay_weakness/

• Conficker seizes city's hospital network (20 January 2009)

  https://www.theregister.com/2009/01/20/sheffield_conficker/

• MoD networks still malware-plagued after two weeks (20 January 2009)

  https://www.theregister.com/2009/01/20/mod_malware_still_going_strong/

• Three in 10 Windows PCs still vulnerable to Conficker exploit (19 January 2009)

  https://www.theregister.com/2009/01/19/conficker_worm_feed/

• Superworm seizes 9m PCs, 'stunned' researchers say (16 January 2009)

  https://www.theregister.com/2009/01/16/9m_downadup_infections/

• Prolific worm infects 3.5m Windows PCs (15 January 2009)

  https://www.theregister.com/2009/01/15/conficker_worm/

• Selfish worm targets month-old Windows flaw (26 November 2008)

  https://www.theregister.com/2008/11/26/conficker_attacks_windows/

• The strange decline of computer worms (17 March 2005)

  https://www.theregister.com/2005/03/17/f-secure_websec/

• MS NAP aims to kill off Nimda-style outbreaks (14 December 2004)

  https://www.theregister.com/2004/12/14/ms_adds_nap_partners/

• Windows worms tax ISPs (27 May 2004)

  https://www.theregister.com/2004/05/27/sandvine/