Conficker: The Worm That Won’t Die

More than nine years after it infected millions of systems worldwide, the malware continues to be highly active, according to a Trend Micro report.
The Conficker worm has become the malware that just won’t die.
More than nine years after it was first spotted in 2008, the worm continues to be detected by anti-malware systems with enough regularity to suggest that it remains a potent threat for organizations, especially those in the manufacturing, healthcare, and government sectors.
In a report released this week, security vendor Trend Micro, which also calls the worm Downad, says its software has so far detected and blocked the malware some 330,000 times this year. That number is roughly consistent with Trend Micro’s 300,000 Conficker detections in 2016 and the 290,000 or so in 2015.
The detection rates are well below Conficker’s peak rates, when it was still young and new. In 2008, when it first appeared in the wild, Conficker infected an impressive 9 million systems worldwide, making it one of the most prolific malware samples of the year.
Even four years later, in 2012, Conficker notched up more than 2.5 million victims, putting it in the top malware category for that year, Trend Micro says. Since then, the number of infections has dropped substantially over the years as people have switched to more modern operating systems and better security tools. Still, in the past few years Conficker detections have held steadily at well over 20,000 per month, indicating it is still highly active.
No other malware has displayed this sort of longevity at this scale, says Jon Clay, director of global threat communications for Trend Micro. “Conficker seems to be the worm that won’t go away. It almost seems like it is self-generating and self-propagating at this point. As such, it is difficult to fully eradicate it,” Clay says.
Much of its durability has resulted from the continuing use of systems running old, unsupported, and unpatched Windows software. Most of Trend Micro’s detections have been on systems running Windows XP, Windows 2000, and Windows Server 2003.
The three sectors where Conficker/Downad’s presence can be seen the most are healthcare, government, and manufacturing. Organizations in these industries typically have tended to be slower to make technology upgrades compared with their counterparts in other industries. Many of the organizations where Trend Micro has detected Conficker have been in developing countries such as Brazil, India, and China, which are well known for their fast-growing economies and manufacturing sectors, the company says.
No Theft Involved
From an impact standpoint, Conficker/Downad does little of the stuff that modern malware does. It does not steal data, conduct surveillance, or spy on users. Rather, it infects systems for the sake of infection.
“Conficker is not meant for any profit,” Clay says. “It is a worm, and its purpose is to infect as many systems as it can. There is no data-stealing component associated with it and no destructive payload.”
When it was first created, the malware was meant to infect as many systems as possible. “Today, nothing has changed, it still tries to do the same,” Clay says.
The worm propagates via removable media, network drives, and by attacking CVE-2008-4250, a flaw in the Server service in legacy Windows versions such as Windows 2000, Server 2002, and Server 2008. Though the flaw was patched in 2008, it still remains unpatched on thousands of old Windows systems worldwide. Trend Micro says that in October 2017 alone, it detected more than 60,000 systems with the vulnerability.
According to Trend Micro, once Conficker lands on a system, the malware puts a copy of itself in the recycle bins of all the network and removable drives connected to the infected system. Conficker then takes actions that allow the malware to execute whenever a user browses an infected folder or drive. “It will then retrieve user account data from the connected systems by enumerating the available servers on a network. As a final step, it will perform a dictionary attack using a predefined password list on these accounts,” Trend Micro said. Like most well-designed malware, Conficker also takes steps to prevent users from removing it from their systems, including in some cases preventing them from visiting the websites of antivirus vendors.
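The dictionary-attack step described above leaves a recognisable trace in Windows Security logs: one source host generating a burst of failed logons (event ID 4625) against many different accounts within a short window. The script below is an added example of that detection logic, not tooling from Trend Micro or the article; the event lines are constructed for the demo, the flattened field layout is an assumption about how events were exported, and the thresholds are assumptions to tune per environment.

```python
"""Heuristic detector for password-guessing bursts against network accounts.

Added example (not the article's or Trend Micro's code).  It flags a source
host that produces many failed logons against many distinct accounts inside
a sliding time window, which is how a predefined-password-list attack on
enumerated accounts shows up in the Security event log.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events, flattened to "timestamp,event_id,account,source".
# 4625 = failed logon, 4624 = successful logon.  The layout is an assumption;
# a real deployment would export these fields from the event log.
SAMPLE_EVENTS = """\
2017-10-03T09:00:01,4625,admin,WS-17
2017-10-03T09:00:02,4625,administrator,WS-17
2017-10-03T09:00:02,4625,backup,WS-17
2017-10-03T09:00:03,4625,test,WS-17
2017-10-03T09:00:03,4625,guest,WS-17
2017-10-03T09:00:04,4625,user,WS-17
2017-10-03T09:00:04,4625,sales,WS-17
2017-10-03T09:00:05,4625,finance,WS-17
2017-10-03T09:00:05,4625,svc_sql,WS-17
2017-10-03T09:00:06,4625,jsmith,WS-17
2017-10-03T09:05:00,4625,jdoe,WS-04
2017-10-03T09:05:10,4624,jdoe,WS-04
2017-10-03T09:30:00,4625,jdoe,WS-04
"""


def parse_events(text):
    """Parse the flattened export into (timestamp, event_id, account, source)."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, eid, account, source = line.split(",")
        events.append((datetime.fromisoformat(ts), int(eid), account, source))
    return events


def find_password_guessing(events, window=timedelta(minutes=1),
                           min_failures=8, min_accounts=5):
    """Return {source_host: sorted(accounts)} for every source that produced at
    least min_failures failed logons spanning at least min_accounts distinct
    accounts inside some window-sized span.  Thresholds are assumptions."""
    failures_by_source = defaultdict(list)
    for ts, eid, account, source in events:
        if eid == 4625:
            failures_by_source[source].append((ts, account))

    flagged = {}
    for source, fails in failures_by_source.items():
        fails.sort()
        hit_accounts = set()
        start = 0
        for end in range(len(fails)):
            # Advance the window start until the span fits inside `window`.
            while fails[end][0] - fails[start][0] > window:
                start += 1
            in_window = fails[start:end + 1]
            accounts = {acct for _, acct in in_window}
            if len(in_window) >= min_failures and len(accounts) >= min_accounts:
                hit_accounts.update(accounts)
        if hit_accounts:
            flagged[source] = sorted(hit_accounts)
    return flagged


if __name__ == "__main__":
    for source, accounts in find_password_guessing(parse_events(SAMPLE_EVENTS)).items():
        print(f"{source}: {len(accounts)} accounts guessed: {', '.join(accounts)}")
```

A single user mistyping a password (WS-04 in the sample) never trips the rule, because it requires both volume and account breadth from one source; that combination, rather than failure count alone, is what separates an automated password list from ordinary lockout noise.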
Conficker continues to pose a threat to older legacy systems, which in many cases are not patched or cannot be patched by an organization, Clay notes. An example of such a system would be one that is maintained by a third party on behalf of an organization. Legacy systems with embedded operating systems are vulnerable, too. Though such systems might be functioning properly, they may not be able to support a security agent, Clay says.
“In these situations, the best defense is to utilize network IPS technology that can detect the worm on the network and block it from being copied onto the system,” he says.