Derided and ignored, Conficker may have had the last laugh
Derided and ignored, Conficker may have had the last laugh

They say the old ones are the best ones. Now malware from nearly ten years ago appears to be having the last laugh, as the Conficker worm returns to aid in infecting machines with WannaCry.

Conficker was first detected in 2008 when it hit millions of computers in over 190 countries. According to Rodney Joffe, senior cybersecurity technologist at Neustar and US government Cybersecurity Intelligence Panel member, who led the original Conficker Working Group, machines that have old Conficker on them were “targeted after the launch of WannaCry by intelligent criminals who realised that the Conficker machines were unpatched, had been originally compromised by the SMB vulnerability, and they started sinkholing Conficker domains to generate a list of vulnerable targets, and they went after them.”

In an exclusive interview with SC Media UK, Joffe said that Conficker was derided and ignored by many organisations six or seven years ago, because aside from the first couple of events, people said it doesn't do anything anymore, so why go through the bother of rebuilding a machine just for it?

“This is the wrong attitude, and has supported the ongoing existence of a ticking cyber time-bomb,” he said. The Conficker Working Group has continued to monitor Conficker infected systems via the DGA (Domain Generation Algorithm) process of infected machines. He said that there has continued to be around 600,000 infections per year for at least the past five years.

“Yes, even today! In addition, we continue to receive reports and see telemetry confirming that new systems continue to be infected as old ones are taken offline, or just replaced because of age. But the number stays pretty constant.”

Joffe said that WannaCry makes use of the Port 445 SMB vulnerability and the criminals responsible for WannaCrypt no doubt understand this.

“So as expected, either inadvertently or by design and reconnoiter activities, a measurable number of machines that are infected by Conficker have now also been hit with WannaCry. Most of these machines would have likely been protected if the operators had taken the necessary steps to remove Conficker and implement the recommendations for Conficker,” he said.

Joffe added that it is highly unlikely that any machines that were disinfected properly from Conficker would have been affected by WannaCry or any of the other two or three variants utilising the SMB vulnerability because they would have been patched because of the Conficker remediation.

“We see NO evidence that Conficker has been activated and used as a delivery method. But it is certainly a major enabler of WannaCry,” said Joffe.

Joffe said that the moral of the story was “don't ever again leave malware on a system because it seems to have run its course”.

“Make sure you now go and remove Conficker from systems that are still infected. This will happen again. Remember that from the day your system got or gets infected, it will stop doing updates or patching.  The bad guys can see that readily,” added Joffe.

Ian Trump, head of security at ZoneFox, told SC that it is yet to be seen if this is a true reactivation or more of a renewed awareness of one of the most virulent and dangerous pieces of malware ever released,” said

He added that Conficker remains an extremely dangerous piece of software, given its advanced technical ability to hide its presence, hamper removal and promote its spread. Trump said that WannaCry's spread in comparison utilised a publicly known exploit and dropped a single payload of ransomware. Analysis has indicated the inclusion of code attributed to Lazarus, a North Korean APT group.

“For me, I find it highly unlikely the authors of Conficker and WannaCry are related,” said Trump.

Trump added that what is similar between the two is their ability to spread an infection from one machine to the another – rapidly.

“WannaCry is a ‘one-trick pony' with a single exploit of the SMB V1 protocol called EternalBlue which then landed the DoublePulsar Trojan and finally the ransomware payload. Conficker on the other hand focussed more on the brute force of password capabilities and other exploit methods to spread,” added Trump.

Simon Edwards, European cyber security architect at Trend Micro, told SC that one of the Shadow Broker releases included a ‘new' version of Conficker (Eclipsed Wing) which would connect it to the exploit used for WannaCry.

“The exact reason as to why this has been released is still being worked out, but sadly there are still lots of machine the globally vulnerable to the attack,” he said.

The vulnerabilities it targets are OPS_MS08-067_ Server_ Service_ Path_ Canonicalization_ Exploit; CVE-2008-4250 and  MS08-067. As can be seen from the dates, these are targeting very old (2008) vulnerabilities, which you would hope would have been patched ages ago,” said Edwards.

“However, Trend has seen samples of this onsite in the NHS; the samples use Domain Generation Algorithms to communicate to C&C servers so generate quite a lot of network traffic. Once again patching is critical, but once again (in the case of the NHS specifically) this might not be possible for systems running critical medical equipment.”