Incident Response, Malware, TDR

Thanks to weak passwords, Conficker worm still rampant

The worm responsible for causing one of the worst-ever malware outbreaks on Windows systems is still hanging around.

Conficker, a worm first discovered in November 2008 and primarily found on corporate PCs, is again becoming a major threat for businesses, according Microsoft's biannual "Security Intelligence Report.”

The malware was initially spread by exploiting a vulnerability in Windows Server service, but although that defect was patched nearly three years ago, researchers are witnessing a continued spike in attempts to infect new machines.

In the fourth quarter of 2011 alone, Microsoft analysis determined that Conficker tried to infect 1.7 million computers, a 225 percent increase since the first quarter of 2009. Since that year, Conficker has been detected on 220 million computers worldwide.

"The infection rate isn't rising, but the detection rate is, i.e. the number of systems reporting that Conficker attacked them has increased," Tim Rains, director of product management at Microsoft's Trustworthy Computing group and co-author of the report, told SCMagazine.com on Wednesday in an email. "What that means is that machines are getting bombarded constantly by Conficker to try to infect. Users should immediate practice good computer hygiene."

According to the report, there are three primary ways in which Conficker spreads: through weak and stolen passwords, by exploiting unpatched vulnerabilities, or by attempting to abuse the AutoRun feature in Windows.

Of the trio, 92 percent of the infections occurring from July through December 2011 were caused because of flimsy passwords, the report said. That's because the malware's code has a built-in list of common passwords used in the enterprise, such as “admin1,” “changeme,” and “password123,” states the report.

“The use of these weak passwords in enterprise today is very concerning,” he said. “Not only will this allow broad-based attacks to spread, but it also allows targeted attacks by determined adversaries to be just as successful.”

There has not been a new variant of Conficker in more than two years, mostly thanks to efforts by an industry collaboration known as the Conficker Working Group to reverse engineer the malware's code and divert bot traffic to its own servers rather than to domains controlled by the attackers.

Still, many in the enterprise are fighting the worm, which can perform malicious actions, Rains said.

"It uses the system as a platform to try to infect other systems," he told SC. "Some variants of Conficker disable security settings, block access to particular websites, and can receive commands, updates and new malware through its built-in peer-to-peer network."

Businesses can effectively defend their networks from the worm through strong passwords, patches and anti-virus software, he said.

The “Microsoft Security Intelligence Report” is a biannual study of the threat landscape. The data comes from millions of systems around the world and sources such as Hotmail, Bing, and Microsoft Security Essentials.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.