Down but not out: Conficker camouflages new Windows infections
Crippled botnet still dangerous, makes PCs vulnerable to follow-up malware attacks
Computerworld - Windows PCs infected with Conficker are more likely to be compromised by other malware because the worm masks those secondary infections and makes those machines easier to exploit, a security expert said.
That's the biggest reason why Conficker, although crippled and seemingly abandoned by its makers, remains a threat and should be eradicated, said Rodney Joffe, senior technologist at Neustar and a cybersecurity adviser to the White House.
Virginia-based Neustar is an information and analytics provider, and one of the corporate members of the Conficker Working Group (CWG), which has been "sinkholing" the Conficker botnet for more than two years.
"We're pretty sure that [other malware] is using Conficker for cover," Joffe said in an interview Friday. "When we find a machine [harboring Conficker], we usually find that it's been infected by other methods as well."
Conficker provides the cover Joffe talked about because of two defensive tactics designed to keep it alive: The worm disables most antivirus software, including Microsoft's Windows Defender and Security Essentials, and switches off Windows' Automatic Updates, the service used by virtually all Windows users to keep their PCs patched. It also blocks access to security product websites -- preventing signature updates for antivirus software -- and to the Windows Update website.
Without antivirus software, Conficker-infected systems are unlikely to detect and deflect other malware. And if Automatic Updates is disabled, the machine will not receive any new security patches from Microsoft, leaving it open to attack by new threats that exploit those underlying vulnerabilities.
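The two symptoms the article describes, stopped or disabled security and update services and blocked access to update and security-vendor sites, can both be checked from the host itself. The PowerShell below is an added example for that check; it is not code from the article, from Computerworld or from the Conficker Working Group. The service names (wuauserv for Automatic Updates, WinDefend for Windows Defender, MsMpSvc for Security Essentials) and the probe hostnames are assumptions chosen for illustration, and a failed lookup is only suspicious on a machine that is otherwise online.

```powershell
# Added example (not from the article or the Conficker Working Group): a defender's
# host check for the symptoms described above. Service and host names are assumptions.

function Test-ConfickerStyleTampering {
    [CmdletBinding()]
    param(
        # Services that Conficker-style malware stops or disables (assumed names).
        [string[]] $Services = @('wuauserv', 'WinDefend', 'MsMpSvc'),
        # Update and security-vendor hosts whose resolution the worm blocks (assumed).
        [string[]] $Hosts = @('update.microsoft.com', 'www.symantec.com', 'www.mcafee.com')
    )

    $findings = @()

    foreach ($name in $Services) {
        # Win32_Service exposes both the current State and the configured StartMode.
        $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$name'"
        if ($null -eq $svc) {
            # A missing service (e.g. Security Essentials never installed) is not a finding.
            continue
        }
        if ($svc.StartMode -eq 'Disabled' -or $svc.State -ne 'Running') {
            $findings += [pscustomobject]@{
                Check  = "Service $name"
                Detail = "State=$($svc.State) StartMode=$($svc.StartMode)"
            }
        }
    }

    foreach ($h in $Hosts) {
        try {
            # The worm interferes with name resolution for security-related hosts,
            # so a lookup failure on an otherwise online machine is suspicious.
            [void][System.Net.Dns]::GetHostAddresses($h)
        } catch {
            $findings += [pscustomobject]@{
                Check  = "DNS $h"
                Detail = $_.Exception.Message
            }
        }
    }

    return $findings
}

$result = @(Test-ConfickerStyleTampering)
if ($result.Count -eq 0) {
    Write-Output 'No Conficker-style tampering found.'
} else {
    # Any finding is a reason to run one of the free cleaning tools and re-enable updates.
    $result | Format-Table -AutoSize
}
```

Run it in an elevated PowerShell session so the service query is complete; a clean machine prints the "no tampering" line, while a disabled wuauserv or a failing lookup for the vendor hosts is listed as a finding to investigate.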
Joffe confirmed that the CWG continues to register command-and-control (C&C) domains before the hackers do, meaning that instructions issued to the botnet disappear down a metaphorical "sinkhole" and don't reach the compromised computers.
But Joffe said the CWG wasn't sure that all the C&C domains were still under the group's control.
"They have had the ability to take control of parts of the botnet [for some time]," Joffe said, "but they don't seem to be interested in it any longer."
That may be because Conficker's authors have regained control of some of the bots by infecting them with other software. Or if they haven't, other hackers may have done the same.
In either case, it's important to scrub Conficker from Windows PCs, Joffe said. "Even if Conficker fades away, these machines are vulnerable," he said.
Users who suspect Conficker infections can use the CWG's tool to confirm whether the malware is on their machines. Numerous companies, including McAfee, Microsoft, Symantec and Trend Micro, also offer free Conficker cleaning utilities. The CWG's website lists download links to these tools.
Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer, on Google+ or subscribe to Gregg's RSS feed. His email address is email@example.com.