Down but not out: Conficker camouflages new Windows infections
Crippled botnet still dangerous, makes PCs vulnerable to follow-up malware attacks
Computerworld - Windows PCs infected with Conficker are more likely to be compromised by other malware because the worm masks those secondary infections and makes those machines easier to exploit, a security expert said.
That's the biggest reason why Conficker, although crippled and seemingly abandoned by its makers, remains a threat and should be eradicated, said Rodney Joffe, senior technologist at Neustar and a cybersecurity adviser to the White House.
Virginia-based Neustar is an information and analytics provider, and one of the corporate members of the Conficker Working Group (CWG), which has been "sinkholing" the Conficker botnet for more than two years.
"We're pretty sure that [other malware] is using Conficker for cover," Joffe said in an interview Friday. "When we find a machine [harboring Conficker], we usually find that it's been infected by other methods as well."
Conficker provides the cover Joffe talked about because of two defensive tactics designed to keep it alive: The worm disables most antivirus software, including Microsoft's Windows Defender and Security Essentials, and switches off Windows' Automatic Updates, the service used by virtually all Windows users keep their PCs patched. It also blocks access to security product websites -- preventing signature updates for antivirus software -- and to the Windows Update website.
Without antivirus software, Conficker-infected systems are unlikely to detect and deflect other malware. And if Automatic Updates is disabled, the machine will not receive any new security patches from Microsoft, leaving it open to attack by new threats that exploit those underlying vulnerabilities.
Joffe confirmed that the CWG continues to register command-and-control (C&C) domains before the hackers do, meaning that instructions issued to the botnet disappear down a metaphoric "sinkhole" and don't reach the compromised computers.
But Joffe said the CWG wasn't sure that all the C&C domains were still under the group's control.
"They have had the ability to take control of parts of the botnet [for some time]," Joffe said, "but they don't seem to be interested in it any longer."
That may be because Conficker's authors have regained control of some of the bots by infecting them with other software. Or if they haven't, other hackers may have done the same.
In either case, it's important to scrub Conficker from Windows PCs, Joffe said. "Even if Conficker fades away, these machines are vulnerable," he said.
Users who suspect Conficker infections can use the CWG's tool to confirm that the malware is or is not on their machines. Numerous companies, including McAfee, Microsoft, Symantec and Trend Micro, also offer free Conficker cleaning utilities. The CWG's website lists download links to these tools.
Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer, on Google+ or subscribe to Gregg's RSS feed . His email address is email@example.com.
Read more about Malware and Vulnerabilities in Computerworld's Malware and Vulnerabilities Topic Center.
- Deep Security +VMware vSphere with Operations Management Most midsize organizations are highly virtualized on VMware, and while this has produced significant savings, it also has created new challenges when it...
- 3 Questions to Ask Your DNS Host about Lowering DDoS Risks Neustar has had wide-ranging conversations with clients wanting to know how they can optimize protection as DDoS attacks increase in frequency and size.
- The Danger Deepens: 2014 Neustar Annual DDoS Attacks and Impact Report This report compares DDoS findings from 2013 to 2012, based on a survey of 440 North American companies, including 139 businesses delivering technology...
- DDoS Infographic: How Are Attacks Evolving? For the third consecutive year, Neustar surveyed businesses across major industries to track the evolution of DDoS attacks. Are they more frequent? Larger?...
- How to Use Crowd-Sourced Threat Intelligence to Stop Malware in its Tracks Threat sharing networks have been around for a long time, however they have typically been "invitation-only", available to only large companies, or those...
- An Incident Response Playbook: From Monitoring to Operations As cyber-attacks grow more sophisticated, many organizations are investing more into incident detection and response capabilities. In this webcast, learn how to develop... All Malware and Vulnerabilities White Papers | Webcasts