'Obstinate' Conficker worm infests millions of PCs years later

Suppressed botnet has 7M Windows machines in its grip three years after it first appeared

1 2 Page 2
Page 2 of 2

That's a frustrating job, said Jose Nazario, the manager of security research at Arbor Networks, a member of the Conficker Working Group (CWG).

"CWG is still active, still sinkholing, still alerting people." said Nazario in an email reply to questions. "We have no plans at present to [end] the sinkhole effort, although with each passing year the question comes up, and it gets harder to keep asking people to keep names pointed at the sinkholes."

Conficker remains active because of the multitude of ways it spreads from one infected PC to another.

"Conficker can travel on its own without the need of C&C servers," noted Andrew Storms, director of operations at nCircle Security. "So it's a bit like a headless hydra, making its way aimlessly."

The most common vector, said Rains, is guessing the administrative password of an infected computer using a hard-coded list of simplistic passwords, such as "12345," "coffee" and "mypassword."

"This list is still being very successful," said Rains, who went on to cite Microsoft-collected data that showed that between 54% and 89% of all Conficker actual or attempted infections were conducted by abusing weak or stolen passwords.

"The call to action is pretty clear," Rains continued. "People inside organizations have to implement strong passwords."

In the 12th edition of its twice-yearly Security Intelligence Report, released yesterday, Microsoft offered companies ways to detect Conficker and clean their networks of the worm.

It also urged all Windows users to ensure they have applied the pertinent patch -- MS08-067 -- and for Windows XP and Vista machines, the March update that disables AutoRun.

The 126-page Security Intelligence Report can be found on Microsoft's website (download PDF).

More information about Conficker is also available on the Conficker Working Group website.

Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer, on Google+ or subscribe to Gregg's RSS feed . His email address is gkeizer@computerworld.com.

See more by Gregg Keizer on Computerworld.com.

Copyright © 2012 IDG Communications, Inc.

1 2 Page 2
Page 2 of 2
7 inconvenient truths about the hybrid work trend
Shop Tech Products at Amazon