It was deemed one of the scariest pieces of malware of the past decade, and yet when the world expected it to unleash its full wrath, nothing happened. The Conficker worm is a tale of irony, one whose initial mood of doom and gloom turned out to be unsubstantiated hype. Even so, the worm still managed to infect millions of computers, and the complexity of its code and its adeptness at propagation intrigued security experts.
What Does the Conficker Worm Do?
When activated, Conficker copies itself into system folders as a DLL file with a random name. It then modifies the Windows registry so that svchost.exe, a legitimate Windows service host process, loads the malicious DLL at system boot.
The worm, which is also known as Downadup and Kido, has five variants with different defense mechanisms against security tools and user intervention. These mechanisms include blocking DNS lookups, disabling Safe Mode, deleting System Restore points and forcing installed security software to terminate. One known variant, Conficker.E, may download and install other malware, such as the Waledac spambot and the SpyProtect 2009 scareware.
Conficker is programmed to contact its creators over the Internet via a number of pseudorandom URLs, which change daily in order to conceal its activity from cybersecurity professionals. The worm’s creators need only register one of that day’s URLs and leave instructions and updates there for the worm to find and download. If installed, these updates would help the worm circumvent new security enhancements meant to stop it.
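As an added example (not code from the original article), the following script shows how a defender could spot the daily-changing pseudorandom lookup pattern described above in a DNS resolver log: a host that queries many distinct, vowel-poor second-level labels and gets mostly NXDOMAIN answers is flagged. The log line format, the thresholds and the sample lines are all constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample resolver log (not a real capture):
# "<time> <client_ip> <query_name> <rcode>", one query per line.
SAMPLE_LOG = """\
09:00:01 10.0.0.5 www.example.com NOERROR
09:00:02 10.0.0.5 mail.example.com NOERROR
09:00:03 10.0.0.9 qwkzpa.net NXDOMAIN
09:00:03 10.0.0.9 xcbtrlv.org NXDOMAIN
09:00:04 10.0.0.9 jmpqdi.info NXDOMAIN
09:00:04 10.0.0.9 zkwrxn.biz NXDOMAIN
09:00:05 10.0.0.9 vhqtls.com NXDOMAIN
09:00:05 10.0.0.9 bgnktw.net NOERROR
09:00:06 10.0.0.5 wwww.example.com NXDOMAIN
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(NOERROR|NXDOMAIN|SERVFAIL)$")


def second_level(name):
    """Return the label left of the TLD, e.g. 'example' for 'www.example.com'."""
    parts = name.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def vowel_ratio(label):
    """Fraction of letters that are vowels; generated labels tend to score low."""
    letters = [c for c in label if c.isalpha()]
    return sum(c in "aeiou" for c in letters) / len(letters) if letters else 0.0


def profile_clients(log_text):
    """Per client: total queries, NXDOMAIN count, and the set of labels queried."""
    stats = defaultdict(lambda: {"queries": 0, "nxdomain": 0, "labels": set()})
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not match the assumed format
        _, client, qname, rcode = m.groups()
        s = stats[client]
        s["queries"] += 1
        s["labels"].add(second_level(qname))
        s["nxdomain"] += rcode == "NXDOMAIN"
    return stats


def suspicious_clients(log_text, min_distinct=5, min_nx_ratio=0.5, max_vowel_ratio=0.25):
    """Clients querying many unresolvable, random-looking labels (assumed thresholds)."""
    flagged = []
    for client, s in profile_clients(log_text).items():
        distinct = len(s["labels"])
        nx_ratio = s["nxdomain"] / s["queries"]
        mean_vowels = sum(vowel_ratio(l) for l in s["labels"]) / distinct
        if distinct >= min_distinct and nx_ratio >= min_nx_ratio and mean_vowels <= max_vowel_ratio:
            flagged.append(client)
    return sorted(flagged)
```

Running `suspicious_clients(SAMPLE_LOG)` flags only 10.0.0.9; the single typo-driven NXDOMAIN from 10.0.0.5 does not cross the distinct-label threshold.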
How Does the Conficker Worm Spread?
The worm may spread by taking advantage of a vulnerability in the Microsoft Server service that allows remote code execution. Computers and servers without the security patch MS08-067 are susceptible to attacks.
If an infected computer is part of a local network, Conficker can perform brute-force attacks on other connected computers or hosts to obtain administrator passwords, gain unauthorized access and make copies of itself in system folders of those computers.
Another way Conficker propagates is through USB drives and other removable media. The worm modifies a file on the removable drive so that an extra option appears in the AutoPlay dialog box. Choosing that option executes the worm, further spreading the infection.
Where Did the Conficker Worm Come From?
The first variant of Conficker appeared in November 2008, and four more variants followed within five months. Security professionals expected the worm to cause significant damage on April 1, 2009, the date believed to be when the creators of the worm would send instructions to the infected computers and wreak havoc.
Luckily, nothing significant happened that day, even though the worm had the destructive potential to, say, destroy files, steal information and launch distributed denial-of-service (DDoS) attacks. The attention that the worm obtained from the media and IT security companies was said to be one reason why the worm’s creators didn’t finish whatever they wanted to accomplish—it blew their cover. Given that one Conficker variant installed additional malware, the end goal seemed to be monetary gain by selling fake security software and creating a botnet to distribute spam.
Nevertheless, the worm did make an impact. At its peak, Conficker infected roughly 15 million computers by spreading via network shares and USB drives. Major systems and networks, including networks used by armed forces, hospitals and government departments, were forced to halt their operations and spend millions of dollars to remove the infection. The worm’s estimated economic cost could be as high as $9.1 billion, according to the Cyber Secure Institute.
None of this would have happened had home users and IT professionals promptly applied the MS08-067 patch to the computers in their networks. Microsoft issued the patch almost a full month before Conficker began to spread.
To this day, no one knows who created Conficker. One variant of the worm, however, was designed not to infect computers with a Ukrainian keyboard layout or IP address, leading some to suggest that the worm came from Ukraine. Microsoft placed a $250,000 bounty as an incentive to help catch the perpetrators. So far, the bounty remains unclaimed.
How Prevalent Is the Conficker Worm Today?
Microsoft and many industry groups have made efforts to stop Conficker’s propagation, but the worm remains one of the most prolific threats today. It accounts for between 10 and 20 percent of recent detections, with somewhere from 500,000 to 1 million computers still infected. One major reason for the worm’s continued prevalence is that consumers and businesses neglect to roll out security patches to their systems.
The infection isn’t isolated to personal computers. In November 2015, security firm iPower discovered that police body cameras by Martel Electronics were preloaded with Conficker.
How Can You Protect Yourself From the Conficker Worm?
Conficker, as of this writing, is nearly eight years old, and almost every antivirus available today can detect and quarantine the worm before it spreads. Installing an antivirus with capable real-time scanning and detection is recommended to protect your computer from Conficker and other malware threats.
Windows 7 (post-beta) and later versions of Microsoft’s operating system have hardcoded security enhancements that make them immune to Conficker, but users are nevertheless urged to get the latest security patches on a regular basis. Users of Windows Vista, XP and earlier versions must download and apply the appropriate updates specified by the MS08-067 security bulletin. They should also change the behavior of the AutoRun functionality to prevent the worm’s propagation via removable media.
To prevent brute-force attacks from succeeding, every administrator account on the computer must have a strong, unique password. Follow best practices for password management.
Does Your Computer Have the Conficker Worm?
A Conficker infection on a Windows computer may show several signs and symptoms. For one, Automatic Updates, Background Intelligent Transfer Service, Error Reporting Service, Windows Defender and other system services may behave erratically or stop functioning altogether. Third-party security applications, such as antiviruses and firewalls, may also be deactivated.
Users may not be able to access some websites, because Conficker actively blocks URLs that contain “avast,” “malware,” “microsoft,” “spyware” and other keywords related to computer security. Users may also notice network congestion and slowdowns caused by the worm’s efforts to spread its payload. Users whose computers have account lockout policies enabled may be locked out of their accounts as Conficker carries out its brute-force attacks.
How Do You Remove Conficker?
Microsoft freely offers the Safety Scanner for download. It’s an on-demand malware scanner that automatically cleans a Conficker-infected computer. The company’s Malicious Software Removal Tool, along with the following solutions by several security vendors, can also eradicate the worm:
- Conficker Removal Tool by Sophos
- McAfee Stinger
- AVG Conficker Removal Tool
- Norton Power Eraser
- Kaspersky special utility
As mentioned above, the worm may stop you from accessing these download links. You may need to use another computer, one that is free of infection, to get the removal tools. Copy the tools to a USB drive (or, better still, burn them to an optical disc), bring the media to the infected computer, and run the tool from there.
Note that these applications are designed for cleaning systems that have already been infected by malware. To prevent future threats, download and install a good antivirus with real-time protection.