By: Michael Sutton

Why Is Conficker/Downadup Succeeding?

Analysis

It has been a while since we've seen a fast-spreading worm affect a significant volume of victims. This past week, however, a new variant of Conficker (aka Downadup) reportedly infected millions of Windows machines. So-called 'big bang' worms have largely faded from the headlines, not so much for technical reasons as for procedural and motivational ones. On the procedural front, we've shortened patch cycles and locked down external access to and from our networks. From a motivational standpoint, attackers have decided that 'big bang' worms don't meet their needs: they have real financial motivations, and drawing media attention to their efforts is not generally conducive to increasing revenue, so attacks have tended to become increasingly stealthy. Why, then, has Conficker suddenly been so successful? Not surprisingly, the answer lies in weaknesses in enterprise defenses combined with ingenuity on the part of the attackers.

Enterprise Defenses

Patch Management - It would appear that patch cycles aren't so foolproof after all, or at least that there are still enough end users who are not patching machines in a timely fashion. Conficker uses a vulnerability in the Windows Server service (MS08-067) that was patched nearly three months ago as its primary attack vector. Now, a significant portion of the unpatched machines may be home rather than enterprise users, but if you're looking for willing zombies with broadband connections, there's no need to be picky. Some are using the success of Conficker to call for mandatory patching.

Network Shares - Should vulnerability exploitation not succeed, Conficker then looks for network shares protected by weak passwords. While enterprises have significantly locked down the network perimeter over the years, the LAN itself is typically wide open: end users are freely permitted to open network shares, and password strength is not enforced. Companies need to realize that it takes only one infected machine to infect an entire network, and when the majority of computers are laptops that leave the corporate fortress regularly, having a single infected machine is almost a given.
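The share-password guessing described above leaves a distinctive trace on the LAN: one source producing a burst of failed logons against the administrative shares of many neighbours in a short window, which no legitimate user does. The following is an added detection example, not code from the original post or from Zscaler; the log format, the field names and the sample events are all constructed for illustration, and the thresholds are assumptions to be tuned against your own baseline.

```python
"""Flag hosts that guess share passwords across many neighbours.

Constructed log format (one event per line):
    <ISO timestamp> src=<ip> dst=<ip> share=<name> user=<name> result=FAIL|SUCCESS
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: 10.0.5.23 is an infected laptop cycling a short
# password list against the ADMIN$ share of three neighbours; 10.0.5.77
# is a user who mistyped a password twice before getting in.
SAMPLE_EVENTS = """\
2009-01-15T10:02:11 src=10.0.5.23 dst=10.0.5.40 share=ADMIN$ user=Administrator result=FAIL
2009-01-15T10:02:12 src=10.0.5.23 dst=10.0.5.40 share=ADMIN$ user=Administrator result=FAIL
2009-01-15T10:02:13 src=10.0.5.23 dst=10.0.5.40 share=ADMIN$ user=Administrator result=FAIL
2009-01-15T10:02:14 src=10.0.5.23 dst=10.0.5.40 share=ADMIN$ user=Administrator result=FAIL
2009-01-15T10:02:20 src=10.0.5.23 dst=10.0.5.41 share=ADMIN$ user=Administrator result=FAIL
2009-01-15T10:02:21 src=10.0.5.23 dst=10.0.5.41 share=ADMIN$ user=Administrator result=FAIL
2009-01-15T10:02:22 src=10.0.5.23 dst=10.0.5.41 share=ADMIN$ user=Administrator result=FAIL
2009-01-15T10:02:23 src=10.0.5.23 dst=10.0.5.41 share=ADMIN$ user=Administrator result=FAIL
2009-01-15T10:02:31 src=10.0.5.23 dst=10.0.5.42 share=ADMIN$ user=Administrator result=FAIL
2009-01-15T10:02:32 src=10.0.5.23 dst=10.0.5.42 share=ADMIN$ user=Administrator result=FAIL
2009-01-15T10:02:33 src=10.0.5.23 dst=10.0.5.42 share=ADMIN$ user=Administrator result=FAIL
2009-01-15T10:02:34 src=10.0.5.23 dst=10.0.5.42 share=ADMIN$ user=Administrator result=FAIL
2009-01-15T10:05:02 src=10.0.5.77 dst=10.0.5.40 share=Projects user=jsmith result=FAIL
2009-01-15T10:05:09 src=10.0.5.77 dst=10.0.5.40 share=Projects user=jsmith result=FAIL
2009-01-15T10:05:15 src=10.0.5.77 dst=10.0.5.40 share=Projects user=jsmith result=SUCCESS
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"share=(?P<share>\S+) user=(?P<user>\S+) result=(?P<result>\S+)$"
)


def parse_events(text):
    """Parse the constructed log format into a list of dicts; reject junk lines."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        match = LINE_RE.match(line)
        if match is None:
            raise ValueError(f"unparseable line: {line!r}")
        record = match.groupdict()
        record["ts"] = datetime.strptime(record["ts"], "%Y-%m-%dT%H:%M:%S")
        events.append(record)
    return events


def find_sprayers(events, window=timedelta(minutes=5), min_failures=8, min_targets=3):
    """Return {src: {"failures": n, "targets": m}} for sources whose failed
    logons inside any `window` hit at least `min_failures` attempts against
    at least `min_targets` distinct hosts. Thresholds are assumptions."""
    failures_by_src = defaultdict(list)
    for event in events:
        if event["result"] == "FAIL":
            failures_by_src[event["src"]].append(event)

    hits = {}
    for src, fails in failures_by_src.items():
        fails.sort(key=lambda e: e["ts"])
        best = None
        start = 0
        # Sliding window over this source's failures, oldest first.
        for end in range(len(fails)):
            while fails[end]["ts"] - fails[start]["ts"] > window:
                start += 1
            chunk = fails[start:end + 1]
            targets = {e["dst"] for e in chunk}
            if len(chunk) >= min_failures and len(targets) >= min_targets:
                candidate = {"failures": len(chunk), "targets": len(targets)}
                if best is None or candidate["failures"] > best["failures"]:
                    best = candidate
        if best is not None:
            hits[src] = best
    return hits


if __name__ == "__main__":
    for src, info in find_sprayers(parse_events(SAMPLE_EVENTS)).items():
        print(f"{src}: {info['failures']} failed logons against {info['targets']} hosts")
```

The key distinction is the number of distinct targets, not the raw failure count: a forgotten password produces repeated failures against one host, while a worm walks the subnet. Requiring several targets in the window keeps the typo case out of the alert queue.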

Attack Techniques

Multi-faceted - Conficker is a hard-working worm. It attempts to exploit machines vulnerable to MS08-067, spreads via network shares and even copies itself to connected removable storage devices. While leveraging multiple attack vectors is not a new technique for malware writers, Conficker's authors were wise to choose paths that cover a lot of ground. Rather than just hammering away at a list of known vulnerabilities, which on a given network are likely to be either all exposed or all patched, Conficker tries exploitation, brute force and piggybacking on removable media.

Dynamic Domain Names - Once a machine is infected, Conficker attempts to contact other attacker-controlled machines in order to retrieve additional code. Rather than using a round robin of hard-coded domain names or IP addresses, which defenders could simply enumerate and block, Conficker can contact any of thousands of potential domain names. Those controlling Conficker need only register the specific names they intend to use and ignore the rest. Taking down all of the domain names would be time consuming and in most cases a waste of time, as most of them may never be used.
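To make the asymmetry concrete, here is an added example of how such a scheme works from both sides: a date-seeded generator that the worm and its operators share, and the defender's answer to it, which is to recover the algorithm, precompute the same candidate list for the coming days and match it against DNS logs rather than chase registrations one at a time. This is illustrative code written for this post, not Conficker's actual algorithm and not code from the original post or from Zscaler; the seed constant, the domain shape, the TLD set and the DNS log format are all assumptions.

```python
"""Hypothetical date-seeded domain generation and defender-side matching."""
import hashlib
from datetime import date, timedelta

# Assumption: a constant baked into the sample, shared by bot and operator.
SEED = b"hypothetical-family-seed"
TLDS = ("com", "net", "org")


def generate_domains(day, count=250):
    """Derive `count` candidate domains for `day` from SEED via SHA-256.

    Every copy of the bot computes the same list for the same day, so the
    operator can register any one entry in advance and be found.
    """
    domains = []
    for index in range(count):
        digest = hashlib.sha256(
            SEED + day.isoformat().encode() + index.to_bytes(2, "big")
        ).digest()
        length = 8 + digest[0] % 5                      # label of 8..12 letters
        label = "".join(chr(ord("a") + b % 26) for b in digest[1:1 + length])
        tld = TLDS[digest[31] % len(TLDS)]
        domains.append(f"{label}.{tld}")
    return domains


def build_blocklist(start, days=3, count=250):
    """Defender side: precompute every candidate for a range of days."""
    block = set()
    for offset in range(days):
        block.update(generate_domains(start + timedelta(days=offset), count))
    return block


def match_dns_log(lines, blocklist):
    """Return (client, qname) pairs whose query lands in the blocklist.

    Constructed log format: "<timestamp> <client-ip> <qname>".
    """
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) != 3:
            continue                                    # skip malformed lines
        _, client, qname = parts
        if qname.rstrip(".").lower() in blocklist:
            hits.append((client, qname))
    return hits


def build_sample_log(day):
    """Constructed DNS log: two benign lookups plus one generated candidate."""
    candidate = generate_domains(day)[3]
    return [
        "2009-01-15T09:00:01 10.0.5.23 www.example.com",
        f"2009-01-15T09:00:02 10.0.5.23 {candidate}",
        "2009-01-15T09:00:03 10.0.5.77 update.example.net",
    ]


if __name__ == "__main__":
    today = date(2009, 1, 15)
    blocklist = build_blocklist(today)
    for client, qname in match_dns_log(build_sample_log(today), blocklist):
        print(f"{client} asked for generated domain {qname}")
```

Note the cost on each side: the operator registers one name per day, while the defender who has the algorithm blocks or sinkholes 250 per day for as many days ahead as they like, at the cost of a hash per name. Without the algorithm, the defender is left reacting to whichever single name the operator picked.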

Is Conficker an anomaly or a sign of things to come? While I don't expect to see a resurgence of 'big bang' worms, I do expect malcode authors to learn from Conficker's successes. In the meantime, grab the latest copy of the Microsoft Malicious Software Removal Tool to ensure that you're not infected.

- michael
