Conficker Covers Other Infections

Tuesday, May 1, 2012 @ 07:05 PM gHale

Windows PCs infected with Conficker are more likely to suffer compromise by other malware because the worm masks secondary infections and makes those machines easier to exploit, a security expert said.

That’s the biggest reason why Conficker, although crippled and seemingly abandoned by its makers, remains a threat and should be eradicated, said Rodney Joffe, senior technologist at Neustar and a cyber security advisor to the White House.

Virginia-based Neustar is an information and analytics provider, and one of the corporate members of the Conficker Working Group (CWG), which has been “sinkholing” the Conficker botnet for more than two years.

“We’re pretty sure that [other malware] is using Conficker for cover,” Joffe said. “When we find a machine [harboring Conficker], we usually find that it’s been infected by other methods as well.”

Last week, Microsoft said that Conficker infected, or tried to infect, 1.7 million Windows PCs this past fourth quarter. Microsoft called on users to strengthen passwords to stymie the malware.

Conficker provides the cover Joffe talked about because of two defensive tactics designed to keep it alive: The worm disables most antivirus software, including Microsoft’s Windows Defender and Security Essentials, and switches off Windows’ Automatic Updates, the service used by virtually all Windows users to keep their PCs patched. It also blocks access to security product websites — preventing signature updates for antivirus software — and to the Windows Update website.

Without antivirus software, Conficker-infected systems are unlikely to detect and deflect other malware. And if Automatic Updates ends up disabled, the machine will not receive any security patches from Microsoft, leaving it open to attack by new threats that exploit those underlying vulnerabilities.
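A defender-side health check for the two conditions described above, added here as an illustration and not code from the article, Neustar or the Conficker Working Group. It checks whether the Automatic Updates and Defender/Security Essentials services are stopped or disabled and whether update hosts still resolve; the service names and host list are assumptions chosen for the example.

```powershell
# Added example: checks a Windows PC for the two symptoms the article describes,
# security services switched off and update/security sites unreachable.
# Service names and the host list are assumptions, not taken from the article.

function Test-SecurityServices {
    # Services the article says Conficker disables (names assumed).
    $expected = @{
        'wuauserv'  = 'Windows Update / Automatic Updates'
        'WinDefend' = 'Windows Defender'
        'MsMpSvc'   = 'Microsoft Security Essentials antimalware'
    }
    foreach ($name in $expected.Keys) {
        $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
        if (-not $svc) { continue }    # product not installed on this host
        [pscustomobject]@{
            Service   = $name
            Purpose   = $expected[$name]
            Status    = $svc.Status
            StartType = $svc.StartType
            # Stopped or disabled is suspicious for a service that should run.
            Suspect   = ($svc.Status -ne 'Running' -or $svc.StartType -eq 'Disabled')
        }
    }
}

function Test-SecuritySiteResolution {
    # Update hosts a healthy PC should resolve; list is an assumption,
    # add the security-vendor hosts your own tooling depends on.
    $hosts = @('windowsupdate.microsoft.com', 'update.microsoft.com',
               'www.microsoft.com')
    foreach ($h in $hosts) {
        try {
            $null = [System.Net.Dns]::GetHostAddresses($h)
            $ok = $true
        } catch { $ok = $false }       # resolution failure is the symptom
        [pscustomobject]@{ Host = $h; Resolves = $ok }
    }
}

$services = Test-SecurityServices
$sites    = Test-SecuritySiteResolution
$services | Format-Table -AutoSize
$sites    | Format-Table -AutoSize

if (($services | Where-Object Suspect) -or ($sites | Where-Object { -not $_.Resolves })) {
    Write-Warning 'Security services stopped or update sites unreachable: investigate for tampering.'
}
```

A clean machine reports every service Running and every host resolving; either finding on its own is a reason to run an offline scan rather than trust the host's own antivirus.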

Joffe said the CWG continues to register command-and-control (C&C) domains before the hackers do, meaning that instructions issued to the botnet disappear down a metaphoric “sinkhole” and don’t reach the compromised computers.

Joffe did say, however, the CWG wasn’t sure all the C&C domains were still under the group’s control.

“They have had the ability to take control of parts of the botnet [for some time],” Joffe said, “but they don’t seem to be interested in it any longer.”

That may be because Conficker’s authors regained control of some of the bots by infecting them with other software. Or if they haven’t, other hackers may have done the same.

In either case, it’s important to scrub Conficker from Windows PCs, Joffe said. “Even if Conficker fades away, these machines are vulnerable.”