Down But Not Out: Conficker Camouflages New Windows Infections
Windows PCs infected with Conficker are more likely to be compromised by other malware because the worm masks those secondary infections and makes those machines easier to exploit, a security expert said.
Mon, April 30, 2012
Computerworld — Windows PCs infected with Conficker are more likely to be compromised by other malware because the worm masks those secondary infections and makes those machines easier to exploit, a security expert said.
That's the biggest reason why Conficker, although crippled and seemingly abandoned by its makers, remains a threat and should be eradicated, said Rodney Joffe, senior technologist at Neustar and a cybersecurity adviser to the White House.
Virginia-based Neustar is an information and analytics provider, and one of the corporate members of the Conficker Working Group (CWG), which has been "sinkholing" the Conficker botnet for more than two years.
"We're pretty sure that [other malware] is using Conficker for cover," Joffe said in an interview Friday. "When we find a machine [harboring Conficker], we usually find that it's been infected by other methods as well."
Conficker provides the cover Joffe talked about because of two defensive tactics designed to keep it alive: The worm disables most antivirus software, including Microsoft's Windows Defender and Security Essentials, and switches off Windows' Automatic Updates, the service used by virtually all Windows users keep their PCs patched. It also blocks access to security product websites -- preventing signature updates for antivirus software -- and to the Windows Update website.
Without antivirus software, Conficker-infected systems are unlikely to detect and deflect other malware. And if Automatic Updates is disabled, the machine will not receive any new security patches from Microsoft, leaving it open to attack by new threats that exploit those underlying vulnerabilities.
Joffe confirmed that the CWG continues to register command-and-control (C&C) domains before the hackers do, meaning that instructions issued to the botnet disappear down a metaphoric "sinkhole" and don't reach the compromised computers.
But Joffe said the CWG wasn't sure that all the C&C domains were still under the group's control.
"They have had the ability to take control of parts of the botnet [for some time]," Joffe said, "but they don't seem to be interested in it any longer."
That may be because Conficker's authors have regained control of some of the bots by infecting them with other software. Or if they haven't, other hackers may have done the same.
In either case, it's important to scrub Conficker from Windows PCs, Joffe said. "Even if Conficker fades away, these machines are vulnerable," he said.