After 12 Years, Malware’s Puzzling Nuisance Worm Conficker Refuses To Die

Years after it first spread, nobody knows for sure what Conficker was for. (Image: Getty)

What ranks as history’s most successful malware? Depending on who you ask, the names that come up are usually destructive spectaculars such as NotPetya and WannaCry from 2017, or perhaps the panic-inducing SQL Slammer worm from 14 years earlier.

It all depends what you mean by successful, of course, but my choice would be Conficker (aka Downadup), a sophisticated 2008 Windows worm that threatened mayhem and then went quiet not long afterwards, before anyone could fathom its true purpose.

After an initial surge in which it co-opted 10 to 15 million PCs, experts have tracked its slow decline toward an obscurity it still looks some way off reaching.

That’s the thing about Conficker. Quickly abandoned by its unknown makers, it has stuck around. It’s not unusual for old malware to linger, but the scale of Conficker’s initial success, allied to its worm design, has sealed what is turning into a remarkable longevity.

Five years later, Trend Micro reckoned it was still detecting Conficker almost two million times, placing it among the top malware infections that year by volume. It quickly dropped to hundreds of thousands of PCs, but in 2017 it was still popping up on the detection radar 20,0000 times a month.

And there, it seems, it has stayed, with anti-malware company BitDefender telling me it still registers up to 150,000 Conficker detections per month, predominantly in Brazil, India, Thailand, and the Philippines.

Whether this is a small number depends on your perspective. Being a worm, Conficker spreads automatically from one vulnerable Windows computer to another, via USB drives or network shares, until there are no vulnerable systems left to target.

Even when a system isn’t vulnerable to Conficker, the worm can still cause trouble by attempting to brute-force admin passwords, locking staff out of an account once the failed-login threshold is exceeded.
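The lockout side effect described above is also the easiest place to spot an old worm still guessing passwords on a network: a single host generating a burst of failed logons against an admin account, followed by a lockout event. The script below is an added example, not code from the article or from BitDefender; it runs a sliding-window failure count over a constructed, simplified rendering of Windows Security events 4625 (failed logon) and 4740 (account locked out). The four-column line layout, the sample addresses and the threshold values are assumptions chosen for illustration, not a real log format.

```python
"""Flag hosts that produce bursts of failed logons of the kind a
password-guessing worm generates, and pair them with any lockouts.

Added example; the log lines below are constructed, not real telemetry.
Line layout (timestamp, event id, account, source IP) is a simplified,
assumed rendering of Windows Security events 4625 and 4740."""

from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample: one host hammering an admin account until it locks,
# plus a user who mistypes a password a few times over an hour (benign).
SAMPLE_LOG = """\
2020-09-10T08:00:01 4625 Administrator 10.0.5.17
2020-09-10T08:00:02 4625 Administrator 10.0.5.17
2020-09-10T08:00:02 4625 Administrator 10.0.5.17
2020-09-10T08:00:03 4625 Administrator 10.0.5.17
2020-09-10T08:00:03 4625 Administrator 10.0.5.17
2020-09-10T08:00:04 4625 Administrator 10.0.5.17
2020-09-10T08:00:05 4740 Administrator 10.0.5.17
2020-09-10T08:05:00 4625 jsmith 10.0.2.40
2020-09-10T08:05:30 4625 jsmith 10.0.2.40
2020-09-10T09:30:00 4625 jsmith 10.0.2.40
"""


def parse_log(text):
    """Parse the simplified log into (timestamp, event_id, account, source) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, eid, account, source = line.split()
        events.append((datetime.fromisoformat(ts), int(eid), account, source))
    return events


def failed_logon_bursts(events, threshold=5, window=timedelta(seconds=60)):
    """Return {source: max 4625 events seen inside any sliding window}
    for sources that reached the threshold at least once."""
    recent = defaultdict(deque)   # per-source timestamps inside the window
    flagged = {}
    for ts, eid, account, source in sorted(events):
        if eid != 4625:
            continue
        q = recent[source]
        q.append(ts)
        while q and ts - q[0] > window:   # drop timestamps older than the window
            q.popleft()
        if len(q) >= threshold:
            flagged[source] = max(flagged.get(source, 0), len(q))
    return flagged


def lockouts_by_source(events):
    """Map each source IP to the sorted list of accounts it got locked out (4740)."""
    out = defaultdict(set)
    for _ts, eid, account, source in events:
        if eid == 4740:
            out[source].add(account)
    return {src: sorted(accts) for src, accts in out.items()}


def report(text, threshold=5, window=timedelta(seconds=60)):
    """Combine burst detection and lockouts into one per-source summary."""
    events = parse_log(text)
    bursts = failed_logon_bursts(events, threshold, window)
    locks = lockouts_by_source(events)
    return {
        src: {"max_failures_in_window": n, "locked_accounts": locks.get(src, [])}
        for src, n in bursts.items()
    }


if __name__ == "__main__":
    for src, info in report(SAMPLE_LOG).items():
        print(f"{src}: {info['max_failures_in_window']} failures within 60s; "
              f"locked out: {info['locked_accounts']}")
```

On the constructed sample only 10.0.5.17 is flagged (six failures in four seconds, then a lockout of Administrator); the slow trickle from 10.0.2.40 never fills the window. Tuning the threshold and window to the domain’s actual lockout policy keeps the check aligned with the behaviour it is meant to catch: a machine that repeatedly trips lockouts from the same source is the kind of host worth isolating and imaging rather than just unlocking the account again.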

Although Conficker was unleashed in the era of Windows XP and Server 2008, true to its zombie status it has even been detected by AV trying to target later versions. “I’ve seen Windows 10 machines too,” comments BitDefender senior cybersecurity analyst Liviu Arsene, noting its nuisance value. But it’s the population of old machines that is keeping Conficker alive, he says, even if most anti-virus companies now lump Conficker under a generic detection heading.

The prolonged tail

Another way to think about old malware is to look for machines that have yet to be patched against the software vulnerabilities many of these programs exploited. While that doesn’t tell you much about malware such as Conficker directly, it offers a clue to their long lives.

Stats shared by vulnerability management company Edgescan show that the flaw Conficker targeted, CVE-2008-4250, registers only a trickle of detections among its specialised customer base.

That’s to be expected: as users of a vulnerability management product, Edgescan’s customers are the sorts of organizations that understand the importance of closing 12-year-old vulnerabilities.

But the number of old, unpatched vulnerabilities the company uncovered was still surprising, including a dozen detections of flaws connected to the Nimda worm from 1999 and to 2010’s Stuxnet.

“I can’t see this being any other way for the foreseeable future until there is some big shift in how people manage their vulnerabilities. It’s like an information technology hangover,” says Edgescan COO and cofounder, Rahim Jina.

“If managing vulnerabilities was easy, you wouldn’t have such a widespread problem with this.” For much older equipment in manufacturing, retail, and the medical world, “if you patch one thing, then the whole product might not work.”

Some of Edgescan’s customers are still using XP for specific applications such as ATMs, and when they upgrade it’s often to Windows 7, he confirms.

This explains why, years after it promised but failed to create mayhem, Conficker continues to flicker like an unreliable lightbulb nobody can reach to change. That wouldn’t matter, except that Conficker is jumping from machine to machine across systems that are obviously still being used by someone to do something.

A lot of this equipment is not only old but has been abandoned by its makers to sink or swim. It’s always the job of the owner to turn it off, not the vendor that made it. Despite the occasional rumor, whatever harm this might be causing remains out of sight.

Collectively, this is the prolonged tail of old, unpatched or unpatchable equipment that soldiers on in a way that keeps old-concept malware such as Conficker on life support.

How long will this last? After 12 years, it’s likely that Conficker will be with us for at least as long again. This was unimaginable when it struck in 2008, but we now know this is how the generation of malware it was born into works: if you find a potent enough weakness, that weakness probably reveals something about the fragility of modern software.

“As long as there is a single machine infected, it will attempt to target other Windows machines,” says BitDefender’s Liviu Arsene.