The Conficker Worm
Conficker was so successful because it targeted a specific weakness in the design of the Windows XP operating system, which at the time was the most popular OS in the world. This weakness was a design flaw in one of Windows XP’s network services, tracked as CVE-2008-4250. A network service is essentially an application that runs in the background of your computer and controls communication with other machines on your network. The flaw behind CVE-2008-4250 allowed an attacker to execute arbitrary code on the machine remotely. Conficker also combined multiple advanced malware techniques, which allowed it to defend itself, to propagate, and to evolve.
In 2009, Microsoft Corporation formed an industry collaboration to combat Conficker and posted a $250,000 reward for any information leading to the arrest of its creators or distributors. Still, Conficker’s authors remain unknown and undetected, and the worm still circulates around some of the darker corners of the web.
From the perspective of an antivirus professional, Conficker is the brainchild of some mad though ingenious scientist, hell-bent on destroying, or at the very least disabling, the world. From the perspective of your everyday computer user, Conficker is the digital equivalent of catching a really bad cold.
In either case, it’s quite fascinating to take a look at what made the Conficker worm work and why it still remains a threat today.
How Conficker spread
Conficker was successful because it leveraged a specific vulnerability in the most popular operating system in the world. It also had somewhat of a redundant design. In security systems, redundancy is the degree to which the system is fail safe. A redundant system has multiple layers of protection put in place, so that if one layer fails another can pick up the slack.
Whether they are made for computers or physical buildings, redundant security systems are very effective. In a way, Conficker turned redundancy on its head, taking a multilayered approach to infecting computers. Not surprisingly, it worked like a charm.
Multiple attack vectors
Conficker was designed to be able to spread across numerous vectors, including:
1) Computers that lacked updates
2) Computers with File Sharing enabled
3) Computers with weak passwords
4) Removable flash drives
Vectors 1) and 2) can be attributed to the network-service flaw CVE-2008-4250. Vectors 3) and 4), however, were made possible by additional layers in Conficker’s design.
Weak passwords hacked with dictionary attack
Conficker demonstrates why it is so important for every computer user to use strong, unique passwords. If Conficker came across a computer that was both fully updated and had file sharing disabled, it would then automatically run a dictionary attack to try to bypass that computer’s password protection. A dictionary attack is essentially a guess-and-check approach: it tries to get into your network by entering weak, commonplace passwords one after another.
Conficker was loaded with numerous passwords. Some examples include: password123, admin, coffee, 1234abcd, and unknown. A full list of passwords can be viewed here. As you can see, Conficker’s dictionary attack was surprisingly comprehensive, and because many people don’t take the time to create quality passwords it was also very effective — a fact that still holds true today.
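The defensive counterpart of the dictionary attack described above is a password audit: run every account's password through the same kind of word list before a worm does. The following is an added example, not Emsisoft's code or anything recovered from the worm. The weak-password list is constructed for illustration (its first five entries are the ones quoted in the article), and the "derived from user name" patterns are an assumption about what a dictionary attack typically tries, not a claim about Conficker's actual list.

```python
"""Weak-password audit in the spirit of the Conficker dictionary attack.

Added example (not Emsisoft's code). It checks each account's password
against a small constructed weak-password list plus a few structural
rules, so an administrator can find accounts a dictionary attack would
walk straight through.
"""
import re
import string

# Constructed weak-password dictionary (illustrative, not the worm's real list).
WEAK_PASSWORDS = {
    "password123", "admin", "coffee", "1234abcd", "unknown",
    "password", "123456", "qwerty", "letmein", "welcome",
}

MIN_LENGTH = 12  # assumed policy minimum for this example


def username_derived(username: str, candidate: str) -> bool:
    """True if the password is the user name, its reverse, or the user name
    with up to four digits appended (assumed dictionary-attack patterns)."""
    u = username.lower()
    c = candidate.lower()
    if not u:
        return False
    return c == u or c == u[::-1] or re.fullmatch(re.escape(u) + r"\d{1,4}", c) is not None


def character_classes(candidate: str) -> int:
    """Count how many of lower/upper/digit/symbol classes the password uses."""
    classes = [string.ascii_lowercase, string.ascii_uppercase,
               string.digits, string.punctuation]
    return sum(any(ch in cls for ch in candidate) for cls in classes)


def audit_password(username: str, candidate: str) -> list[str]:
    """Return a list of findings; an empty list means nothing was flagged."""
    findings = []
    if candidate.lower() in WEAK_PASSWORDS:
        findings.append("in weak-password dictionary")
    if username_derived(username, candidate):
        findings.append("derived from user name")
    if len(candidate) < MIN_LENGTH:
        findings.append(f"shorter than {MIN_LENGTH} characters")
    if character_classes(candidate) < 3:
        findings.append("fewer than 3 character classes")
    return findings


def audit_accounts(accounts: dict[str, str]) -> dict[str, list[str]]:
    """Audit a mapping of user name -> password; return only flagged accounts."""
    report = {}
    for user, pw in accounts.items():
        findings = audit_password(user, pw)
        if findings:
            report[user] = findings
    return report


if __name__ == "__main__":
    # Constructed sample accounts for demonstration only.
    sample = {
        "alice": "password123",
        "bob": "bob2009",
        "carol": "Correct-Horse-Battery-9!",
    }
    for user, findings in audit_accounts(sample).items():
        print(f"{user}: {', '.join(findings)}")
```

In a real deployment the audit would run against a password-policy hook or a breach-style word list rather than a ten-entry set, but the shape is the same: the cheapest defence against a dictionary attack is to refuse, at password-set time, anything the dictionary already contains.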
Removable flash drive AutoRun
Conficker was designed to be spread, and part of that design included removable drive infection. If Conficker worked its way onto a computer, it also made efforts to work its way onto any removable drive that was plugged into that computer. This meant that if that drive were plugged into another computer, Conficker would be spread.
Conficker utilized a very crafty AutoRun feature, designed to fool users into installation. If you’ve ever plugged a flash drive into your computer, you may be familiar with AutoRun. AutoRun is that little window that pops up and asks you what you would like to do with your removable media.
Drives that contained Conficker exploited this pop-up window by including an ambiguous entry under AutoRun’s “Install or run a program” heading. This entry carried a nonthreatening folder icon, accompanied by text that would read something like “Open folder to view files”. In reality, however, choosing this entry would trigger Conficker’s installation.
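The disguise described above lives in the drive's autorun.inf: a program launch dressed up with folder wording and a folder icon. The following added example (not Emsisoft's code, and not a sample of the worm's own file) parses an autorun.inf tolerantly, skipping junk lines rather than rejecting the file, and flags that combination. Both sample files and the two heuristics (folder-style action text, icon borrowed from shell32.dll) are constructed for illustration.

```python
"""Flag deceptive autorun.inf files of the kind the article describes.

Added example (not Emsisoft's code). A launch key (open=, shellexecute=,
shell\open\command=) that points at an executable is normal on a driver
or installer disc; it becomes suspicious when the visible action text or
icon pretends the entry merely opens a folder.
"""
import re

EXECUTABLE_RE = re.compile(r"\.(exe|dll|com|scr|bat|cmd|vbs|js)\b", re.IGNORECASE)
FOLDER_WORDING_RE = re.compile(r"open\s+folder|view\s+files|browse", re.IGNORECASE)
LAUNCH_KEYS = ("open", "shellexecute", "shell\\open\\command")

# Constructed sample: an honest installer disc.
BENIGN_SAMPLE = r"""
[autorun]
open=setup.exe
action=Install Vendor Drivers
icon=setup.ico
label=Vendor Driver Disc
"""

# Constructed sample: a program launch disguised as "open folder", with
# junk lines mixed in (a tolerant parser must not choke on them).
DECEPTIVE_SAMPLE = r"""
;random comment
[autorun]
\x00\x7f garbage that is not a key/value pair
action=Open folder to view files
icon=%SystemRoot%\system32\shell32.dll,4
shellexecute=example\payload.exe
"""


def parse_autorun(text: str) -> dict[str, str]:
    """Return key/value pairs of the [autorun] section with lower-cased keys.
    Blank lines, ';' comments and lines without '=' are ignored."""
    entries = {}
    in_autorun = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if in_autorun and "=" in line:
            key, _, value = line.partition("=")
            entries[key.strip().lower()] = value.strip()
    return entries


def launch_targets(entries: dict[str, str]) -> list[str]:
    """Values of every key that causes something to run."""
    return [entries[k] for k in LAUNCH_KEYS if k in entries]


def assess_autorun(text: str) -> list[str]:
    """Return findings; an empty list means nothing suspicious was seen."""
    entries = parse_autorun(text)
    findings = []
    if not any(EXECUTABLE_RE.search(t) for t in launch_targets(entries)):
        return findings  # nothing executes, so there is nothing to disguise
    action = entries.get("action", "")
    if FOLDER_WORDING_RE.search(action):
        findings.append(f"program launch labelled as a folder action: {action!r}")
    icon = entries.get("icon", "")
    if "shell32.dll" in icon.lower():
        findings.append("icon borrowed from shell32.dll (assumed folder-icon mimicry)")
    return findings


if __name__ == "__main__":
    for name, sample in (("benign", BENIGN_SAMPLE), ("deceptive", DECEPTIVE_SAMPLE)):
        print(name, assess_autorun(sample) or "no findings")
```

The parser deliberately does not use Python's configparser: a hostile autorun.inf need not be well-formed, and a detector that raises on the first malformed line is a detector the attacker can switch off. The surest mitigation remains disabling AutoRun for removable media altogether, which Microsoft made the default in later Windows versions.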
What Conficker worm did
Once Conficker was installed onto a computer, it would go through a series of steps, designed to propagate the virus and to establish an impenetrable wall of self-defense.
Change registry settings
In addition to installing itself on a hidden folder, Conficker would change your registry settings so that you had no way of viewing hidden folders. For the average PC user, this was more than enough complexity to allow Conficker to operate undetected.
Disable updates and services
Windows computers have a number of built-in security measures, including an auto-updater, an antivirus program, and a firewall. The Conficker worm was built to disable all of these, so that it could then operate unimpeded.
Once those services were disabled, Conficker would begin to download arbitrary files from a pre-defined set of websites. The end goal of this procedure was essentially to fill your computer with trash and thereby incapacitate it.
Website blocking
Once Conficker began to download files, all but the most naive of computer users would begin to notice that something was wrong. At this point, most people would then attempt to solve the problem by going online and trying to download antivirus software.
Probably the most impressive thing about Conficker was that it prevented people from doing this. Conficker was programmed to block web searches that contained phrases related to antivirus software. Among these phrases were the names of the most popular antivirus programs on the market, including Emsisoft!
Conficker today
As time went on, Conficker was released in 5 different variants. Each variant used some combination of the tools summarized above, and older variants were programmed to update themselves to newer ones once they had run.
Though Microsoft released a patch (MS08-067) for the CVE-2008-4250 network service vulnerability as early as October 2008, Conficker continues to remain a threat to computer users across the world. There are many reasons why Conficker is still potent. While the MS08-067 patch does make Windows computers more secure, and while most updated computers should be immune, there are still a few human factors that allow Conficker to propagate.
Conficker can still get into computers that utilize weak passwords. Actually, any human with the inclination can get into a computer with a weak password. It’s for this reason that we can recommend no simpler and no more effective antivirus measure than changing your password to something nonsensical and complex.
In addition, the Conficker worm still fools people with its AutoRun trick. This means that Conficker is still highly contagious in localized communities where coworkers and friends share flash drives – and the sheer number of computers in the world right now that are still operating on Windows XP gives Conficker ample room to flourish and grow.
Conficker was and still is successful because it utilizes a multipronged, redundant approach that is actually predictive of human behavior. Whoever designed it clearly knew a thing or two about how to program a computer, but they also were well aware of how average computer users think. It is this final aspect that may truly be what separates “successful” viruses from run-of-the-mill rogues and worms. Malware is just as much human deception as it is fooling a machine, and anyone who wants to remain Malware-Free would do well to remember this.
Hackers create viruses because they want to mess with people. Computers are just the vector, and with just a little (computer) information you can stay ahead of the threat and remain in control.
Have a Great (Malware-Free) Day!