Thursday marks the first anniversary of the much hyped Conficker trigger date. Little of note happened on 1 April 2009 and machines infected by Conficker (aka Downadup) remain largely dormant, but an estimated 6.5 million Windows PCs remain infected with the threat.
These machines are "wide open to further attacks", net security firm Symantec warns.
The rascals behind the worm remain unknown and the purpose of the malware unclear. Some in the anti-virus industry, such as Raimund Genes, CTO of Trend Micro, reckon the malware was designed to distribute scareware (fake anti-virus scanners designed to nag victims into buying software of little or no utility, often on the basis of false warnings of Trojan infection).
Machines infected with the C variant of Conficker subsequently became infected with Spyware Protect 2009 (a scareware package) and the Waledac botnet client, a factor that supports this theory. Infected machines are closely monitored by law enforcement and by members of the Conficker Working Group, a factor that goes a long way towards explaining why crooks have not used the huge botnet under their control to send spam, launch a denial of service attack or any other form of high visibility attack.
The first version of Conficker began spreading in November 2008, initially using a recently patched Microsoft Windows vulnerability to infect systems. Later its capability of jumping from infected USB sticks onto PCs or via weakly secured network shares became more important. Early victims included the Houses of Parliament, the Ministry of Defence and Manchester City Council.
More recently Greater Manchester Police, which was forced to unplug itself from the Police National Computer for five days in February in order to carry out a clean-up operation, and several hospitals in the UK were laid low by Conficker. Orla Cox, security operations manager at Symantec Security Response, said that “Conficker may not be the biggest known botnet on the block, but it still has the potential to do serious harm”.
Approximately 6.5 million systems are still infected with either the A or B variants of Conficker. The C variant, which used a P2P method of spreading, has been slowly dying out over the past year as victims clean up their systems.
Around 210,000 machines are reckoned to be infected with this variant, down from an April 2009 peak of 1.5 million victims. Another variant, Conficker-E, emerged on last April but was programmed to delete from infected systems a month later and has all but disappeared.
Symantec has published a video charting the evolution of Conficker. The clip also runs through a list of suggested countermeasures, such as keeping systems fully patched and running up to date anti-virus (natch). ®