Down but Not Out: Conficker Camouflages New Windows Infections

Windows PCs infected with Conficker are more likely to be compromised by other malware because the worm masks those secondary infections and makes those machines easier to exploit, a security expert said.

That's the biggest reason why Conficker, although crippled and seemingly abandoned by its makers, remains a threat and should be eradicated, said Rodney Joffe, senior technologist at Neustar and a cybersecurity adviser to the White House.

Virginia-based Neustar is an information and analytics provider, and one of the corporate members of the Conficker Working Group (CWG), which has been "sinkholing" the Conficker botnet for more than two years.

"We're pretty sure that [other malware] is using Conficker for cover," Joffe said in an interview Friday. "When we find a machine [harboring Conficker], we usually find that it's been infected by other methods as well."

Last week, Microsoft said that Conficker infected, or tried to infect, 1.7 million Windows PCs in 2011's fourth quarter. Microsoft called on users to strengthen passwords to stymie the malware.

Conficker provides the cover Joffe talked about because of two defensive tactics designed to keep it alive: The worm disables most antivirus software, including Microsoft's Windows Defender and Security Essentials, and switches off Windows' Automatic Updates, the service used by virtually all Windows users keep their PCs patched. It also blocks access to security product websites -- preventing signature updates for antivirus software -- and to the Windows Update website.

Without antivirus software, Conficker-infected systems are unlikely to detect and deflect other malware. And if Automatic Updates is disabled, the machine will not receive any new security patches from Microsoft, leaving it open to attack by new threats that exploit those underlying vulnerabilities.

Joffe confirmed that the CWG continues to register command-and-control (C&C) domains before the hackers do, meaning that instructions issued to the botnet disappear down a metaphoric "sinkhole" and don't reach the compromised computers.

But Joffe said the CWG wasn't sure that all the C&C domains were still under the group's control.

"They have had the ability to take control of parts of the botnet [for some time]," Joffe said, "but they don't seem to be interested in it any longer."

That may be because Conficker's authors have regained control of some of the bots by infecting them with other software. Or if they haven't, other hackers may have done the same.

In either case, it's important to scrub Conficker from Windows PCs, Joffe said. "Even if Conficker fades away, these machines are vulnerable," he said.

Users who suspect Conficker infections can use the CWG's tool to confirm that the malware is or is not on their machines. Numerous companies, including McAfee, Microsoft, Symantec and Trend Micro, also offer free Conficker cleaning utilities. The CWG's website lists download links to these tools.

Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer, on Google+ or subscribe to Gregg's RSS feed. His email address is gkeizer@computerworld.com.

See more by Gregg Keizer on Computerworld.com.

Read more about malware and vulnerabilities in Computerworld's Malware and Vulnerabilities Topic Center.

Subscribe to the Security Watch Newsletter

Comments