A year ago, a variant of the high-profile Conficker worm was all set to stir, programmed to begin receiving update instructions on April 1, with potential consequences being anybody’s guess.
Those fears were unfounded as the worm’s worst impact appeared to be that it installed malware that displays fake antivirus warnings.
The time bomb failed to blow up, and the buzz died down. But a year later several variants of the worm are still around and growing, albeit slowly, causing problems for unsuspecting Windows users.
Conficker caused major headaches for CNET TV associate producer Jason Howell a few weeks ago at the SXSW Interactive show as he tried to edit and publish the Buzz Out Loud podcast.
Howell said Conficker must have been hiding on a Windows-based TriCaster video production device he was using at the conference, on loan from its manufacturer, NewTek. He inserted a USB thumb drive into the device and saw a window pop up for a split second before disappearing. “I thought that was weird,” he said in an interview on Tuesday.
Then he put the thumb drive into his work laptop and got a warning from the antivirus software on the machine that Conficker was installed on the thumb drive. He had the software delete the malware from the USB before it could infect his laptop.
To confirm his suspicions, Howell re-inserted the thumb drive into the TriCaster device and back into the laptop several times and got the warning each time. The problem did not stop there. When he tried working on the TriCaster machine the system began crashing, he said.
“The only way to get Conficker off was to re-install the partition from the disk image,” Howell said. “I had to wipe out the proprietary software and start from scratch.”
Three hours later or so, he was finally able to get the Buzz Out Loud program up on the CNET Web site.
“NewTek cautions people not to install Windows software on the devices because it interferes with the hardware,” which is likely what Conficker was doing, he said.
Howell was able to protect his systems, but many other people get infected and don’t realize it. And it’s popping up in some unexpected places. For instance, Spain-based Panda Security found Conficker, along with malware related to the Mariposa account-data-stealing botnet and a Lineage password-stealing Trojan, on a brand new Android-based Vodafone HTC Magic smart phone in early March.
The ABCs (and E, too) of Conficker
The version of the worm with the April 1, 2009, trigger date, Conficker.C, is dying off, dropping from a high of nearly 1.5 million infections at the time to fewer than 220,000 now, according to Symantec estimates.
However, two earlier versions, Conficker.A and Conficker.B, are on an estimated 6.5 million computers, Symantec said.
Conficker.A, also known as Downadup, exploits a vulnerability in Windows that Microsoft patched in October 2008. Conficker.B added the ability to spread through network shares and via removable storage devices like USB drives, using the AutoRun function in Windows. Conficker.C blocks the computer from reaching security services and Web sites, downloads a Trojan, and reaches out to other infected computers via peer-to-peer networking.
A subsequent variant, dubbed Conficker.E, was released on April 8, 2009, but deleted itself from infected systems on or after May 3, 2009, according to Symantec.
To stay Conficker-free, computer users should keep their antivirus software up-to-date (a move that saved CNET’s Howell) and install the latest security patches for Windows and other software.
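The two spread vectors the article attributes to Conficker.B (AutoRun on removable media and an unpatched Windows) and the advice just given can be checked from a defender's side. The script below is an added example, not code from the article, CNET, Symantec, or Microsoft. The registry key and value it reads (NoDriveTypeAutoRun under the Explorer policy key, where 0xFF disables AutoRun for every drive type), the Win32_LogicalDisk DriveType of 2 for removable disks, and the Get-HotFix cmdlet are standard Windows facilities; the function names and the way the results are combined into a report are this example's own choices.

```powershell
# Added example: audit a Windows host for the AutoRun and patching posture
# relevant to the USB-borne Conficker variants the article describes.
# Function names below are the example's own; the registry and WMI names are
# standard Windows settings.

# 1. AutoRun policy. A NoDriveTypeAutoRun value of 0xFF under either the
#    machine or the user Explorer policy key disables AutoRun for all drive
#    types. Anything else leaves at least one drive class able to launch an
#    autorun.inf automatically.
function Test-AutoRunDisabled {
    $policyKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    )
    foreach ($key in $policyKeys) {
        $value = (Get-ItemProperty -Path $key -Name NoDriveTypeAutoRun `
                   -ErrorAction SilentlyContinue).NoDriveTypeAutoRun
        if ($value -eq 0xFF) { return $true }
    }
    return $false
}

# 2. autorun.inf on removable drives (DriveType 2 in Win32_LogicalDisk).
#    An autorun.inf is legitimate on some media, so a hit is a prompt to
#    inspect the file, not a verdict; a hidden autorun.inf is the more
#    suspicious case and is flagged separately.
function Get-RemovableAutorunInf {
    Get-CimInstance -ClassName Win32_LogicalDisk -Filter 'DriveType = 2' |
        ForEach-Object {
            $inf = Join-Path -Path $_.DeviceID -ChildPath 'autorun.inf'
            if (Test-Path -LiteralPath $inf) {
                $attrs = (Get-Item -LiteralPath $inf -Force).Attributes
                [pscustomobject]@{
                    Drive  = $_.DeviceID
                    File   = $inf
                    Hidden = (($attrs -band [System.IO.FileAttributes]::Hidden) -ne 0)
                }
            }
        }
}

# 3. Patch recency. Report the installation date of the newest hotfix that
#    carries a date; a stale value is a sign the host is not receiving updates.
function Get-LastHotfixDate {
    $latest = Get-HotFix |
        Where-Object { $_.InstalledOn } |
        Sort-Object -Property InstalledOn -Descending |
        Select-Object -First 1
    if ($latest) { return $latest.InstalledOn } else { return $null }
}

# Combine the three checks into one report object. The 90-day threshold for
# "stale" patching is an assumption chosen for this example.
function Get-ConfickerPostureReport {
    $lastPatch = Get-LastHotfixDate
    $staleDays = 90
    [pscustomobject]@{
        ComputerName      = $env:COMPUTERNAME
        AutoRunDisabled   = Test-AutoRunDisabled
        RemovableAutorun  = @(Get-RemovableAutorunInf)
        LastHotfixDate    = $lastPatch
        PatchingLooksStale = ($null -eq $lastPatch) -or
                             ((Get-Date) - $lastPatch).TotalDays -gt $staleDays
    }
}

Get-ConfickerPostureReport | Format-List
```

Run it in an elevated PowerShell session so the machine policy key and the hotfix list are readable. On current Windows releases AutoRun no longer executes autorun.inf from USB media by default, so the first check mostly matters on the older hosts and appliance-style devices (like the video production box in the article) that are still running an unpatched Windows; the hidden autorun.inf check and the patch date are the parts that stay useful everywhere.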
Right now, the worm isn’t really doing much more than spreading to new machines and lurking. It’s a waiting game for law enforcement. Computer owners may not realize they have the worm on their machines, but security researchers know it’s out there and are monitoring the Internet for signs of it coming to life, said Vincent Weafer, vice president of Symantec Security Response.
The infections are primarily on computers in emerging markets, like Asia and Latin America “where there is a higher degree of software piracy,” he said in an interview on Tuesday. Pirated software can’t be updated, so computers running counterfeit copies of Windows will remain unpatched, he said.
“Effectively, nothing has happened to these (infected) machines,” Weafer said. “But that doesn’t mean it won’t happen…it’s still a significant botnet (network of infected bots) sitting out there.”
Most botnets are used to send spam, and they are more effective if they operate under the radar so they can’t be shut down. Conficker made a huge splash in the news, and it’s likely that its creators have abandoned it and that it will eventually fade away, Weafer predicted.
“This is such a high-profile botnet that it makes it very toxic to use,” he said.