Downadup/Conficker and April Fool’s Day: One Year Later
As we approach April Fool’s Day 2010, we recognize the one-year anniversary of the Downadup/Conficker threat’s April 1, 2009, “trigger” date. A year ago, the security industry monitored Downadup/Conficker activities to be fortified against the criminal or criminals behind the threat’s next move. Fortunately, Conficker did not turn into a widespread threat or cause the significant damage it had the potential to cause.
Earlier in 2009, the Downadup/Conficker threat roamed the “streets” of the Internet looking for “unlocked doors” (unpatched systems) and computers not protected by “alarm systems” (security software). These computers, which numbered in the millions, were prime targets for the threat, which took advantage of a security vulnerability in the Windows operating system, which Microsoft had actually patched a month before the spread of Downadup/Conficker ever began. Once on a machine, the threat basically allowed the criminal(s) behind it to create for themselves secret admittance onto the infected computer, not unlike having a secret copy of a “key” to the front door, thus also giving the criminal(s) easy access to everything on the “owned” machines.
Today, one year later, we know that the criminal(s) behind Downadup/Conficker still have the keys to some 6.5 million of these computers, which have not been fixed by their owners, leaving them open to be victimized at any time by cybercriminals. We’re still seeing the .A and .B variants of the worm continue to spread, albeit at a much reduced rate.
However, while these infected computers remain wide open to further attack, they are monitored very closely by law enforcement and by members of the Conficker Working Group. Should the criminal(s) attempt to use them, the alarm will sound. So, while these computers are still vulnerable, for criminals, too much attention is often a turn off and will likely prevent them from further playing out their original criminal plans.
Here’s what we know today:
• Approximately 6.5 million systems are still infected with either the .A or .B variants.
• The .C variant, which used a peer-to-peer method of propagating, has been slowly dying out over the past year. From a high of nearly 1.5 million infections in April of 2009, the infection rate has steadily decreased to between 210,000 to 220,000 infections. This indicates some computer users are fixing the issue and getting rid of the infection.
• Symantec also observed another variant, .E, released on April 8, 2009, but this variant deleted itself from infected systems on or after May 3, 2009.
• Thus far, the machines still infected with Downadup/Conficker have not been utilized for any significant criminal activity, but with an army of nearly 6.5 million computers strong, the threat remains a viable one.
Downadup/Conficker served as a great reminder to consumers and businesses alike of what the security industry has been shouting from the rooftops for years:
• Keep security patches up to date. This includes not only patches for the operating system, but for all applications and plug-ins as well. Remember, Downadup/Conficker spread so widely because so many computers simply did not have a simple security patch, released months before the infections ever started, applied. With the IT complexities found in all of today’s enterprises, Symantec encourages companies to implement a patch management solution to ensure all security fixes are implemented in a timely manner.
• Use a robust security software suite that has multiple layers of protection. Furthermore, make sure your security software is always on and up to date. Even patched systems are continuing to become infected. In with the .A and .B variants. In many instances, this is occurring because the worm is being passed on via infected removable media, such as USB thumb drives, that are essentially acting as host carriers. In nearly all cases, up-to-date security software will detect the threat before it has the chance to jump from the removable device to the computer.
• If you happen to be unfortunate enough to already be or to become infected with Downadup/Conficker, please use a reputable removal tool, such as this one from Symantec, to remove the infection from your system. Remember, often times, if you’re not part of the solution, you’re part of the problem.
So, are we out of the woods in terms of Downadup/Conficker? Probably not. It may not be the biggest known botnet—for example, the Mariposa botnet reportedly infected more than 11 million computers during its lifetime—but it’s also nothing to sneeze at. As another point of reference, the well-known Rustock botnet, which sends out 32.8 percent of all spam, is estimated to sit on somewhere between 1.6 and 2.4 million machines. So remember, these 6.5 million computers infected with Downadup/Conficker are still much like a loaded gun, waiting to be fired.
Protections are in place to monitor the botnet’s activity and following the best practices above will go a long way in preventing further infections, but the reality is that until the current infections are completely eradicated, which likely will require a larger, radical action by ISPs, Downadup/Conficker is still a threat.
Symantec has put together the following video highlighting the evolution of Downadup/Conficker to help give computer users background on the threat and information about where it is today: