Millions Hit with Windows Worm as Infection Spreads

A new variant of a worm that exploits a vulnerability patched by Microsoft in October has infected millions of users, security researchers say. According to experts, the Conficker worm is using multiple mechanisms to spread.

It seems you just can’t keep a good worm down.

Nearly two months after Microsoft first warned of the Conficker worm targeting a vulnerability in its Server service, the number of infected computers is growing rapidly. While there is some dispute about the number of infections—F-Secure puts it at approximately 9 million, though others dispute that—the general consensus from companies such as Symantec and Kaspersky Lab is that the number of infections is in the millions.

At the moment, security researchers can only speculate as to what the intentions of the authors of the worm are. Some security researchers have suggested there may be plans in the works to use the infected computers as a massive botnet.

“[We] haven’t seen it download anything yet,” noted Joe Stewart, director of malware research at SecureWorks. “Technically it already is a botnet, but it just is lacking a viable C&C [command and control] server at the moment. That could change at any time.”

The worm is also referred to by security vendors as Downadup and Kido. Besides targeting the Microsoft flaw, which was patched in October, the latest variant is also spreading through removable media as well as by copying itself to network shares by guessing weak passwords.

These days, network worms need different mechanisms to make their way onto a corporate network, explained Roel Schouwenberg, senior anti-virus researcher at Kaspersky Lab.

“Given the way that the majority of ISPs and corporations function these days—they block quite a number of network ports—it’s very hard for a network worm to get in from the outside,” Schouwenberg said. “During 2008 we’ve seen a huge uprise in the amount of malware that was replicated via Windows’ AutoRun functionality—USB devices—and they are successful in getting onto networks from the inside. So what I think is likely happening is that infected USB sticks are being brought into corporate networks, infecting one workstation, [from] which in turn [the malware] starts to spread across the LAN.”

Still, data from application scanning vendor Qualys indicates that many people have yet to apply the patch released by Microsoft. Qualys CTO Wolfgang Kandek said more than 50 percent of machines were patched after about 30 days. The rate of patching diminished after that, however, apparently leaving millions of machines vulnerable.

“Unfortunately this leaves enough machines to be exploited by the Conficker worm types even today, over 45 days later,” Kandek said. “We would have liked to see a faster reaction by the computer users given the significance of the patch, but there still seems to be a barrier to reach[ing] everybody and mak[ing] them understand the urgency of patching.”

For its part, Microsoft updated its Malicious Software Removal Tool in January to help users clean the latest variant of the worm from their systems.

“The current damage is the mess it causes to networks it infects in terms of cleaning it up from all the computers and USB or network drives, without having it reinfect the computers that have already been cleaned,” Stewart said. “Once it starts dropping payloads, we’ll have a better idea of what it’s designed to really do. I’m putting my money on it installing rogue AV.”