Conficker still a threat, says Working Group

"Conficker typically disables the automatic updates for the Microsoft Windows operating system and turns off traditional anti-virus, but few business organizations are aware of this", Rodney Joffe, director of the Conficker Working Group, told Computer Weekly.

Criminals can identify all IP addresses infected by the Conficker worm and the date infection occurred, he said.

From this information, they will know the vulnerabilities of these IP addresses. They are likely to be vulnerable because they have not received Microsoft security updates from the date of infection and have probably had all AV systems disabled, said Rodney Joffe.

Once a potentially vulnerable IP address is known, criminals can use reverse-mapping technology to identify the organization that IP address belongs to. Criminals can then use the IP address as a way of launching attacks on other machines behind the organization's firewall, he said.

Just because there have been no big attacks linked to Conficker since April 2009, it is dangerous to assume that nothing is happening, said Joffe.

It would be stupid for criminals not to use Conficker, and it is possible the machines dropping off the Conficker Working Group's regular scans are being sold to others to use as potential targets, because most machines infected with Conficker are likely to be susceptible to other attack methods, he said.

The only way organizations can be sure they are not vulnerable is to contact one of the members of the Conficker Working Group to check whether their IP addresses are being picked up in the group's scans, said Joffe. Organizations can do this free of charge.

Businesses and other organizations can also use standalone disinfection tools and check their firewall logs to see if any of the machines within their network have attempted to make any unauthorized connections to Conficker command-and-control centers, he said.

Only through a concerted effort using this approach has the US Federal network been able to reduce the number of infected machines from thousands to below 50, said Joffe.

This story was first published by Computer Weekly
