Conficker Remains a Threat

Results

The figure below shows an analysis of three weeks of telemetry data of active Conficker installations or installation attempts.

Propagation methods used by Win32/Conficker variants in 2H11, by percent of all attempted attacks detected

Worm Variant             Credential-based attack   Preexisting infection   Exploit   Autorun abuse attempt
Worm:Win32/Conficker.A   —                         58%                     42%       —
Worm:Win32/Conficker.B   61%                       14%                     17%       8%
Worm:Win32/Conficker.C   61%                       15%                     24%       *
Worm:Win32/Conficker.D   —                         100%                    —         —
Overall                  60%                       15%                     20%       6%

* Autorun files for variants B and C are identical, and accordingly are all grouped with Conficker.B in this chart.

Most of the analyzed incidents (60 percent) involved credential-based attacks, with the remaining 40 percent including all other known propagation methods. The second-greatest number of incidents in the specified timeframe (20 percent) exploited the CVE-2008-4250 vulnerability on computers that had not yet been updated with Security Bulletin MS08-067, despite the fact that the update had been released more than two years before. The third-greatest number of analyzed incidents (15 percent) involved infections that were present on the computer before the installation of the antimalware product that detected and removed the infection. Finally, only 6 percent of incidents that were observed in the specified timeframe involved abuse of the Autorun feature in Windows. The release of an update that hardened the Autorun feature in Windows XP and Windows Vista may have helped achieve this relatively low percentage.

This attack pattern suggests that improving credential policies and practices is one of the most important steps computer administrators can take to effectively combat the spread of Conficker. Domain administrators can use Active Directory® Domain Services (AD DS) to define and enforce Group Policy Objects (GPOs) that require users to create complex passwords. If local passwords are used for some resources in an organization, resource owners should be required or encouraged to use strong passwords for them as well.

When considered from the perspective of the affected operating system, it becomes clearer that credential-based attacks on file shares are the primary mechanism Conficker uses to compromise computers running recent versions of the Windows operating system, as shown in the figure below.

Blocked Conficker infection attempts by operating system

Operating System   Credential-based attack   Exploit   Autorun abuse attempt
Windows 2003       81%                       19%       1%
Windows XP         54%                       43%       2%
Windows Vista      84%                       —         16%
Windows 7          89%                       —         11%

Windows 7 was never vulnerable to CVE-2008-4250 exploits, and although Windows Vista was vulnerable, no exploit attempts were observed in the measurement period. Network Inspection System (NIS), a feature of Microsoft Security Essentials and Microsoft Forefront® Threat Management Gateway, blocks exploit attempts on vulnerable computers running Windows Vista and other recent versions of Windows, which prevents the Conficker worm from exploiting the CVE-2008-4250 vulnerability. Windows 7 was also far more difficult to attack through Autorun feature abuse: although Autorun abuse attempts were observed and blocked on 11 percent of Windows 7 systems, they would not have been successful because of the restricted Autorun policy on that platform.

The Conficker worm may or may not have had as great an effect as its creators expected, but it continues to search for new victims. Although installing all relevant security updates and hardening the Autorun feature in Windows can close off several Conficker attack vectors, this analysis of the worm’s attacks shows that using weak passwords for network and local resources can still leave computers at significant risk of infection. To effectively defend against Conficker and similar malware families, responsible computer administrators should develop a multifaceted strategy that includes strong passwords, quick deployment of security updates, and the use of regularly updated, real-time antimalware software.
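The password-policy guidance above and the multifaceted strategy in the preceding paragraph translate into a per-host check. The following PowerShell audit is an added example, not code from the report or from Microsoft; it assumes a domain-joined host with the ActiveDirectory module, and the thresholds (12-character minimum, lockout within 10 attempts) and the use of the NoDriveTypeAutoRun policy value 0xFF as the "hardened Autorun" state are this example's own assumptions rather than figures from the report.

```powershell
#Requires -Modules ActiveDirectory
# Added audit example; not code from the Microsoft report. Assumes a domain-joined
# host with the ActiveDirectory module. The thresholds (12 characters, lockout
# within 10 attempts) and NoDriveTypeAutoRun = 0xFF as the "hardened Autorun"
# state are this example's assumptions, not figures from the report.

function Test-ConfickerDefenses {
    [CmdletBinding()]
    param(
        [int]$MinPasswordLength = 12,
        [int]$MaxLockoutThreshold = 10
    )
    $findings = New-Object 'System.Collections.Generic.List[string]'

    # Credential-based attacks (60% of incidents in the report): the default
    # domain policy should require complexity, a minimum length and lockout,
    # so that a worm cannot keep guessing weak share passwords indefinitely.
    $policy = Get-ADDefaultDomainPasswordPolicy
    if (-not $policy.ComplexityEnabled) {
        $findings.Add('Password complexity is not enforced by the default domain policy')
    }
    if ($policy.MinPasswordLength -lt $MinPasswordLength) {
        $findings.Add("MinPasswordLength is $($policy.MinPasswordLength); expected at least $MinPasswordLength")
    }
    if ($policy.LockoutThreshold -eq 0 -or $policy.LockoutThreshold -gt $MaxLockoutThreshold) {
        $findings.Add("LockoutThreshold is $($policy.LockoutThreshold); expected between 1 and $MaxLockoutThreshold")
    }

    # Autorun abuse: check the machine-wide Explorer policy. A value of 0xFF
    # disables Autorun for every drive type, so an autorun.inf on removable
    # media or a mapped share is never honoured.
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    $item = Get-ItemProperty -Path $key -Name NoDriveTypeAutoRun -ErrorAction SilentlyContinue
    $autorun = if ($null -ne $item) { [int]$item.NoDriveTypeAutoRun } else { $null }
    if ($null -eq $autorun -or ($autorun -band 0xFF) -ne 0xFF) {
        $findings.Add("NoDriveTypeAutoRun is '$autorun'; expected 0xFF to disable Autorun on all drive types")
    }

    # One object per host, easy to collect from many machines and compare.
    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        Compliant    = ($findings.Count -eq 0)
        Findings     = $findings.ToArray()
    }
}

Test-ConfickerDefenses | Format-List
```

The MS08-067 update itself is not checked here because the report names the bulletin but not a KB identifier; add a Get-HotFix check with the correct identifier for your platform if you extend this.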

Blocked Conficker infection attempts on enterprise computers, as detected by Microsoft Forefront Endpoint Protection

Operating System   Credential-based attack   Exploit   Autorun abuse attempt
Windows 2003       91%                       9%        —
Windows XP         88%                       12%       —
Windows Vista      100%                      —         —
Windows 7          100%                      —         —

Blocked Conficker infection attempts on consumer computers, as detected by Microsoft Security Essentials

Operating System   Credential-based attack   Exploit   Autorun abuse attempt
Windows 2003       77%                       22%       1%
Windows XP         46%                       51%       3%
Windows Vista      77%                       —         23%
Windows 7          85%                       —         15%
