4 Dec

Conficker spreads to 500,000 host botnet – users still unpatched

As a follow-up to my post on the Conficker worm in the wild, Trend Micro reported on Sunday that they have now seen over 500,000 infected hosts with this malware (which Trend Micro calls WORM_DOWNAD.A and which is also known as Net-Worm.Win32.Kido.l). That’s a pretty incredible growth trajectory for a worm built on a Windows RPC exploit that only became widely known on October 23rd, the day Microsoft shipped its out-of-band patch. At this rate we could be seeing the birth of a rival to established botnets like Storm.

In ComputerWorld this morning, Wolfgang Kandek from Qualys pointed out how slow users were to apply Microsoft’s MS08-067 patch in October, ignoring the critical nature of the update and only reacting weeks later when Symantec and Trend Micro published news of Conficker spreading in the wild. According to the Qualys analysis, 70% of Windows machines they scanned remained unpatched six weeks later.

MS08-067 gave malware authors a previously unknown way to inject code into remote Windows systems via the RPC interface of the Server service: a stack overflow in the path-canonicalization code of netapi32.dll, reachable over SMB (TCP 445, or 139 over NetBIOS) with no authentication. Conficker, Gimmiv.A and similar malware are a particular threat on corporate networks because the RPC flaw is exploitable across the local network. The Server service can be exposed to attack even when a desktop firewall is running, simply by turning on file or printer sharing, because that opens the firewall exception for SMB. As a result, a single infected employee or guest machine joining a network can expose the entire company to this exploit.

Avoid Dangerous Conficker Malware with Regular Network Health Checks

Unfortunately Conficker and malware like it are just the latest reminder of why it is critical to check the health of computers (including Windows patches and antivirus) with a technology like Microsoft NAP when they connect to the network.
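The health check the paragraph above is asking for, as an added example that is not part of the original post and not Microsoft NAP itself: a PowerShell function that looks at the same exposure conditions the post describes on a single Windows host, namely whether the MS08-067 hotfix (Microsoft's KB958644) is listed, whether the Server service is running and SMB is listening on TCP 445, whether the File and Printer Sharing inbound firewall rules are enabled, and which antivirus products Security Center reports. It assumes Windows 8 / Server 2012 or later for the Get-NetTCPConnection and Get-NetFirewallRule cmdlets; the function name is my own.

```powershell
# Added example, not from the original post. Host-side check for the exposure
# conditions behind MS08-067 / Conficker. Assumes Windows 8 / Server 2012 or
# later (NetTCPIP and NetSecurity modules). KB958644 is Microsoft's KB number
# for the MS08-067 hotfix.
$Ms08067Kb = 'KB958644'

function Get-Ms08067Exposure {
    # 1. Is the MS08-067 hotfix listed? Only meaningful on the OS versions the
    #    bulletin covered (XP / 2003 / Vista / 2008); later builds ship the fix
    #    in the base image, so "not listed" there does not mean vulnerable.
    $hotfix = Get-HotFix -Id $Ms08067Kb -ErrorAction SilentlyContinue

    # 2. Is the Server service (LanmanServer, which hosts the vulnerable
    #    RPC interface over SMB) running?
    $server = Get-Service -Name LanmanServer -ErrorAction SilentlyContinue
    $serverStatus = if ($server) { [string]$server.Status } else { 'NotFound' }

    # 3. Is anything actually listening on TCP 445?
    $listening = Get-NetTCPConnection -LocalPort 445 -State Listen -ErrorAction SilentlyContinue

    # 4. Are the File and Printer Sharing inbound rules enabled? Turning on
    #    sharing enables these, which is what lets SMB past the host firewall.
    $fpsRules = Get-NetFirewallRule -DisplayGroup 'File and Printer Sharing' `
        -Direction Inbound -Enabled True -ErrorAction SilentlyContinue

    # 5. Which antivirus products does Security Center know about?
    #    (root/SecurityCenter2 exists on client SKUs, not on servers.)
    $av = Get-CimInstance -Namespace 'root/SecurityCenter2' -ClassName AntiVirusProduct `
        -ErrorAction SilentlyContinue

    [pscustomobject]@{
        ComputerName        = $env:COMPUTERNAME
        Ms08067HotfixFound  = [bool]$hotfix
        ServerServiceStatus = $serverStatus
        Smb445Listening     = [bool]$listening
        SharingRulesEnabled = @($fpsRules).Count
        AntivirusProducts   = (@($av | ForEach-Object DisplayName) -join '; ')
    }
}

$result = Get-Ms08067Exposure
$result | Format-List

# The combination the post warns about: SMB reachable through the host firewall
# on a machine that does not show the patch.
if ($result.Smb445Listening -and $result.SharingRulesEnabled -gt 0 -and -not $result.Ms08067HotfixFound) {
    Write-Warning "SMB is exposed through the host firewall and $Ms08067Kb is not listed; verify the patch level before admitting this host to the network."
}
```

Run it in an elevated PowerShell on the host being admitted; the object it returns is what a NAP-style health check would consume, and a warning means the host should stay in a remediation network until it is patched. From the network side, the equivalent unauthenticated check is nmap's smb-vuln-ms08-067 script against port 445 (`nmap -p445 --script smb-vuln-ms08-067 <host>`), which is the kind of scan Qualys used to produce the 70% figure above.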
