They say the old ones are the best ones. Now malware from nearly ten years ago appears to be having the last laugh, as the Conficker worm returns to aid in infecting machines with WannaCry.
Conficker was first detected in 2008 when it hit millions of computers in over 190 countries. According to Rodney Joffe, senior cybersecurity technologist at Neustar and US government Cybersecurity Intelligence Panel member, who led the original Conficker Working Group, machines that have old Conficker on them were “targeted after the launch of WannaCry by intelligent criminals who realised that the Conficker machines were unpatched, had been originally compromised by the SMB vulnerability, and they started sinkholing Conficker domains to generate a list of vulnerable targets, and they went after them.”
In an exclusive interview, Joffe said that Conficker was derided and ignored by many organisations six or seven years ago because, aside from the first couple of events, people said it did not do anything anymore, so why go to the bother of rebuilding a machine just for it?
“This is the wrong attitude, and has supported the ongoing existence of a ticking cyber time-bomb,” he said. The Conficker Working Group has continued to monitor Conficker-infected systems via the DGA (Domain Generation Algorithm) process of infected machines, which lets the group observe infected hosts when they look up the algorithmically generated domains. He said that there have continued to be around 600,000 infections per year for at least the past five years.
“Yes, even today! In addition, we continue to receive reports and see telemetry confirming that new systems continue to be infected as old ones are taken offline, or just replaced because of age. But the number stays pretty constant.”
Joffe said that WannaCry makes use of the SMB vulnerability on port 445, and the criminals responsible for WannaCry (also known as WannaCrypt) no doubt understand this.
“So as expected, either inadvertently or by design and reconnoiter activities, a measurable number of machines that are infected by Conficker have now also been hit with WannaCry. Most of these machines would have likely been protected if the operators had taken the necessary steps to remove Conficker and implement the recommendations for Conficker,” he said.
Joffe added that it is highly unlikely that any machines that were properly disinfected from Conficker would have been affected by WannaCry or any of the other two or three variants utilising the SMB vulnerability, since the Conficker remediation would have included patching them.
“We see NO evidence that Conficker has been activated and used as a delivery method. But it is certainly a major enabler of WannaCry,” said Joffe.
Joffe said that the moral of the story was “don’t ever again leave malware on a system because it seems to have run its course”.
“Make sure you now go and remove Conficker from systems that are still infected. This will happen again. Remember that from the day your system got or gets infected, it will stop doing updates or patching. The bad guys can see that readily,” added Joffe.
This article originally appeared at scmagazineuk.com