Researchers from the Finnish security vendor F-Secure, estimate that at least one million computers have been infected by the Conficker worm in a single day. Their worldwide infections count now reads 3,521,230, while other security professionals blame the companies and home users for failing to install the critical patch released by Microsoft.
Back in November 2008, Microsoft rushed to release an out-of-cycle patch (MS08-067) for a critical vulnerability discovered in the Server service. The vulnerability is remotely exploitable, allows code execution, and affects Windows 2000, XP, Server 2003,Vista and Server 2008.
Soon after, the first worm variants exploiting this vulnerability started spreading across the Internet, with Conficker, also known as Downadup, being one of them. The Conficker authors integrated MS08-067 exploit code made available in Metasploit, an open source tool used for penetration testing.
“By using the exploit from the metasploit module as the code base, a virus/worm programmer only needs to implement functions for automatic downloading and spreading,” Xiao Chen, malware analyst for anti-virus vendor McAfee, explained. “We believe that this can be accomplished by an average programmer who understands the basics of exploitation and has decent programming skills,” he added.
An important percentage of the systems infected by Conficker comprises corporate computers, since the worm is very effective when it comes to spreading on local area networks. The latest variants introduced new propagation techniques to the already successful worm, providing it with capabilities to infect USB devices and network shares. “A single infected employee or guest joining a network can expose an entire company,” Todd Hooper, CEO of network security vendor Napera Networks, warned. “Isolate infected machines from the network now,” he stressed.
Cristian Craioveanu and Ziv Mador from the Microsoft Malware Protection Center, pointed out in an article published on the company's Threat Research & Response Blog, that Conficker removal capabilities were added to the January release of the free Malicious Software Removal Tool (MSRT). Both home and corporate users are urged to first install the MS08-067 patch, and then use the January MSRT version in order to clean the infected computers.
The two researchers also noted that a significant number of customers contacted Microsoft to ask for assistance regarding Conficker infections. “The countries/regions from which we received the highest number of reports are US, Mexico, France, UK, Spain, Canada, Italy, Brazil, Korea, Germany, Malaysia, and the Czech Republic,” they revealed. Meanwhile, F-Secure has released its own country-based statistics of Conficker infections.