Here, we look at four of the worst malware threats still hanging around businesses like a bad smell.
Conficker caused a global outbreak when first discovered in 2008. Exploiting unpatched flaws in Windows, the worm leveraged a variety of attack vectors – from injecting malicious code to phishing emails – to ultimately crack passwords and hijack Windows devices into a botnet.
Conficker infected up to 15 million Microsoft server systems running everything from Windows 2000 to Windows 7 Beta. The UK’s Ministry of Defense, the French Navy, the German armed forces, the Norwegian police and even Royal Navy warships were thought to be affected by this malware. Yet Conficker continues to impact organizations. In June, researchers at TrapX Labs found that clinical IoT medical equipment, running Windows XP and unpatched Windows 7 and 8, was being targeted by a resurgence of old malware such as networm32.kido.ib and Conficker. Plenty of other researchers report the same.
Dave Palmer, director of technology at machine learning company Darktrace, says Conficker’s success owes largely to poor patch management. “What is surprising about the staying power of this infection is that patches have always been released by Microsoft very quickly, so it seems that there are a lot of unpatched Windows XP/Server 2008 machines that linger on in real businesses.”
Adding that Conficker most often spreads from spam emails (followed by USB sticks), Palmer believes Conficker’s continued success indicates poor network visibility. “Detecting Conficker so much highlights the enormous gaps in security visibility that many organizations have. This is not a subtle piece of malware, it can cause vast numbers of failed login attempts every day, it will cause large volumes of DNS requests to a sinkhole maintained by the FBI, almost any AV product should catch it, and it will constantly be attempting to move laterally within the business.”
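The indicators Palmer lists (bursts of failed logins, DNS queries to a sinkhole, constant lateral-movement attempts) are the kind of thing a security team can hunt for in its own telemetry without any malware signature. The script below is an added example written for this article, not code from Darktrace or from the original text. It assumes a simplified, hypothetical one-line-per-event log format, uses a constructed placeholder sinkhole domain (`sinkhole.example`) rather than any real sinkhole, and picks an arbitrary failed-logon threshold; a real deployment would adapt the parser to its SIEM's format and tune the thresholds to its own baseline.

```python
import re
from collections import Counter, defaultdict

# Constructed sample telemetry (not real logs). Hypothetical format:
#   <timestamp> <source host> <event type> key=value ...
SAMPLE_LOGS = """\
2017-08-01T09:00:01 WS-0041 LOGON_FAILED user=admin target=FS-01
2017-08-01T09:00:02 WS-0041 LOGON_FAILED user=administrator target=FS-01
2017-08-01T09:00:03 WS-0041 LOGON_FAILED user=backup target=FS-01
2017-08-01T09:00:04 WS-0041 LOGON_FAILED user=test target=FS-02
2017-08-01T09:00:05 WS-0041 DNS_QUERY qname=abcd1234.sinkhole.example
2017-08-01T09:00:06 WS-0041 DNS_QUERY qname=efgh5678.sinkhole.example
2017-08-01T09:00:07 WS-0041 LOGON_FAILED user=admin target=FS-03
2017-08-01T09:01:00 WS-0102 LOGON_FAILED user=jsmith target=FS-01
2017-08-01T09:01:30 WS-0102 DNS_QUERY qname=www.example.com
2017-08-01T09:02:00 WS-0077 DNS_QUERY qname=zzzz9999.sinkhole.example
"""

# Placeholder sinkhole suffix (assumed); replace with the suffixes your
# threat-intel feed or DNS team actually publishes for sinkholed domains.
SINKHOLE_SUFFIXES = ("sinkhole.example",)

# Arbitrary threshold: this many failed logons from one host in the window
# is treated as password-guessing / lateral-movement behaviour.
FAILED_LOGON_THRESHOLD = 5

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<event>\S+)(?P<detail>.*)$")


def parse_line(line):
    """Parse one hypothetical log line into a dict, or None if malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = {"ts": m.group("ts"), "host": m.group("host"), "event": m.group("event")}
    for kv in m.group("detail").split():
        if "=" in kv:
            key, value = kv.split("=", 1)
            rec[key] = value
    return rec


def is_sinkhole(qname):
    """True if the queried name is, or sits under, a known sinkhole suffix."""
    qname = qname.lower().rstrip(".")
    return any(qname == s or qname.endswith("." + s) for s in SINKHOLE_SUFFIXES)


def analyze(log_text):
    """Return {host: counters} for hosts showing the behaviours described above."""
    failed = Counter()            # failed logons per source host
    targets = defaultdict(set)    # distinct hosts each source tried to log on to
    sinkhole = Counter()          # DNS queries to sinkhole names per source host

    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        if rec["event"] == "LOGON_FAILED":
            failed[rec["host"]] += 1
            targets[rec["host"]].add(rec.get("target", "?"))
        elif rec["event"] == "DNS_QUERY" and is_sinkhole(rec.get("qname", "")):
            sinkhole[rec["host"]] += 1

    findings = {}
    for host in set(failed) | set(sinkhole):
        guessing = failed[host] >= FAILED_LOGON_THRESHOLD
        beaconing = sinkhole[host] > 0
        if guessing or beaconing:
            findings[host] = {
                "failed_logons": failed[host],
                "logon_targets": len(targets[host]),
                "sinkhole_queries": sinkhole[host],
                # Both behaviours together are a much stronger signal than either alone.
                "high_confidence": guessing and beaconing,
            }
    return findings


if __name__ == "__main__":
    for host, info in sorted(analyze(SAMPLE_LOGS).items()):
        print(host, info)
```

On the constructed sample, WS-0041 is flagged with high confidence (five failed logons across three targets plus two sinkhole queries), WS-0077 is flagged on the DNS evidence alone, and WS-0102, with a single failed logon and an ordinary DNS lookup, is not reported at all. The point is the one Palmer makes: an infection this noisy shows up in ordinary authentication and DNS logs, so if nobody sees it, the gap is in visibility rather than in the malware's stealth.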
Rodney Joffe, senior VP and fellow at analytics firm Neustar, agrees. “Conficker was derided and ignored by many organizations six or seven years ago, because aside from the first couple of events, ‘It doesn’t do anything anymore, so why go through the bother of rebuilding a machine just for it?’ This is the wrong attitude.”
Indeed, he adds that the Conficker Working Group and others have seen Conficker infections continue at “around the 600,000 level globally for at least the last five years,” although IBM X-Force research provided to CSO suggests the total event activity for Conficker from January until mid-August was just 1 percent of that of WannaCry, which didn’t surface until May.
Before WannaCry, ransomware was not so prolific, but there was one notable exception: CryptoLocker. Released in September 2013, CryptoLocker spread through email attachments and encrypted the user’s files so that they couldn’t access them. The criminal group would then send a decryption key in return for money. System Restore did work on occasion, but many people still lost files that weren’t backed up.