Conficker worm still haunts SEA nations: F-Secure

By Edwin Yapp October 13, 2014

SEA nations still facing 6yr-old threat in Conficker due to unpatched machines
Ransomware continues to plague users; Mac and Android malware on the rise

Conficker worm still haunts SEA nations: F-Secure

CYBERCRIMINALS have been developing more advanced malware and phishing schemes in the past few years, but that’s an unnecessary effort if they’re targeting South-East Asia, where many developing nations are still struggling with older attack vectors, according to F-Secure Corp.

In its latest half-yearly Internet Security Threat Report, the Helsinki, Finland-based cybersecurity firm said that 31% of the top 10 detections worldwide for the first half of 2014 came from the Conficker worm.

Also known as the Downadup worm, Conficker exploits the MS08-067 vulnerability in the Windows operating system (OS) to spread over the Internet, as well as through removable media and network shares.

“This worm has infected millions of computers in over 200 countries because six years after it first emerged, unpatched machines still keep Downadup [Conflicker] alive,” the report read.

“As in the previous half-year, it continues to be prominent in Brazil, the United Arab Emirates (UAE) Italy, Malaysia and France this year.”

READ ALSO: IT leaders on the harsh reality of cyber-protection

F-Secure Asia Pacific security advisor Goh Su Gim said the five countries above collectively contributed to about 80% of the spread of Conficker globally.

He said old worms like Conficker still top the chart of the most widely spread infections simply because there is a lot of unpatched Windows machines around.

“Cybercriminals attack in as wide a way as possible,” he explained. “As such, they focus on the weakest point, which is often the OS.

“Since there are a lot of unpatched machines out there, this worm still does the job,” he added.

Asked what nations in the region besides Malaysia face this problem, Goh said this trend is also prevalent in Thailand, the Philippines and Indonesia.

Singapore doesn’t seem to have this problem, but instead faces web-based attacks such as Java plugins and browser-type attacks, he said.

“Singapore experiences what more developed nations such as Hong Kong and Taiwan go through,” he explained.

“Because they are more developed nations, they have more machines which are patched with updated software, hence the lower occurrences of Conficker worm attacks.”

Besides unpatched machines, Goh believes that the rise of broadband in developing nations such as Malaysia, Thailand and Indonesia has also contributed to the Conficker worm spreading.

“There are no hard facts to back this, but my feeling is that developing nations’ exposure to broadband has caused more machines to be connected to the Internet, thereby also exposing them to more unpatched operating systems, which will then contribute to the spreading of the Conficker worm,” he said.

Held to ransom

Of particular interest in the first half of this year is the rise of ransomware, a type of malware that restricts access to the computer system that it infects, and demands a ransom to be paid to the creator(s) of the malware in order for the restriction to be removed.

According to the F-Secure threat report, this trend affects both desktop and mobile platforms.

The report said that although the June takedown of the Zeus botnet has somewhat hamstrung the spread of the Cryptolocker threat, ransomware as a whole continues to develop.

The first half of this year saw existing threats such as Cryptolocker updating their distribution, encryption and payment methods to stay ahead of law enforcement’s counter-efforts.

Ransomware has also made the leap to mobile, with the Koler threat being the first attempt at gaining a foothold on the Android platform.

Though this malware threatened to but doesn’t actually encrypt files, the Slocker ransomware that soon followed does. As is usual with Android threats, both these ransomware pretend to be legitimate apps in order to trick the user into willingly installing them.

F-Secure also highlighted the fact that Microsoft Windows XP had finally reached its end of life mark on April 8 this year.

The company firm noted that despite pressure to upgrade to Windows 8, anywhere from 10% to 30% of computer users worldwide are thought to still be using an OS that remains a ‘favoured target’ for attackers and is now no longer being patched.

“Though some users (particularly government and enterprise customers) have extended XP support, for most users security will become increasingly ‘self-service’ from now on,” the report read.

Mac beware
Conficker worm still haunts SEA nations: F-Secure
Another significant development is the fact that Apple Inc’s Macintosh family of devices is also being targeted, according to Goh (pic).

He said that while Windows machines are prime targets for cybercriminals, there is an increase in activities targeting Mac computers.

“Twenty five new variants of malware affecting Macs were discovered between January and June this year,” he said.

“Thirteen of these belong to five new families. Some of the more common names are Mask, Clientsnow, Laoshu, Cointhief, and Coinstealer,” he added.

As for mobile security threats, Goh said nothing much has changed as F-Secure investigated app store security in the first half of this year.

“Android remains susceptible with most [cybercriminals] using a fake but legitimate-sounding name (eg. com.software.app) for their packages,” he said.

While checking the software name remains a standard security precaution for desktop threats, Goh said the same advice is difficult to apply to Android threats as the package name is rarely displayed to the user, being visible on the device only for running processes under the ‘Settings > Apps > Running > Processes’ menu.

He advises users to remain vigilant about what they download, sticking only to reputable apps, as that is perhaps the only way to safeguard oneself from inadvertently downloading malware.