Thoughts on Conficker
Posted by Tom Cross on January 29, 2009 at 5:13 PM EST.
We continue to get inquiries about Conficker (AKA Downadup), so I thought a blog post might be in order. There are a few key points that are worth reiterating:
1. It's not about MS08-067.
You can't just install that patch and forget about it. You could still get infected.
The Blaster Worm back in 2003 exploited a similar Microsoft RPC vulnerability and it literally exploded onto the Internet, reaching peak propagation in 8 hours and infecting most of its victims within a week. This worm showed up on the scene in late November and wasn't much of a story until January.
Why is the pattern different? It's different because people are much better at managing vulnerabilities like MS08-067 in 2008/09 than they were in 2003. People use automatic Windows Update. People use IPS. Our customers have been protected since October. Many wormable vulnerabilities have come and gone in the past couple of years without major outbreaks. It's not as if worms targeting those vulnerabilities didn't propagate, it's just that they weren't very successful.
Blame for Conficker's success has been laid at the feet of a certain percentage of enterprises who have extremely long security patch testing and deployment cycles. We don't think waiting three months to deploy a security patch is a very good practice, and if you must do that we certainly think you should supplement your lack of patching with Intrusion Prevention. But we also don't think that is the primary culprit in this case.
Conficker is a very sophisticated worm with the ability to download updates. By January, when this worm really started to make headlines, it had morphed into a blended threat with three propagation methods:
1. MS08-067
2. Copying Autorun files to every mapped drive and removable media
3. Cracking SMB passwords
It's those alternate propagation methods that have really helped this thing along. Therefore, patching yourself against the first propagation method is not enough to protect your network.
2. Look at your computer security comprehensively.
Passwords: It is amazing to me that almost 20 years to the day after the Morris Internet worm we have another successful worm that propagates by cracking bad network passwords! Hasn't everyone learned to enforce strong password policies by now? Apparently not, and so this bears repeating. Make sure strong passwords are required on your domain. Watch for password cracking attempts on your IPS consoles. Use Enterprise Scanner to check for weak passwords. I'm also a fan of using underground password cracking tools proactively, and emailing users whose passwords have been discovered this way. Better I learn their password than someone who is trying to break into my network!
Autorun: Disable it. Worms love it; you don't need it, and this will not be the last time it is implicated in a major security issue. People can click on a CD drive icon and run programs manually. That is not too much to ask.
File Sharing: How are you managing file sharing in general in your business? It's not a good idea to have grass roots drive mapping going on between users, and it's not a good idea to have a lot of USB tokens in circulation. Turn off file sharing on desktops. Provide managed file servers to your users, with good anti-virus, and teach your users to take advantage of them. If they need to receive files from an external source, tell them to use email, where the files will hit your network gateway AV scanners. If you are too aggressive about limiting email attachment size and too stingy about file server storage space, you force your users to come up with creative means of exchanging large files that you can't control, inspect and protect. As a security professional, it's your job to give people a safe way to do what they need to do. Your network stability will be all the better for it.
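A small detector for the "watch for password cracking attempts" advice, added here as an example and not code from the original post: it reads a constructed feed of failed network logons (a hypothetical collector's flattened form of Windows event 529/4625, logon type 3) and flags any source that racks up many failures across many distinct accounts in a short window, which is the shape of a worm walking a wordlist against SMB shares rather than a user mistyping a password.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of failed network logons (event 529/4625, logon type 3),
# flattened by a hypothetical collector as 'timestamp,source_ip,target_account'.
# 10.0.5.17 walks a wordlist across many accounts; 10.0.9.42 is one user's typo.
SAMPLE_LOG = """\
2009-01-29 09:00:01,10.0.5.17,administrator
2009-01-29 09:00:02,10.0.5.17,backup
2009-01-29 09:00:02,10.0.5.17,jsmith
2009-01-29 09:00:03,10.0.5.17,admin
2009-01-29 09:00:03,10.0.5.17,Administrator
2009-01-29 09:00:04,10.0.5.17,guest
2009-01-29 09:00:05,10.0.5.17,sql
2009-01-29 09:00:06,10.0.5.17,test
2009-01-29 09:05:00,10.0.9.42,mjones
2009-01-29 09:05:30,10.0.9.42,mjones
"""

def parse_events(text):
    """Parse the flattened log into sorted (timestamp, source, account) tuples."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ts, src, acct = line.split(",", 2)
            events.append((datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), src, acct.lower()))
    return sorted(events)

def find_password_guessers(text, window=timedelta(minutes=2),
                           min_failures=8, min_accounts=4):
    """Return {source: (failures, distinct_accounts)} for every source whose
    failed logons in some sliding window exceed both thresholds. A wordlist
    run against many accounts trips both; a mistyped password trips neither."""
    by_source = defaultdict(list)
    for ts, src, acct in parse_events(text):
        by_source[src].append((ts, acct))
    flagged = {}
    for src, attempts in by_source.items():
        start = 0
        for end in range(len(attempts)):
            # Advance the window start until the span covers at most `window`.
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            span = attempts[start:end + 1]
            accounts = {acct for _, acct in span}
            if len(span) >= min_failures and len(accounts) >= min_accounts:
                flagged[src] = (len(span), len(accounts))
                break
    return flagged
```

Tune `window`, `min_failures` and `min_accounts` to your own domain's baseline of ordinary failed logons before acting on the output.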
Everything else: Conficker is not the first or the last blended threat that we're going to see on our networks. A comprehensive approach to computer security is the only way to keep your business free of sophisticated threats like this. If there is a hole in your defenses, these worms will find a way through it.
3. This may end badly.
F-Secure is reporting that as many as 10 million nodes might be infected. Many of the nodes are in BRIC, but there are also several western countries with widespread infestations as well as some other major Asian economies that are affected. Right now the only thing Conficker does is propagate, but this worm can update itself, and there is no telling what kind of malicious functions might be pushed down in the future. If you have infected nodes on your network, clean them up. All it takes is one infected machine to create problems for you if and when this thing morphs again.