
Microsoft Conficker worm offers attack prevention lesson

By Eric Ogren
24 Feb 2009 | SearchSecurity.com



Conficker is a particularly scary worm/bot because the millions of infected machines have yet to download the payload. This has caused imaginations to run wild contemplating the potential damage it could cause. Although some security researchers say a payload may never be issued, the worm is still generating a lot of buzz in the security world and it may have kicked some security professionals into gear to more actively address network threat prevention.

Conficker reminds enterprise security teams to ensure that the business has layers of varied technologies in place, not layers of the same technologies by different vendors. Conficker spreads through shared file devices like a worm, reaches through the Internet to download malcode fragments like a bot, fluxes DNS like spam attacks, and left unchecked, will probably send secrets to a remote site like data theft spyware. There is little about Conficker that security professionals have not already seen before, and will undoubtedly see again. It is, however, a good reminder for IT to take active steps to prevent damage to their networks such as:
  • Patch, patch, patch. Microsoft published the patch, MS08-067, on Oct. 23. That gave IT four full months to feel comfortable that the patch plugged the vulnerability that Conficker.A and Conficker.B exploit. Check all Windows machines to be sure this patch has been applied, and be aggressive in applying desktop patches.
  • Update black list signatures to block known attacks. Be sure antimalware products are enabled and up to date on endpoints, servers, and gateways. These products are also the best chance at effectively removing Conficker.
  • Deploy white list functionality to catch new attacks. New attacks modify installed executables to run the malicious code. White listing identifies changes to installed files, allowing IT to block execution of the attack.
  • Monitor the network for command and control traffic. Bots need to use the Internet to propagate, conduct a command and control conversation, and deliver their payload so the attacker can profit. Network devices can spot traffic to or from unsafe domains.
  • Be prepared to efficiently refresh endpoints. Even with heroic IT efforts, there will be successful attacks that cannot be cleaned from endpoints. Plan ahead to cut the costs of refreshing endpoints, including frequent automated backup of user data to minimize the risk of lost work.
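As an added illustration of the "monitor the network for command and control traffic" step (example code written for this column, not from the article or any vendor product): it runs over constructed DNS resolver log lines and flags a host either for querying a domain on a placeholder blocklist or for producing many distinct NXDOMAIN answers, the residue a domain-fluxing bot leaves while hunting for its rendezvous point. The log format, the blocklist contents and the threshold are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample resolver log (not real Conficker traffic).
# Assumed format: "<timestamp> <client-ip> <queried-domain> <rcode>"
SAMPLE_LOG = """\
2009-02-24T10:00:01 10.0.0.5 www.example.com NOERROR
2009-02-24T10:00:02 10.0.0.5 mail.example.com NOERROR
2009-02-24T10:00:03 10.0.0.9 aqzxbt.biz NXDOMAIN
2009-02-24T10:00:03 10.0.0.9 plkwd.info NXDOMAIN
2009-02-24T10:00:04 10.0.0.9 zzqwe.org NXDOMAIN
2009-02-24T10:00:04 10.0.0.9 bad-c2.example.net NOERROR
2009-02-24T10:00:05 10.0.0.9 rtyui.cc NXDOMAIN
2009-02-24T10:00:06 10.0.0.7 www.example.com NOERROR
"""

# Placeholder blocklist; in practice this is fed from the coalition/vendor
# domain lists the column mentions, not hand-typed.
BLOCKLIST = {"bad-c2.example.net"}

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")


def parse(log_text):
    """Yield (timestamp, client, normalized domain, rcode) per well-formed line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, client, domain, rcode = m.groups()
            yield ts, client, domain.lower().rstrip("."), rcode


def analyze(log_text, blocklist, nx_threshold=3):
    """Return {client_ip: [reasons]} for hosts whose DNS behaviour looks like phoning home."""
    nx_domains = defaultdict(set)   # client -> distinct names that did not resolve
    hits = defaultdict(set)         # client -> blocklisted names it asked for
    for _ts, client, domain, rcode in parse(log_text):
        if domain in blocklist:
            hits[client].add(domain)
        if rcode == "NXDOMAIN":
            nx_domains[client].add(domain)
    findings = {}
    for client in set(nx_domains) | set(hits):
        reasons = []
        if hits[client]:
            reasons.append("blocklisted domain: " + ", ".join(sorted(hits[client])))
        if len(nx_domains[client]) >= nx_threshold:
            reasons.append(f"{len(nx_domains[client])} distinct NXDOMAIN lookups")
        if reasons:
            findings[client] = reasons
    return findings
```

A real deployment would feed resolver logs continuously and tune `nx_threshold` per environment, since misconfigured but benign hosts also generate NXDOMAIN bursts.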

A multi-vendor coalition, led by Microsoft, ICANN, and Symantec, has been formed to block the domains used by the Conficker/Downadup worm to phone home and receive its orders. The coalition is an excellent idea, as it is very clear that a single security technology cannot be expected to stop modern attacks. It is too soon to tell if the coalition will have an impact on Conficker, as ideas from coalitions can take time to find their way into products. My guess is that the $250,000 reward that Microsoft has offered will have a more immediate impact. In the meantime, the best thing security researchers can do is to issue a "condition red" warning so enterprises have a chance to help themselves. IT should use this warning to review its technology and procedures to prevent security incidents from disrupting the business.


Eric Ogren is founder and principal analyst of the Ogren Group, which provides industry analyst services for vendors focusing on virtualization and security. Prior to founding the Ogren Group, Eric served as a security industry analyst for the Yankee Group and ESG. Ogren has also served as vice president of marketing at security startups Okena, Sequation and Tizor. He can be reached by sending an email to eric@ogrengroup.com.
