COLUMN

Conficker leaves security industry looking clueless

By Eric Ogren
04 Apr 2009 | SearchSecurity.com



The Conficker-fed doomsday scenarios fed to us by security vendors and the trade press have come and gone without the big disaster. The IT world on April 4 looks a lot like the IT world on March 31. It is almost disappointing, just like a forecast winter storm that misses the mark – nobody wants to see property damaged, but a good storm is captivating and fun to watch. Conficker, also known as Downadup and Kido, was primed to start seeking its payload using a wider range of domains on April 1. The over-hyped storm has thus far turned into a dud, leaving the security industry looking clueless once again.

The focus leading up to April 1 has been on the details of Conficker, a fascinatingly creative attack. There is much to admire about the attack: the clever ways it uses the Web for command and control, the addition of peer-to-peer protocols and USB devices to propagate, and the overnight establishment of a botnet comprising over 3 million computers that are poised to execute whatever malicious code the attackers choose to disseminate. This was created by a small team without the benefit of QA cycles, customer beta tests, or high-level architecture reviews. Conficker is impressive in how fast it has reached mass-deployment and utterly baffled the security industry.

The day after Conficker's start date, Kaspersky posted "Worm.Win32.Kido Danger: moderate risk". That statement has become "business as normal" status, since we will never see low or no risk levels again. The security business is one that worries about the downside risks of IT, and every once in a while it suffers through the indignities of events like Y2K and Conficker, where the reality does not justify the hype. The true Conficker story may well turn into an introspection of the security industry and the opportunities to do better. It will start with hard questions for security vendors and service providers.

  • How can we not know what happened? The first three days of Conficker.c have come and gone without disaster, and the security industry does not know why. Perhaps the $250,000 reward sponsored by Microsoft scared off the attackers before they could activate the malware downloaders. Perhaps the coalition of vendors cut off command and control communications with intelligent DNS actions. Perhaps enough consumers upgraded their endpoint security software. Perhaps the attack is not really gone and the attackers just had a professional schedule slip in the development of their malicious code. Or perhaps we just got lucky. The point is that an industry north of $30 billion doesn't know. Nor can it predict disaster or issue an "all clear."

  • How can a vulnerability that was patched 6 months ago be leveraged by the most widespread malware in history? Microsoft issued patch MS08-067 in October 2008, and yet 6 months later, Conficker is thriving. The responsibility for a solution needs to be shared between Microsoft, service providers and security vendors. With all of the hype and time to prepare, we cannot easily identify computers that are infected. The present scenario is appallingly inept.

  • Why does the security vendor response seem so amateurish? Security vendors always seem to have trouble speaking in terms that consumers can understand. Kaspersky suggests opening www.kaspersky.com in your browser and that you'll know you're probably infected if the page does not open (i.e., the consumer figures out if they're infected). Symantec says, "The best way to know if you are infected is to run a good antivirus product." (Think about that – if Symantec's antivirus product was good, why would the computer be infected?). Sophos says, "If you are running Sophos antivirus, you do not need to disable HIPs while you're using the Sophos Conficker Cleanup Tool. Whilst this tool should not conflict with other antivirus products, the nature of the tool means it may be blocked by behavior-based (HIPS) functionality within non-Sophos antivirus solutions." (Again, if I'm running Sophos antivirus why would I need a cleanup tool?) It seems that every endpoint security vendor solves the Conficker problem to sell their product, but really the problem is not solved.
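One defender-side check that follows from the domain-seeking behaviour described above, and from the DNS-based containment mentioned in the first question, is a heuristic over resolver logs that flags hosts querying many distinct names that do not resolve. This is an added example, not code from the article or from any vendor it names; the log format, thresholds and hosts are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed resolver log (not from the article): "timestamp client qname rcode".
# 10.0.0.5 is a normal host, 10.0.0.7 has a couple of typos, 10.0.0.9 cycles
# through random-looking names that mostly do not exist.
SAMPLE_LOG = """\
2009-04-01T00:00:01 10.0.0.5 www.example.com NOERROR
2009-04-01T00:00:02 10.0.0.5 mail.example.com NOERROR
2009-04-01T00:00:02 10.0.0.5 update.example.net NOERROR
2009-04-01T00:00:03 10.0.0.7 www.exmaple.com NXDOMAIN
2009-04-01T00:00:04 10.0.0.7 www.example.com NOERROR
2009-04-01T00:00:04 10.0.0.7 wwww.example.com NXDOMAIN
2009-04-01T00:00:05 10.0.0.9 uyqxj.org NXDOMAIN
2009-04-01T00:00:05 10.0.0.9 plmvt.net NXDOMAIN
2009-04-01T00:00:06 10.0.0.9 rkwpa.com NXDOMAIN
2009-04-01T00:00:06 10.0.0.9 zzqfb.biz NXDOMAIN
2009-04-01T00:00:07 10.0.0.9 hhjlo.info NXDOMAIN
2009-04-01T00:00:07 10.0.0.9 dfrel.ws NOERROR
this line is malformed and must be skipped
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (NOERROR|NXDOMAIN|SERVFAIL)$")

def parse_log(text):
    """Yield (client, domain, rcode) for each well-formed line; skip the rest."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.group(2), m.group(3).lower().rstrip("."), m.group(4)

def summarize(records):
    """Per-client query count, set of distinct names, and NXDOMAIN count."""
    stats = defaultdict(lambda: {"queries": 0, "domains": set(), "nxdomain": 0})
    for client, domain, rcode in records:
        s = stats[client]
        s["queries"] += 1
        s["domains"].add(domain)
        if rcode == "NXDOMAIN":
            s["nxdomain"] += 1
    return stats

def flag_suspects(stats, min_domains=5, min_nx_ratio=0.6):
    """Clients that query many distinct names AND mostly get NXDOMAIN back.
    Thresholds are illustrative; tune them against your own baseline."""
    suspects = []
    for client, s in stats.items():
        ratio = s["nxdomain"] / s["queries"]
        if len(s["domains"]) >= min_domains and ratio >= min_nx_ratio:
            suspects.append((client, len(s["domains"]), round(ratio, 2)))
    return sorted(suspects)

def suspects_from_text(text, **thresholds):
    return flag_suspects(summarize(parse_log(text)), **thresholds)

if __name__ == "__main__":
    for client, n, ratio in suspects_from_text(SAMPLE_LOG):
        print(f"{client}: {n} distinct names, NXDOMAIN ratio {ratio}")
```

A flagged host is a lead for investigation, not proof of infection; normal software with many dead links can produce similar noise, which is why both conditions must hold.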

Conficker is still with us. There is no credible researcher that I've talked with who can say the danger has passed and that the botnet will not find a way to download powerful attack code. I better understand Microsoft's foray into security – the attacks leverage Windows vulnerabilities and Microsoft has a responsibility for safe computing. Consumers and enterprises are buying endpoint security suites because they do not have any viable alternatives. While I believe in endpoint security and independent security vendors, I also believe that the present security model is severely broken. The above unanswered questions are embarrassingly basic. There has to be a better way.


Eric Ogren is founder and principal analyst of the Ogren Group, which provides industry analyst services for vendors focusing on virtualization and security. Prior to founding the Ogren Group, Eric served as a security industry analyst for the Yankee Group and ESG. Ogren has also served as vice president of marketing at security startups Okena, Sequation and Tizor. He can be reached by sending an email to eric@ogrengroup.com.

All Rights Reserved, Copyright 2003 - 2009, TechTarget | Read our Privacy Policy