The Worm Returns: Protecting Yourself From Conficker
Even though the Storm worm managed to catch a lot of headlines over the last few years, worms as a whole made up only a tiny minority of the Web's worst malware in 2008. Trojans led the pack. Now, however, the Conficker worm has managed to wriggle its way into millions of systems, and companies must take steps to protect themselves from it, writes Top Layer Security's Mike Paquette.
In 2008, researchers were touting the defeat of the Storm worm -- the most notorious example of the malware category that self-propagates through remote exploits, email, network shares, removable drives, file-sharing or instant messaging applications. Some would argue that despite the name, Storm was not a traditional worm at all, since it required a human-computer interaction to spread.
Last year saw only two worms in the 20 most prevalent malware families, with trojans becoming the outright leader of malware categories, making up 46 percent of all malware, versus worms at 14 percent, according to the IBM ISS X-Force 2008 Trend & Risk Report. It seemed that the worm's impact, although still present, was relegated to causing smaller-scale hindrances versus its previously significant role in causing larger organizational disruptions -- a role that for much of 2008 seemed to be taken on by trojans and newer Web site attacks such as SQL injection and clickjacking.
Fast forward to 2009, however, and the worm has made a clear statement that it is back, smarter, more mature, and not going away any time soon. The Waledec worm, virtually identical to the Storm worm and likely formed by the same controllers, has found new ways to avoid detection and recently took over Storm's annual February ritual of sending malicious Valentine's Day e-mail greetings to grow a botnet. Even more significant, the new Conficker worm has spread to unprecedented levels, estimated to have infected anywhere between 2 million and 10 million computers, with no clear discovery yet of how these computers' resources may be used by cybercriminals.
With Microsoft offering a US$250,000 bounty to find the makers of Conficker, and with the German military, British and French Air Forces, and entire hospitals infected, Conficker poses a severe threat to vital organizational functions. The best way to understand how to protect against this advanced worm -- and the inevitable worms that will be developed based off its "success" -- is to understand how Conficker has spread thus far.
Something Old ...
In October 2008, Microsoft announced an out-of-cycle patch for a vulnerability (CVE-2008-4250) in its commonly deployed Server Service software that should have raised eyebrows in IT departments. For one, the vulnerability did not require any user interaction to be exploited, meaning that any unpatched computer running the software would be infected if exposed to an attack. Second, another worm, Gimmiv, had already been exploiting the vulnerability in limited capacity before Microsoft's announcement. Add in the fact that similar vulnerabilities in the past had led to rapidly propagating worm outbreaks (e.g. 2003's Blaster worm and 2006's Sdbot), and it is no surprise that the Server Service vulnerability received the highest rankings on both the Microsoft Exploitability Index and the Common Vulnerability Scoring System (CVSS).
Even with this clear warning, Conficker was able to quietly spread in the months following this announcement because nearly a third of enterprises did not patch their systems with the Microsoft update. This outcome offers two lessons:
- Organizations must put measures in place outside of their normal protocol so that they can quickly update their systems as Microsoft issues highly critical patches.
- Because patching on a macro scale is nearly impossible, organizations must implement other proactive measures to protect themselves before these vulnerabilities are even announced.
These measures include strict firewall policies and the implementation of intrusion prevention systems (IPS) to recognize and block the primary infection vector of this malware before it even enters a company's network and infects its computer systems.
Something New ...
Despite its peak size, Conficker's initial growth was very slow compared to past worms targeting similar vulnerabilities. The Blaster worm, for example, peaked within 8 hours, while Conficker didn't start dominating headlines until this January. While it would be easy to say that the initial slow spread of Conficker is a clear demonstration of the innovative next-generation security technology that has been developed over the past five years and the successful use of best practices at a majority of enterprises, the reality is that Conficker had a few other tricks up its sleeves.
Recognizing that a worm's rapid propagation activity could speed discovery and cause organizations to invoke radical measures to stop it in its tracks, the designers of Conficker used clever and complex algorithms to make sure that its scanning and infection activity did not raise alarms. The worm went as far as detecting the bandwidth available to its victims and adjusting its propagation rate to stay "under the radar" of many intrusion detection and behavioral anomaly systems.
Something Borrowed ...
Like other multi-headed threats from the past, such as Code Red, Conficker did not stop at exploiting systems through their critical software vulnerabilities. The creators of Conficker also built in alternative attack vectors that would allow the worm to grow where other worms might die off. These creative additions include a forceful password breaking capability which seeks out servers nearby infected computers; an ability to spread to any shared networks or hard drives; and the power to copy itself to any device inserted into a USB port, whether it is a flash drive, MP3 player or digital camera.
For organizations to defend against these secondary vector attacks, it is important that they consistently update antivirus (now that most security software has the ability to identify Conficker) so that infected computers can be identified and isolated from access to shared networks or connected USB devices until they are cleaned. Organizations should also evaluate their access management policies to determine who has access to any shared networks where the Conficker worm could be introduced outside of company computers.
Additionally, organizations should strongly consider strengthening their enterprise-wide password policies, ensuring that passwords are complex; use a variety of numbers, letters and symbols; avoid dictionary words in any language; and do not use passowords that repeat themselves across systems or contain variants of another password.
What Will It Do?
For all the talk of the Conficker worm, researchers still have not witnessed any malicious attacks on its behalf, and that raises the question of what its organizers plan to do with the millions of computers they've taken over. There is a wide variety of attack possibilities when the collective power of these computers is tapped, including the delivery of millions of spam emails, denial-of-service attacks against organizations or governments via a botnet, or the theft of corporate data and cyber extortion. Some researchers say that Conficker has a design flaw and cannot execute these attacks; however, new variants of Conficker, such as Conficker B++, have emerged with the capability to download software that makes the worm more capable of controlling its infected machines.
Will Conficker's attacks come about before it is eradicated? If they do, will the same next-generation security technologies that slowed Conficker's initial growth be able to protect your organization if it becomes a direct or collateral target? While it's impossible to predict with certainty, it is likely that any Conficker attack activity will include denial-of-service attacks and additional propagation attempts. By implementing advanced firewalls and IPS, organizations can reduce the likelihood of additional computers being compromised, protect against denial-of-service attacks, maintain network uptime and avoid potentially costly disruptions to their business.
Thus far in 2009, we've seen that the worm has found a new way to survive, like many forms of malware do, by marrying a new twist to an old idea. Hackers will always be creating new ways to exploit companies' systems, and therefore, the best protection is not only to quickly react to patches as with Microsoft's October Server Service vulnerability, but also to be proactive with a defense-in-depth strategy that includes a variety of technologies such as IPS, firewalls and antivirus combined with the proliferation and diligent application of user education. The Conficker worm and the new worms of the future will thrive on those organizations that do not follow these practices.
Mike Paquette is chief strategy officer at Top Layer Security, a provider of intrusion prevention systems.