Asia's Source for Enterprise Network Knowledge

Thursday, October 23rd, 2014

Intrusion detection / analysis / prevention

Microsoft Conficker worm offers attack prevention lesson

Conficker is a particularly scary worm/bot because the millions of infected machines have yet to download the payload, which has caused imaginations to run wild contemplating the potential damage it has caused. Although some security researchers say a payload may never be issued, the worm is still generating a lot of buzz in the security world and it may have kicked some security professionals into gear to more actively address network attackthreat prevention.

The big lesson of Conficker taughtfor enterprise security teams is to ensure that the business has layers of varied technologies in place, not layers of the same technologies by different vendors. Conficker spreads through shared file devices like a worm, reaches through the Internet to download malcode fragments like a bot, fluxes DNS like spam attacks, and left unchecked, will probably send secrets to a remote site like data theft spyware. There is little about Conficker that security professionals have not already seen before, and will undoubtedly see again. It is, however, a good reminder for IT to take active steps to prevent damage to their networks such as:

  • Patch, patch, patch. Microsoft published the patch, MS08-067, on October 23, 2008. That gives IT 4 full months to feel comfortable that the patch plugs the vulnerability that Conficker.A and Conficker.B exploit. Check all Windows machines to be sure this patch has been applied, and be aggressive in applying desktop patches.
  • Update black list signatures to block known attacks. Be sure antimalware products are enabled and up to date on endpoints, servers, and gateways. These products are also the best chance at effectively removing Conficker.
  • Deploy white list functionality to catch new attacks. New attacks modify installed executables to run the malicious code. White listing identifies changes to installed files allowing IT to block execution of the attack.
  • Monitor network for command and control traffic. Bots need to use the Internet to propagate, conduct a command and control conversation, and deliver its payload so the attacker can profit. Network devices can spot traffic to or from unsafe domains.
  • Be prepared to efficiently refresh endpoints. Even with heroic IT efforts, there will be successful attacks that can'not be cleaned from endpoints. Plan ahead to cut the costs of refreshing endpoints, including frequent automated backup of user data to minimize the risk of lost work.

A multi-vendor coalition, led by Microsoft, ICANN , and Symantec, has been formed to block the domains used by the Conficker/Downadup worm to phone home and receive its orders. The coalition is an excellent idea as it is very clear that a single security technology cannot be expected to stop modern attacks. It is too soon to tell if the coalition will have an impact on Conficker, as ideas from coalitions can take time to find their way into products. My guess is that the $250,000 reward that Microsoft has offered will have a more immediate impact. In the meantime, the best thing security researchers can do is to issue a 'condition red' warning so enterprises have a chance to help themselves. IT should use this warning to review its technology and procedures to prevent security incidents from disrupting the business.


Eric Ogren is founder and principal analyst of the Ogren Group, which provides industry analyst services for vendors focusing on virtualization and security. Prior to founding the Ogren Group, Eric served as a security industry analyst for the Yankee Group and ESG. Ogren has also served as vice president of marketing at security startups Okena, Sequation and Tizor. He can be reached by sending an email to eric@ogrengroup.com.