
Microsoft battles worm, rebuts CERT Claim

Microsoft is trying to control the Conficker worm on two fronts: both the bug itself and news about how it's handling it.

Microsoft is still trying to contain the Conficker worm, both the malware itself and news about how it's handling it. Conficker exploits a flaw in the Windows Server service's handling of remote procedure call (RPC) requests that Microsoft patched in October 2008 (MS08-067); the worm surfaced the following month.

On Thursday, Roger Halbheer, chief security adviser for Microsoft's Europe, Middle East and Africa Group, disputed findings in an alert issued by the U.S. Computer Emergency Readiness Team (US-CERT).

US-CERT recommended disabling the Windows AutoRun feature, which launches the program named in a device's autorun.inf when removable media are inserted and which Conficker uses to spread on USB drives; disabling it would limit the spread of Conficker and similar strains. US-CERT added that Microsoft's published guidelines for disabling AutoRun were not fully effective, leaving systems that followed them still exposed.

Halbheer objected to US-CERT's claim in a blog post, pointing to a Knowledge Base article that describes how Windows users can disable AutoRun through a registry value and so prevent infection from removable media such as USB flash drives.
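As an added example (not code from the article, from Microsoft or from US-CERT), the following PowerShell audits the two registry settings at the centre of the dispute: the NoDriveTypeAutoRun policy value that Microsoft's guidance relies on, and the IniFileMapping entry for Autorun.inf that US-CERT's alert recommended so that Windows never parses an autorun.inf file at all. The function and parameter names are the example's own; the key paths and values are the documented ones.

```powershell
# Added example: not code from the article, Microsoft or US-CERT.
# Audits (and with -Apply, sets) the two registry settings behind the dispute:
#   1. NoDriveTypeAutoRun under the Explorer policy key, which Microsoft's
#      guidance uses to switch AutoRun off (0xFF covers every drive type).
#   2. An IniFileMapping entry for Autorun.inf, which US-CERT recommended so
#      that Windows never parses an autorun.inf file at all.
# Function and parameter names are the example's own. Run elevated.

function Test-AutoRunHardening {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([switch]$Apply)

    $policyKey  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    $mappingKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf'
    $allDrives  = 0xFF                 # bitmask: one bit per drive type, all set
    $noFile     = '@SYS:DoesNotExist'  # point autorun.inf lookups at a key that never exists

    # Read the policy value; a missing key or value means "not set" (AutoRun on).
    $current = $null
    if (Test-Path $policyKey) {
        $current = (Get-ItemProperty -Path $policyKey -Name NoDriveTypeAutoRun -ErrorAction SilentlyContinue).NoDriveTypeAutoRun
    }
    $policyOk = ($null -ne $current) -and (($current -band $allDrives) -eq $allDrives)

    # Read the (default) value of the Autorun.inf mapping key.
    $mapping = $null
    if (Test-Path $mappingKey) {
        $mapping = (Get-ItemProperty -Path $mappingKey -Name '(default)' -ErrorAction SilentlyContinue).'(default)'
    }
    $mappingOk = ($mapping -eq $noFile)

    if ($Apply) {
        if (-not $policyOk -and $PSCmdlet.ShouldProcess($policyKey, 'Set NoDriveTypeAutoRun = 0xFF')) {
            if (-not (Test-Path $policyKey)) { New-Item -Path $policyKey -Force | Out-Null }
            Set-ItemProperty -Path $policyKey -Name NoDriveTypeAutoRun -Value $allDrives -Type DWord
            $current = $allDrives; $policyOk = $true
        }
        if (-not $mappingOk -and $PSCmdlet.ShouldProcess($mappingKey, "Map Autorun.inf to $noFile")) {
            if (-not (Test-Path $mappingKey)) { New-Item -Path $mappingKey -Force | Out-Null }
            Set-ItemProperty -Path $mappingKey -Name '(default)' -Value $noFile
            $mapping = $noFile; $mappingOk = $true
        }
    }

    [pscustomobject]@{
        NoDriveTypeAutoRun = if ($null -eq $current) { 'not set' } else { '0x{0:X2}' -f $current }
        PolicyDisablesAll  = $policyOk
        AutorunInfMapping  = if ($null -eq $mapping) { 'not set' } else { $mapping }
        ParsingBlocked     = $mappingOk
        Hardened           = ($policyOk -and $mappingOk)
    }
}

Test-AutoRunHardening            # report only
# Test-AutoRunHardening -Apply   # write both values; log off and on for the policy to apply
```

A host that reports PolicyDisablesAll but not ParsingBlocked is in exactly the state US-CERT objected to: automatic launch is off, but a device's autorun.inf can still be read by Windows (for instance when the drive is opened from Explorer). Mapping the file name to a key that does not exist stops it from being parsed at all, which is why the function only reports Hardened when both settings are present. The policy value also exists under HKCU; a per-user setting there would need the same check.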

Microsoft faces a tall order in getting out the word that a fix exists, while quelling the concerns of users and system administrators. It's a global problem, too.

"Quenching the outbreak is going to be difficult due to the ISPs not wanting to get involved with supervising the traffic of their users," said Phil Lieberman, president of Los Angeles-based Lieberman Software. "Consumers cannot shut down those that are attacking them since they would be legally liable and the government is prohibited from stopping the outbreak because there are no laws that allow it because of offshore control of the botnet."

Lieberman added, "I have to tell you, it's a good day to be a cyber-criminal running a botnet, and an even better day to be an antivirus vendor."

The Conficker worm may be one of the largest botnet infections ever created. It got its name from a circle of German hackers and security researchers. How far the worm has spread is unclear: estimates range from as few as 2.5 million to as many as 10 million infected PCs.

Conficker spreads primarily across networks of unpatched Windows machines, but it can also travel from an infected computer on a USB flash drive. Inside a shared network it moves quickly: once one machine in an organization is infected, the worm can spread further, even to machines that already have the patch, according to Eric Schultze, chief technology officer of Shavlik Technologies.

"The worm on the infected machine connects to other systems, enumerates their user accounts, and attempts to brute-force guess the passwords for these accounts," he said. "If successful, it then logs on to that machine and copies its worm payload to that machine, where that machine then begins looking for other machines to infect."
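The spread Schultze describes leaves a distinctive trail on the target: a burst of failed logons from one source host against many different accounts. As an added example (not code from the article or from Shavlik), the following PowerShell implements that detection over constructed failed-logon records. On a live Vista or Server 2008 host the same fields come from Security event 4625 (IpAddress and TargetUserName), and on XP or Server 2003 from event 529; the function and field names are the example's own.

```powershell
# Added example: not code from the article or from Shavlik. Flags one source
# host trying many different accounts on a target in a short time, the pattern
# Schultze describes. Input records are constructed below; on a real Vista/2008
# host the same fields (IpAddress, TargetUserName) come from Security event 4625:
#   Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625 }
# and on XP/2003 from event 529. Function and field names are the example's own.

function Find-PasswordGuessingSources {
    param(
        [Parameter(Mandatory)] [object[]]$FailedLogons,  # objects with Time, SourceIp, TargetUser
        [int]$MinAccounts   = 5,   # distinct accounts tried from one source ...
        [int]$WindowMinutes = 10   # ... within this many minutes
    )

    foreach ($group in ($FailedLogons | Group-Object -Property SourceIp)) {
        $events = @($group.Group | Sort-Object Time)
        # Slide a window over this source's failures, oldest first, and report
        # the first window in which it tried at least $MinAccounts accounts.
        for ($i = 0; $i -lt $events.Count; $i++) {
            $start = $events[$i].Time
            $end   = $start.AddMinutes($WindowMinutes)
            $inWindow = @($events | Where-Object { $_.Time -ge $start -and $_.Time -lt $end })
            $accounts = @($inWindow | ForEach-Object { $_.TargetUser } | Sort-Object -Unique)
            if ($accounts.Count -ge $MinAccounts) {
                [pscustomobject]@{
                    SourceIp     = $group.Name
                    FirstAttempt = $start
                    Attempts     = $inWindow.Count
                    Accounts     = $accounts.Count
                    SampleUsers  = ($accounts | Select-Object -First 5) -join ','
                }
                break
            }
        }
    }
}

# Constructed sample: 10.0.0.5 works through a list of common account names in
# under three minutes (worm behaviour); 10.0.0.9 fails twice on one account
# (a user mistyping a password) and must not be flagged.
$t0 = Get-Date '2009-01-27 09:00:00'
$sample = @()
$n = 0
foreach ($user in 'Administrator','admin','user','guest','test','backup','sqlservice','helpdesk') {
    $sample += [pscustomobject]@{ Time = $t0.AddSeconds(20 * $n); SourceIp = '10.0.0.5'; TargetUser = $user }
    $n++
}
$sample += [pscustomobject]@{ Time = $t0.AddMinutes(4); SourceIp = '10.0.0.9'; TargetUser = 'jsmith' }
$sample += [pscustomobject]@{ Time = $t0.AddMinutes(5); SourceIp = '10.0.0.9'; TargetUser = 'jsmith' }

Find-PasswordGuessingSources -FailedLogons $sample | Format-Table -AutoSize
```

The sample is built so that only 10.0.0.5 crosses the five-account threshold; the repeated failures from 10.0.0.9 stay on one account and are ignored, which is the distinction that keeps a user with a mistyped password from looking like the worm. Tune MinAccounts and WindowMinutes to what a quiet day looks like in your own logs. A second signal of the same activity is a wave of account lockouts across many users (event 4740, or 644 on XP/2003), since a dictionary attack against enumerated accounts trips the lockout policy on every account it fails on.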

A recent Qualys Inc. survey found that it takes roughly 30 days for half of vulnerable machines to receive a patch. With the end of January approaching, the Conficker worm has already proved its staying power.

The slow patching cycles of many enterprises could be contributing to the spread of the worm, according to Qualys' Chief Technology Officer Wolfgang Kandek. Qualys' scanning data indicates that many machines are not patched yet, more than two months after Microsoft's patch release.

"Overall the IT community is not reacting fast enough," he said. "Patch cycles have to be accelerated. Machines that require longer patch cycles (due to their criticality) need to have additional security settings and/or technologies installed that can help mitigate the effects."

Randy Abrams, director of technical education for ESET, said that most of the infections are coming from the corporate space.

"This means that standard security basics are not being enforced," Abrams said. "Perhaps businesses are not investing in security…. Maybe businesses do not know how to evaluate competent security professionals to put in charge."

Not having the time to patch doesn't cut it, Abrams suggested.

"'We needed time to test' is not an excuse for not having deployed the patch for MS08-067," he explained. "If there is a legitimate reason for not having deployed the patch, then there should be many other layers of defense that should be in place for protection."

About the Author

Jabulani Leffall is a journalist whose work has appeared in the Financial Times of London, Investor's Business Daily, The Economist and CFO Magazine, among others.

Reader Comments

Thu, Jan 29, 2009 Eirik Iverson blueridgenetworks.com

Conficker starkly reminds us that ordinary signature-based AntiVirus/Spyware technologies are not enough, more is needed. The same can be said of other malware exploiting vulnerabilities in the applications that run on our computers: http://www.securitynowblog.com/endpoint_security/computer-software-hijacked-malware-attack-steal Cheers, Eirik

Tue, Jan 27, 2009 Washington, DC

It appears that this worm is responsible for another data breach at USAJOBS. From the articles that are posted around the web, there appears to be an unknown amount of PII exposed in this most recent attack. Why is nobody providing information on how big the problem is? Are OPM and Monster going to provide credit monitoring services to all its users? Why was this not reported to USCERT?

Sun, Jan 25, 2009 Raskolnikov

I, for one, am still mystified as to how Microsoft can continue to maintain such high desktop OS market share, especially in the enterprise. I'm not on an anti-MS rant here, but how many global infections caused by OS flaws do we need to spur interest in other products? Especially with more and more software moving to web-based, Java, or Citrix-type environments, it would seem that picking the most insecure desktop client isn't a great idea unless absolutely necessary. I say it's time for a change. Microsoft has had decades to prove they can provide a secure desktop OS, and have failed miserably. The problem is not with administrators, end users, or even the virus coders. The problem is Microsoft producing a desktop OS filled with exploitable flaws version, after version, after version... Compare the philosophy of OpenBSD to that of Microsoft and you can see it clearly illustrated. Sure, OpenBSD "wastes" a lot of time with silly concepts like "correctness" and "security", but how many OpenBSD infections have you heard about recently? OpenBSD probably isn't what I'd call "enterprise friendly" at this point, but Novell, Ubuntu, and Red Hat (among others) have robust product offerings in this area. Windows home users, come on. Unless you're a gamer, why continue to infect yourself and the rest of the world with malware? 99% of the PC problems people call me about are malware related. You will not have the same problems with BSD, Linux, or Mac.
