Latest news
The Conficker conundrum
Posted on 24.03.2010
Security experts estimate that Conficker, a particularly malicious worm, targeting MS Windows, has already infected more than 7 million computers around the world.
Conficker was, without doubt, the most significant piece of malware active throughout 2009, not just because of the media attention it attracted or the number of computers infected worldwide, but also because it represented a leap back in time to the era of massive virus epidemics.
More than a year has passed since Conficker first appeared, yet it is still making the news. The patch for the vulnerability exploited by Conficker was published by Microsoft in October 2008. Yet more than one year later, Conficker continues to infect computers using many advanced malware techniques and exploiting the Windows MS08-067 service vulnerability.
The spread of Conficker impacted all types of institutions and organizations. Victims included the British military, Ealing Council’s entire IT network was disabled for 4 days, and 800 computers from the Sheffield NHS Trust were infected as well as numerous other companies and organisations worldwide. Microsoft even offered a reward of $250,000 to anyone providing information that led to the arrest and conviction of the creators of this malware.
The Conficker worm, which by nature is a particularly damaging strain of virus, appears to be launching brute force attacks to extract passwords from computers and corporate networks. The easier the password, the easier it is for Conficker to decipher it. Once the passwords are detected, cyber criminals can then access computers and use them for their own ends.
So why is this still happening? Principally, because of its ability to propagate through USB devices. Removable drives have become a major channel for the spread of malicious code, due to the increasing use of memory sticks and portable hard drives to share information in households and businesses. After inserting an infected USB into an unpatched machine Conficker will be able to bypass the computer security and, by impersonating an administration account, drop a file on the computer system. It will also try to add a scheduled task to run those files.
Another reason for the longevity of this worm is that many people are using pirated copies of Windows and, in fear of being detected; they avoid applying the security patches published periodically by Microsoft. In fact, Microsoft allows unrestricted application of critical updates, even on non-legitimate copies of its operating system. Nowadays, most companies have perimeter protection (firewall, etc.), but this does not prevent employees from taking their memory sticks to work, connecting them to the workstation and spreading the malicious code across the network. As this worm can affect all types of USB devices, MP3 players, mobile phones, cameras, and other removable devices are also at risk.
What can users do to mitigate this threat? Users should firstly apply the patch to solve the security issue that lets the Conficker worm spread through the Internet (MS08-067); they then need other solutions such as a USB vaccine protecting not just the computer but also the USB device itself.
A security solution which is regularly updated and active should be enough to protect against Conficker and its variants but organizations should also habitually scan for vulnerable machines, disinfect infected machines using updated and active antivirus both on networks and stand-alone PCs and make sure their antivirus and security solutions are up-to-date on the latest version and signature database.
It is important to note that by just asking people to use a security solution, we should not expect to put a halt to the problem. Making users aware of the threats, teaching children at school how to use technology safely and responsively, and ensuring they have privacy in mind are equally important. Many users are unaware of the dangers, and living under the perception that the digital world is secure, and as we know, that is not the case. Preventative measures must also come from the ‘top-down’, legislating, chasing and punishing those that benefit from cybercrime and protecting critical infrastructure.
Author: Luis Corrons, Technical Director, PandaLabs.
Conficker was, without doubt, the most significant piece of malware active throughout 2009, not just because of the media attention it attracted or the number of computers infected worldwide, but also because it represented a leap back in time to the era of massive virus epidemics.
More than a year has passed since Conficker first appeared, yet it is still making the news. The patch for the vulnerability exploited by Conficker was published by Microsoft in October 2008. Yet more than one year later, Conficker continues to infect computers using many advanced malware techniques and exploiting the Windows MS08-067 service vulnerability.
The spread of Conficker impacted all types of institutions and organizations. Victims included the British military, Ealing Council’s entire IT network was disabled for 4 days, and 800 computers from the Sheffield NHS Trust were infected as well as numerous other companies and organisations worldwide. Microsoft even offered a reward of $250,000 to anyone providing information that led to the arrest and conviction of the creators of this malware.
The Conficker worm, which by nature is a particularly damaging strain of virus, appears to be launching brute force attacks to extract passwords from computers and corporate networks. The easier the password, the easier it is for Conficker to decipher it. Once the passwords are detected, cyber criminals can then access computers and use them for their own ends.
So why is this still happening? Principally, because of its ability to propagate through USB devices. Removable drives have become a major channel for the spread of malicious code, due to the increasing use of memory sticks and portable hard drives to share information in households and businesses. After inserting an infected USB into an unpatched machine Conficker will be able to bypass the computer security and, by impersonating an administration account, drop a file on the computer system. It will also try to add a scheduled task to run those files.
Another reason for the longevity of this worm is that many people are using pirated copies of Windows and, in fear of being detected; they avoid applying the security patches published periodically by Microsoft. In fact, Microsoft allows unrestricted application of critical updates, even on non-legitimate copies of its operating system. Nowadays, most companies have perimeter protection (firewall, etc.), but this does not prevent employees from taking their memory sticks to work, connecting them to the workstation and spreading the malicious code across the network. As this worm can affect all types of USB devices, MP3 players, mobile phones, cameras, and other removable devices are also at risk.
What can users do to mitigate this threat? Users should firstly apply the patch to solve the security issue that lets the Conficker worm spread through the Internet (MS08-067); they then need other solutions such as a USB vaccine protecting not just the computer but also the USB device itself.
A security solution which is regularly updated and active should be enough to protect against Conficker and its variants but organizations should also habitually scan for vulnerable machines, disinfect infected machines using updated and active antivirus both on networks and stand-alone PCs and make sure their antivirus and security solutions are up-to-date on the latest version and signature database.
It is important to note that by just asking people to use a security solution, we should not expect to put a halt to the problem. Making users aware of the threats, teaching children at school how to use technology safely and responsively, and ensuring they have privacy in mind are equally important. Many users are unaware of the dangers, and living under the perception that the digital world is secure, and as we know, that is not the case. Preventative measures must also come from the ‘top-down’, legislating, chasing and punishing those that benefit from cybercrime and protecting critical infrastructure.
Author: Luis Corrons, Technical Director, PandaLabs.
Spotlight
A closer look at Mega cloud storage
Posted on 21 May 2013. | Once a novelty, nowadays many cloud storage services are fighting for their piece of the market in the virtual world. Mega offers 50GB of free space with great pricing on Pro accounts.
The CSO perspective on healthcare security and compliance
Posted on 20 May 2013. | Randall Gamby is the CSO of the Medicaid Information Service Center of New York. In this interview he discusses healthcare security and compliance challenges and offers a variety of tips.
Cyber espionage campaign uses professionally-made malware
Posted on 20 May 2013. | A massive cyber espionage campaign has been hitting government ministries, IT companies, academic research institutions, and more.
Ransomware adds password stealing to its arsenal
Posted on 17 May 2013. | Microsoft researchers are warning about a new variant of the well-known Reveton ransomware doing rounds.
IT security jobs: What's in demand and how to meet it
Posted on 15 May 2013. | Let's say you want a career in information security, where do you start? What credentials do you need? What are employers looking for? Read on to find some answers.
Daily digest
By subscribing to our early morning news update, you will receive a daily digest of the latest security news published on Help Net Security.
By subscribing to our early morning news update, you will receive a daily digest of the latest security news published on Help Net Security.
Weekly newsletter
With over 500 issues so far, reading our newsletter every Monday morning will keep you up-to-date with security risks out there.
With over 500 issues so far, reading our newsletter every Monday morning will keep you up-to-date with security risks out there.
 |
