Conficker still a threat, one year on

Saturday marked the first anniversary of the detection of the first variant of the Conficker virus.

One year ago, on November 21, what is now called ‘Conficker A' was detected, a virus which propagated itself through the internet by exploiting a vulnerability in a network service (MS08-067) on various Windows operating systems.

Microsoft released an emergency out-of-band patch in October last year to close the vulnerability, but many PCs remained unpatched as late as January 2009. Further variants were detected in December 2008 and late February 2009, with the D variant that utilised P2P file sharing detected only a few days after the widely predicted ‘meltdown' on April 1.

In February, Microsoft and other ‘technology industry leaders and academia' co-ordinated a response designed to disable domains targeted by Conficker. Microsoft also announced a $250,000 reward for information that results in the arrest and conviction of those responsible for illegally launching the Conficker malicious code on the internet. To date, there have been no convictions around Conficker and the bounty remains unpaid.

Amrit Williams, CTO of BigFix, claimed that the biggest damage caused by Conficker was to the egos of IT managers who were embarrassed yet again to be fighting off an old-fashioned mass infection worm attack.

Williams said: “Publicity surrounding Conficker led to floods of end-user calls to help desks and organisational senior managements asking uncomfortable questions about whether this Conficker worm they were hearing about had spread to the organisation's computers.

“Even here, IT leaders were getting off lucky. If senior management had even a couple of ounces more sophistication they would have beaten up IT leaders on how poorly and inconsistently the organisation's computers were managed to close the vulnerabilities that gave Conficker a foothold. Worse, honest IT leaders would limit their careers by confessing to how little they really know what is going on in the infrastructure.”

Williams further agreed that Conficker did act as a wake-up call as it pointed out the unacceptable state of security configuration management and lack of situational awareness. However, he claimed that like many wake up calls, it wasn't long before a lot of people hit the snooze button and went back to sleep.

As for what has been learnt, Williams said: “Conficker is still out there. It's supposedly lying dormant and will wake up a given time or when fed some kind of signal. But we really can't say that we've defeated it until we defeat the complacency that provides it favourable breeding conditions.

“Managing risk against future Confickers will involve maintaining infrastructure at the most up-to-date configuration levels, being able to see disturbances in machine and network behaviour as they happen, and being able to apply remedies quickly and thoroughly throughout an infrastructure when they become available. This requires discipline and tenacity, all too rare qualities encountered in enterprise IT programs.”

In agreement was Rodney Joffe, senior vice president and senior technologist of Neustar and a director of the Conficker Working Group, who said that people have been ignoring Conficker. He said: “Because their networks have not yet been hit, and then suddenly someone with Conficker connects, and ‘boom', they are fully involved in a firefight.

“There are other meltdowns each day. We see them on our end. It is just that the victims in private industry don't talk about it, because it is embarrassing. So it is not a matter of time. It is here.”

See original article on scmagazineuk.com