Risk, Group Think and the Conficker Worm
Dave Kennedy, March 26th, 2009
Verizon Business customers, and security professionals generally, should resist succumbing to a herd mentality and fear of the unknown surrounding the Conficker worm. In most respects, Conficker (a.k.a. Downadup or Kido) is just another piece of crimeware threatening Windows computers. The known risks it represents are minimal; so far, versions A and B simply spread and version C is presently dormant. They impact the integrity of infected systems but the costs are limited to disinfection. Our defenses are set and we are alert for significant changes in the risk environment if they come, but risk has changed little at this time regardless of the apparent desire of the technical press and the blogosphere to indicate otherwise.
Conficker is not generating spam revenue for the outlaws, nor is it exporting data from infected systems or any of the other myriad of hostile activities current crimeware usually exhibits. Infected systems are under the control of a criminal and could begin executing more criminal instructions. On April 1st, 2009, version C is expected to begin listening for instructions from its master(s) using a new Command and Control (C&C) method.
The “transformation” version C will undergo beginning on April 1st is only partially understood by the security community. The aspects that are unknown, combined with the absence of the hostile activity we’ve come to expect, are being used by various groups as best befits their own nature. Honest or true security professionals recognize it is an opportunity to reinforce security awareness and safe computing practices. Anti-virus companies, appropriately so, recognize it is an opportunity both for sales and to contribute forthrightly to the security of their customers. Technical and general media, charitably, are helping spread awareness but are doubtless exploiting this to fill column-inches and generate revenue of their own. Unfortunately, some in our community have crossed the wide gray line between selfless awareness and selfish self-promotion based on the attractiveness of this issue. Regrettably, they have been caught up in the hyperbole and seem to have lost perspective on what the risk environment is versus what it might be. They have done this to the point of imagining catastrophes with neither precedent nor evidence.
Conficker is just another worm for Verizon Business customers and others with efficient, effective information security architectures. They have agile defenses-in-depth for criminal code. They have conservative, essential configurations and network segmentation. They have NAC, perimeter and gateway configurations and defenses. They have instrumentation to detect criminal network activity in the form of firewalls, IDS, IPS, honeypots and DNS logs. They have security awareness.
And our customers have collaboration amongst ourselves for the uninterrupted security and operation of our information systems. Regardless of what Conficker does or does not do in the future, we already have the defenses and tools ready for Conficker. We will be ready for, adapt to and defend ourselves from whatever the criminals come up with next.
With the exception of new customers who have engaged our Incident Response team specifically in response to a Conficker infection, Verizon Business customers have reported only isolated or anecdotal Conficker infections with little or no broad impact on operations. A very large proportion of the systems we have studied that were infected with Conficker in enterprises were “unknown or unmanaged” devices. Infected systems were not part of those enterprises’ configuration, maintenance, or patch processes. In one study a large proportion of infected machines were simply discarded because a current user of the machines did not exist. This corroborates data from our DBIR which showed that a significant majority of large-impact data breaches also involved “unknown, unknown” networks, systems, or data.
Conficker is a worm that spreads by various methods including removable media, password guessing and exploitation of the Server Service vulnerability patched by MS08-067. Version “A” appeared in late November, about a month after the patch was released. “A” spread only by an RPC request to the Server Service vulnerability and infections were limited.
Version “B” appeared in late December and introduced password guessing, a removable-media infection vector and an improved command and control system using peer-to-peer (P2P) connections. A sub-variant of version B included a new backdoor that has not been observed in use. Version B also manipulated DNS lookups, turned off Windows/Microsoft Update and introduced code-signing.
Version C was an update to version B that removed propagation routines but improved C&C by HTTP and P2P and added AVKill, a common technique used in crimeware to disable any running security software including AV and host-based firewalls.
The best available technical analysis of Conficker was published by the Conficker Cabal and SRI. They have recently added an Addendum for version C.
With respect to risk, Conficker has little to offer in the form of innovation.
- AVKill and DNS manipulation have been “standard accessories” in crimeware for a few years.
- The P2P C&C is different, but not innovative, as the outlaws have been migrating away from IRC bots towards P2P and other more sophisticated C&C for a couple of years.
- Conficker is remarkably different in that it hasn’t really delivered a payload as of this writing. Speculation abounds regarding what Conficker might do, but it’s all just speculation at this point.
- Much, if not most, modern crimeware installs a rootkit; Conficker does not. Its AVKill does, however, disable one anti-rootkit tool and several tools that are useful for rootkit detection.
- Some anti-virus researchers believe it is likely Conficker will try to generate revenue via rogue anti-spyware and anti-virus, and only their analysis has any foundation in fact.
- Arguably, Conficker is relatively low risk because, with no hostile payload having appeared, the costs or losses it causes are relatively minor.
No one, probably including Conficker’s master(s), knows how many infections there are. The Microsoft Malicious Software Removal Tool has been detecting and removing Conficker infections since February’s Microsoft Tuesday. All other significant anti-virus companies detect and remove it. Most have free utilities for Conficker detection and removal. There is no way to know how many systems have been infected or how many have been disinfected or removed from service.
Current intelligence indicates version C does not run reliably. That is, only a portion, possibly a very small portion, of “C” infections will succeed in “phoning home” for whatever nefarious updates may await. This underscores the importance of continuing to find and remove Conficker B infections, and of continued use of IDS/IPS and network management techniques to block the 250 domains per day that Conficker B phones home to.
Security and system administration professionals should anticipate a version “D” update to some portion of version “B” infections. There have already been two windows of opportunity for the outlaws when they updated from version B to version C. It’s reasonable to expect more open windows and for the outlaws to fix bugs in version C.
Microsoft has several resources for the enterprise including: Conficker Worm: Help Protect Windows from Conficker.A and Conficker.B, and Centralized Information About The Conficker Worm. Your anti-virus vendor should have resources for their customers, see below.
Consider tuning IDS/IPS and honeypots to detect and alert on Conficker network traffic. CERT-Austria has a useful document (PDF), Detecting Conficker on your Network.
Consider offering assistance to individual users as a prophylaxis to importing a perimeter-killing infection via a notebook or portable media. Home users can be directed to Microsoft’s home user page: Protect yourself from the Conficker computer worm.
ICSA Labs Anti-virus Certified Products
Tags: anti-virus, antivirus, Computer Attacks, Computer Crime, Crimeware, Hype, Information Security, InfoSec, Malware, Threat

If nothing else, the media’s interest in Conficker has prompted more users and admins to scan and clean their Windows PCs!
Posted by: billso on March 31st, 2009 at 11:07 pm

It’s great that there was advance warning for the Conficker worm; I’m sure a lot of people were spared a lot of hardship because of this

Posted by: caffeine head on April 1st, 2009 at 4:40 am

These two comments represent the problematic way so many in the infosec world justify their existence, and which this blog routinely avoids. Spreading unjustified fear (“Crying Wolf”) is not somehow justified because ‘you’re sure’ it helped ‘a lot’ of people or because it somehow magically caused more people to scan their machines. Only accurate and consistent reporting builds the trust needed to establish security. Justifying panic because of unintended consequences is neither a good security practice nor a good business practice.

Posted by: JM on April 6th, 2009 at 10:41 pm

JM, I invite your attention to the “About the Blog” link above. I want to thank you for your insightful comment, but I am not inclined to agree with you completely. “Billso” and “caffeine head” are both correct and accusing them of spreading FUD is going too far. The same “group think” I cautioned about in the main entry is now leading too many security professionals to join the parade of pointing fingers at everything about Conficker declaring “FUD!” You are absolutely right that consistent accuracy and precision builds trust and causing panic damages trust.
This blog is a platform to highlight information risk. The whole Conficker issue has certainly influenced information risk in both positive and negative ways.
“Billso” is right, there is little doubt significant events in the malicious code space spur users to practice better information security habits. They renew their AV subscriptions or install new AV. The word “firewall” re-enters their vocabulary. They examine their habits for risks.
Business leaders turn to their technology staff with “we’re covered about this Conficker thing right?” queries. These represent opportunities for IT and InfoSec staff to engage their leaders about not only Conficker but other issues they face. If nothing else, it’s an opportunity for the IT and IS staffs to develop relationships across the business. From this perspective, an unintended consequence of Conficker is it has helped us reduce total risk.
This is the primary reason crimeware authors have striven to “run under the radar” since the days of Sasser, Slammer and Code Red. They don’t want headlines to encourage users to safer habits. They do want to cultivate “what, me worry?” attitudes. In the past couple of months, their goals in this vein have been thwarted.
“Caffeine head” is also correct that Conficker has spared many from hardship for the same reason; they clean up their safe computing habits. I suspect “JM” is of the opinion that because Conficker didn’t “detonate” on April 1st, “caffeine head” was overreaching, but I’m reticent to make the same accusation. Every user who’s updated AV, or has been reluctant to click on “you need to upgrade flash to view this video,” has been spared hardship; especially those un-related to Conficker, courtesy of other crimeware.
Conficker is a risk problem. Part of the problem is what we don’t know, and not knowing is causing us to spend time trying to understand it, time we could be devoting to other risk management activities. Part of the problem is the magnitude of infected systems. Our colleagues at IBM have recently blogged about their measurements of the size of the Conficker infected population at http://blogs.iss.net/archive/CountingConfickers.html
Conficker has helped us engage users and business leaders to build the trust I think JM wants us to build. The conversations we have, like this one, when we can set others straight on what aspects of the issue are hype and what issues really do represent risk; these conversations cultivate relationships and trust.
Posted by: Dave Kennedy on April 7th, 2009 at 3:53 pm