Want to Clean Conficker/Downadup Worm? You May Need To Start Where You Are NOT Looking
I just finished up a discussion with Randy Abrams from ESET about the Conficker/Downadup Worm. The interview will post in a few hours on Data Security Podcast, Episode #36. Randy is a smart security guy, and I want to dive into this topic a bit more than I was able to in the discussion with Randy on the Data Security Podcast.
The focus of many postings I have read on this worm is typically in one of three areas:
1. “This is the biggest worm EVER!” “The sky is falling!” “The end is near!”
2. Apply the following tools to help clean the worm
3. Disable AutoRun on USB ports
The real story here is that the Conficker/Downadup Worm appears to be a small-grade attack focused on selling fake anti-virus software. The attack punches holes in networks that, in many cases, already have very serious security vulnerabilities.
In a previous posting I warned that the Conficker/Downadup Worm is a wake-up call for those that don't have any controls on removable media (you know who you are). If ANYONE on the network can plug in a thumb drive, an iPod, or a USB photo frame, including the CEO, CFO, HR, VP of Sales, or Admins, then you have a much bigger threat than the Conficker/Downadup Worm.
Many times I hear a CIO tell me that he has shut down USB access. I respond, "For EVERYONE?" And, if the CIO is being honest, he says, "Well, we had to make an exception for the following departments/users ___, ____, and _____, as they must have access to some devices."
Those exceptions, without compensating controls, break the security principle of complete mediation, which allows only one controlled way in and out of a system. It is this lack of complete mediation that is helping spread the Conficker/Downadup Worm. The good news is that there is great software that can control these physical ports, limit access, provide access control rules for those that need access, log activities and files, and even encrypt data. My favorite tool for all of that is DeviceLock (disclosure: They have been a sponsor of some episodes of the Data Security Podcast).
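Whatever device-control product you settle on, the "disable AutoRun" advice from the list above is something you can verify yourself on any Windows box in a minute. The script below is an added audit example written for this post; it is not code from the original post, from ESET, or from DeviceLock. It assumes the standard Windows policy location for the NoDriveTypeAutoRun value and that a value of 0xFF (all drive-type bits set) turns AutoRun off for every drive type, including removable media.

```powershell
# Added audit example (not from the original post): report whether AutoRun is
# disabled for all drive types, machine-wide (HKLM) and for the current user (HKCU).
# Assumption: NoDriveTypeAutoRun = 0xFF disables AutoRun for every drive type.
$policyPaths = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
)

function Test-AutoRunDisabled {
    param([Parameter(Mandatory)][string]$Path)

    # Read the policy value; a missing value means the box is running on defaults.
    $item = Get-ItemProperty -Path $Path -Name 'NoDriveTypeAutoRun' -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        return [pscustomobject]@{
            Path     = $Path
            Value    = 'not set'
            Disabled = $false
            Note     = 'AutoRun left at Windows defaults'
        }
    }

    $bits = [int]$item.NoDriveTypeAutoRun
    return [pscustomobject]@{
        Path     = $Path
        Value    = ('0x{0:X2}' -f $bits)
        Disabled = (($bits -band 0xFF) -eq 0xFF)   # every drive-type bit must be set
        Note     = ''
    }
}

$results = $policyPaths | ForEach-Object { Test-AutoRunDisabled -Path $_ }
$results | Format-Table -AutoSize

# Flag any scope where AutoRun is still (partly) enabled.
if ($results | Where-Object { -not $_.Disabled }) {
    Write-Warning 'AutoRun is not fully disabled; set NoDriveTypeAutoRun to 0xFF through Group Policy.'
}
```

Run it as the user whose session you care about, because the HKCU entry is per-user. The HKLM entry is the one a domain Group Policy sets, so an empty HKLM result on a domain-joined machine is a sign that the policy never reached it, which is exactly the kind of gap the "exception" departments tend to live in.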
Beyond USB, the Conficker/Downadup Worm is a wake-up call that now is the time to request the budget for a security audit. The Conficker/Downadup Worm demonstrates that too many organizations have poor patching, poor password management, and poor anti-malware protection. And, in my experience, these organizations do not have adequate layers of security in other areas.
In these tight budget times, I am aware that it is difficult to get budget to do anything "new." This is a hard sell if you have not had a recent security audit and vulnerability assessment. At the very least, I recommend that you memo the right people in the organization about these risks; if they reject an audit, then the decision was on their watch. If you don't inform them, and a far more serious attack or breach than the Conficker/Downadup Worm hits you, you will get the blame.
As Randy Abrams points out, there are throngs of "hackers" attacking areas of your network with attacks that don't have famous names and don't get a headline in the paper. Those are the ones to be really scared about.