Cleaning Up Conficker / Downadup Mess, and Reducing the Odds of Getting Stung

As of this writing, the Conficker/Downadup worm continues to spread. Latest reports are that there are over 9 million systems infected so far. This posting will provide more details on the attack, how to know if you have been hit, and suggestions for clean-up if you think you are a victim. There will be more coverage of Conficker/Downadup in Episode 37 of the Data Security Podcast that will post Sunday night.

First, some important background.

According to anti-virus experts, there are a number of factors that make this attack different than other recent malware attacks. First, there are three methods of infection:

1. USB devices, thumb drives, photo frames, MP3 players, PDAs, plug-in “chip” readers, OR
2. System accounts not protected by very strong passwords, OR
3. One system on a network not having the latest patch, either by poor planning, OR, by the malware turning off updates without an administrator’s knowledge

Second, the attack appears to have a high degree of morphing, making it very difficult to locate and kill. If just one unpatched laptop connects to your network, or just one wrong USB device is plugged in, you could get hit.

Third, according to the AV experts, the attack itself may be a precursor to a larger attack. Reports are that the worm is designed to send data to remote servers, using hundreds of possible domains, with new domains being created at a high rate.

With such a complex attack, you want to make sure that ALL Win2k, XP, and WIN2k3 systems have the patch “MS08-067” from Microsoft applied. For many, Windows Update will apply this patch. But, there are reports that the worm will quietly shut this service down. So, you want to double-check to make sure you are patched.

There are two ways to do that. You can use a patch checking tool. Secunia makes free tools that can be used by business networks and home users. Just visit this link: http://secunia.com/vulnerability_scanning . There is a bonus for using a tool like Secunia: many systems have out-of-date third-party applications, like Adobe Flash, Java, or iTunes, and attackers are counting on systems missing these critical patches to launch attacks. This would be an excellent time to update all software, not just Windows.

Or, you can launch Microsoft Internet Explorer -> Tools -> Windows Update -> Review your update history -> go back through your patches and look for KB958644 in your update history. Many systems were updated before January, and you may need to go back to October or November’s patches, depending on your system. If you see KB958644, you are patched.

Since the worm spreads via removable media (USB, CD, Firewire), I suggest that you get DeviceLock security software to control all removable media. Many reports I have read on this attack are overly focused on disabling Windows autorun on USBs to stop part of the attack. But that won’t protect against certain versions of this attack that, according to reports, trick users into executing (“clicking on”) the malware when the USB dialog box appears after a device is plugged into a Windows computer. While this attack is called a worm, in reality it appears to be a blended threat, with behaviors of both worms and viruses, according to reports. Disclosure: DeviceLock has been an advertiser on the Data Security Podcast in the past. I recommended the software for a long time, actually, long before the invention of podcasting. Why? DeviceLock has granular controls, excellent logging, key logging detection, is native to group policy, and supports open source encryption. And, it’s very inexpensive.

The worm also attacks weak passwords. You want to “upgrade” all passwords on your network to strong passwords. With current computing technologies, that now means 15 characters or more (20+ is better), with upper and lower case letters, numbers and punctuation. Think pass phrase, rather than password. People resist doing this, and the bad guys are counting on it.

Let’s move on to the indications, according to Microsoft, that your systems have been hit by Conficker/Downadup:

“If your computer is infected with this worm, you may not experience any symptoms, or you may experience any of the following symptoms:

* Account lockout policies are being tripped.

* Automatic Updates, Background Intelligent Transfer Service (BITS), Windows Defender, and Error Reporting Services are disabled.

* Domain controllers respond slowly to client requests.

* The network is congested.

* Various security-related Web sites cannot be accessed.”
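The two checks above (the KB958644 patch lookup and the disabled-services symptom Microsoft lists) can be run from one PowerShell script instead of clicking through Windows Update. This is an added example, not code from the original post or from Microsoft; it assumes PowerShell is installed on the machine and that the service names used here (wuauserv, BITS, WinDefend, ERSvc on XP/2003, WerSvc on Vista and later) match your Windows version.

```powershell
# Added example: verify the MS08-067 patch is present and that the services
# Conficker is reported to disable are still enabled and running.

# 1. Patch check. KB958644 is the hotfix ID for MS08-067 (from the post above).
$hotfix = Get-HotFix -Id 'KB958644' -ErrorAction SilentlyContinue
if ($hotfix) {
    "OK: MS08-067 (KB958644) installed on $($hotfix.InstalledOn)"
} else {
    "WARNING: KB958644 not found in hotfix list; apply MS08-067 before doing anything else"
}

# 2. Service check. Service names are assumptions for the given Windows versions:
#    wuauserv = Automatic Updates, BITS = Background Intelligent Transfer Service,
#    WinDefend = Windows Defender, ERSvc = Error Reporting (XP/2003),
#    WerSvc = Windows Error Reporting (Vista and later).
$serviceNames = 'wuauserv', 'BITS', 'WinDefend', 'ERSvc', 'WerSvc'
foreach ($name in $serviceNames) {
    # Win32_Service exposes StartMode (Auto/Manual/Disabled), which Get-Service alone does not.
    $svc = Get-WmiObject -Class Win32_Service -Filter "Name='$name'"
    if (-not $svc) { continue }   # service does not exist on this OS version; skip it
    if ($svc.StartMode -eq 'Disabled' -or $svc.State -ne 'Running') {
        "CHECK: $($svc.DisplayName) is $($svc.State) (start mode: $($svc.StartMode))"
    } else {
        "OK: $($svc.DisplayName) is running (start mode: $($svc.StartMode))"
    }
}
```

Any “CHECK” line on a machine where these services were previously set to Automatic matches the symptom list above and is a reason to run the MSRT and the patch scan rather than assume a one-off glitch.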

And more from Redmond on how to clean up the mess once you have been hit: “The Microsoft Malware Protection Center has updated the Malicious Software Removal tool (MSRT). This is a stand-alone binary that is useful in the removal of prevalent malicious software, and it can help remove the Win32/Conficker malware family.

You can download the MSRT from either of the following Microsoft Web sites:

http://www.update.microsoft.com
http://support.microsoft.com/kb/890830”

As I have talked about in previous postings on this topic, if you are worried about being vulnerable to this attack, you probably have much larger security issues.

When was your organization’s last security audit?

Are you running intrusion prevention AND anti-virus at the gateway? I have found many network administrators who say YES to that, but upon audit, they are only running intrusion prevention at the gateway, and they are depending on one AV vendor that protects both servers and desktops. The bad guys are counting on that! A multi-vendor, multi-layered IPS and AV approach is what many networks need.

Are you running data loss prevention (DLP) hardware to detect outbound data loss? Firewalls protect against inbound connections; what measures do you have in place to detect outbound data transfers on all ports (mail, http, https, ftp, and other ports)? If you don’t know what DLP is, find out fast.

Are you encrypting laptop hard drives? TrueCrypt has an excellent, free open source solution. Are you logging all events on a dedicated logging server? Are you encrypting your backups and storing them off-site? Are you deploying virtual machines with security as a focus, not an afterthought?

This is just a partial list. The point is, now is the time to look at your security posture again. Conficker/Downadup is just an indicator of how much work remains to be done to secure our information assets.

According to Randy Abrams at ESET Anti-Virus, the really scary attacks don’t usually make the headlines as they are growing. You may only know long after the data is gone. Just ask the people at Heartland Processing, who just announced the breach of over 100 million transactions. But that incident is for another posting, or for a podcast.
