Editor's note: In part one of this two-part series, Ron Condon discussed how the Conficker worm spread. In this second installment, he discusses how to stop Conficker from spreading and sets out several anti-Conficker defence strategies, such as Conficker patch management and strong password policies.
While the security vendors and law enforcement sit poised to pounce on any future use of the Conficker network, individuals and companies just need to follow basic anti-Conficker security practice to avoid infection.
- Conficker patch management -- the MS08-067 security update, which Microsoft issued on October 23, 2008 ahead of the first Conficker outbreak, would have blocked all infections if it had been applied immediately. Any new victims are going to be either users of unlicensed software (see sidebar showing the locations of infections), or companies that have failed to apply the patch to every machine in their network.
- Applying strong passwords -- Conficker spreads by trying to brute-force passwords on the network.
- Disabling Autorun to avoid the malware being spread through USB sticks.
- Ensuring disinfection is complete, as one bad machine can reinfect the rest.
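The four practices above are the kind of thing an administrator would want to audit across a fleet rather than take on trust. The PowerShell script below is an added example written for this article, not code from the article, Symantec, ESET or any other party quoted here. It assumes several things the article does not state: that MS08-067 shipped as the standalone update KB958644 and is built into Windows 7 / Server 2008 R2 (NT 6.1) and later; that Autorun policy is read from the `NoDriveTypeAutoRun` value under the Explorer policy key, where `0xFF` disables Autorun for every drive type; that the 12-character minimum password length is a hypothetical threshold for a policy to be called "strong"; and that a "cleaned" host should have Windows Update and BITS running again, since Conficker variants were widely documented (outside this article) as disabling them.

```powershell
# Added defensive audit example; not code from the article or from any quoted vendor.
# Assumptions not stated on the page: MS08-067 = KB958644 and is built into NT 6.1+;
# Autorun policy lives in NoDriveTypeAutoRun; 12 characters is a hypothetical threshold;
# wuauserv/BITS being stopped is treated as a sign of incomplete disinfection.

function New-Result([string]$Control, [bool]$Ok, [string]$Detail) {
    [pscustomobject]@{ Control = $Control; Ok = $Ok; Detail = $Detail }
}

function Test-Ms08067Patch {
    # Windows 7 / Server 2008 R2 (NT 6.1) and later already contain the fix, so only
    # older builds need the standalone KB958644 update to be present.
    $ver = [System.Environment]::OSVersion.Version
    if ($ver -ge [version]'6.1') {
        return New-Result 'MS08-067' $true "built into NT $ver"
    }
    $fix = Get-HotFix -Id 'KB958644' -ErrorAction SilentlyContinue
    if ($fix) { return New-Result 'MS08-067' $true "KB958644 installed $($fix.InstalledOn)" }
    return New-Result 'MS08-067' $false 'KB958644 missing on pre-6.1 build'
}

function Test-AutorunDisabled {
    # Machine policy (HKLM) overrides user policy (HKCU). 0xFF disables Autorun on all
    # drive types; any other bitmask (or no value) leaves some media eligible.
    $key = 'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    $machine = (Get-ItemProperty "HKLM:\$key" -Name NoDriveTypeAutoRun -ErrorAction SilentlyContinue).NoDriveTypeAutoRun
    $user    = (Get-ItemProperty "HKCU:\$key" -Name NoDriveTypeAutoRun -ErrorAction SilentlyContinue).NoDriveTypeAutoRun
    $effective = if ($null -ne $machine) { $machine } else { $user }
    if ($effective -eq 0xFF) { return New-Result 'Autorun' $true 'NoDriveTypeAutoRun = 0xFF' }
    $shown = if ($null -eq $effective) { 'not set' } else { '0x{0:X2}' -f $effective }
    return New-Result 'Autorun' $false "NoDriveTypeAutoRun = $shown (expected 0xFF)"
}

function Test-PasswordPolicy {
    param([int]$MinimumLength = 12)   # hypothetical threshold, adjust to local policy
    # 'net accounts' prints the effective local/domain policy; the label is locale
    # specific, so this parse only works on English-language Windows.
    $line = (net accounts 2>$null) | Where-Object { $_ -match '^Minimum password length' }
    $len = if ($line -match '(\d+)\s*$') { [int]$matches[1] } else { 0 }
    $ok = $len -ge $MinimumLength
    return New-Result 'Password policy' $ok "minimum length $len (want >= $MinimumLength)"
}

function Test-UpdateServices {
    # A host still unable to fetch updates after "cleaning" is a candidate for
    # reinfecting the rest of the network, so check that both services are alive.
    $bad = @()
    foreach ($name in 'wuauserv', 'BITS') {
        $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
        if (-not $svc -or $svc.StartType -eq 'Disabled') { $bad += $name }
    }
    if ($bad.Count -eq 0) { return New-Result 'Update services' $true 'wuauserv and BITS enabled' }
    return New-Result 'Update services' $false ("disabled or missing: " + ($bad -join ', '))
}

function Invoke-ConfickerHygieneAudit {
    $results = @(Test-Ms08067Patch; Test-AutorunDisabled; Test-PasswordPolicy; Test-UpdateServices)
    $results | Format-Table -AutoSize | Out-String | Write-Host
    return $results
}

$audit = Invoke-ConfickerHygieneAudit
if ($audit | Where-Object { -not $_.Ok }) { exit 1 }   # non-zero exit lets a scheduler flag the host
```

Run it in an elevated session on each host, or push it out with `Invoke-Command` and collect the returned objects with `Export-Csv`. The non-zero exit status is what makes it useful at scale: a machine that fails any of the four checks shows up in the job results without anyone reading the table, which is the opposite of the "prepared to live with it" posture the article describes.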
The fact that new Conficker infections are continuing to occur is a sign that organisations have become complacent, according to Orla Cox from the Symantec Response Centre in Dublin. "Some companies know they have infections, but they are prepared to live with them, because it's not causing them any real trouble. But it can cause a lot of noise on the network, and become a real nuisance. It's really not good practice to continue with infected machines."
Rodney Joffe agrees: "Organisations are not implementing the defences to stop infection and reinfection -- that's why we're not beating this," he said. "If an organisation gets infected, it's because IT folks are not taking it seriously, or they are not enforcing their rules. They are still allowing people to wander around promiscuously with USB drives and get infected. If companies are still getting infected, names should be taken and heads should roll."
So what can we learn from the Conficker botnet, and what does it tell us about future malware trends?
Most experts agree the best thing to come out of the Conficker outbreak is the rapid response of the industry and the formation of the working group to monitor its development and help track down the culprits. "It was impressive that we could pull together a concerted response from 110 different countries in the course of a few days to focus on a single threat. That had never happened before," Joffe said. "That will form the basis for how we fight the next battle."
But Randy Abrams, director of technical education at antivirus company ESET LLC, had a more cynical view: "Conficker teaches us very little. Those who practice the most basic of security tenets have little problem with Conficker. Those who refuse to learn from history make the same security mistakes over and over again."