How to stop the spread of the W32 Conficker worm

The rapid spread of the Conficker worm -- estimated to have infected 9 million systems already -- calls for a few basic enterprise defenses.

If the first few weeks of the new year are anything to go by, information security isn't getting any easier. Consider some recent events:

  • The Ministry of Defence is still working to remove a virus that affected up to 70 sites, including Royal Navy ships and RAF bases, and which, according to some sources, resulted in RAF emails being redirected to Russian Internet servers.
  • Possibly the biggest security breach in history was revealed this week (on the same day as President Obama's inauguration, as it happens). U.S. service company Heartland Payment Systems announced that malware had been discovered on its systems, giving cybercriminals access to credit card information entering the Heartland systems for processing. The company handles 100 million card transactions a month on behalf of around 250,000 small businesses. It is still unclear how long the rogue code had been in place.

And recently, the rapid spread of the Conficker worm -- estimated to have infected 9 million systems already -- has exploited a vulnerability in Windows (MS08-067), which allows the malware to copy itself into the Windows system folder as a DLL file and then modify the Registry so the DLL runs as a service. Once up and running, it creates an HTTP server and can then download files from an attacker-controlled website. Even with the patch in place, experts say, the worm can still get in from an infected USB device via the Windows AutoRun function.

How to protect yourself from the W32/Conficker worm

  • Patch as soon as you can. Graham Cluley, senior consultant at antivirus company Sophos Inc., said: "Conficker seems to have had less of an impact on home users, mainly because Microsoft has done a good job in doing automatic updates. Companies like to manage their patching, and I think that with people being away over the Christmas holidays, some companies were stretched and took longer to get around to patching."
  • Keep antivirus up to date so that any new variants of W32/Conficker and other viruses can be picked up.
  • Enforce strong passwords. W32/Conficker operates by breaking weak passwords on systems in order to gain access to system resources. It will also look for file shares and other computers on your network that do not have a good password. Cluley said: "Make sure none of your users are ever using dictionary words. Look for daft combinations and sequences like ABCDEF or 123456, or repeated characters. Otherwise it's just too easy for malware or hackers to try to crack it."
  • Use products that control the enterprise use of USB devices.
  • Disable the AutoRun function in Windows. The Windows patch (KB958644) stops the worm from getting into your computer via the Internet. If, however, the worm is introduced on a USB stick and AutoRun executes it, it can infect the machine and, from there, the network.
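As an added example (not from the article or from Sophos), the following PowerShell script audits a single Windows host for the two controls above that can be checked mechanically: whether the MS08-067 patch (KB958644) is installed and whether the AutoRun policy is set for all drive types. It assumes it is run with administrator rights; the function names are the author's own.

```powershell
# Audit one host for the MS08-067 patch and the AutoRun policy, reporting
# whatever is missing. The KB number is the one named in the article; the
# registry policy path and the 0xFF bitmask are standard Windows values.
$Patch     = 'KB958644'
$PolicyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$AllDrives = 0xFF   # NoDriveTypeAutoRun bitmask: every drive type has AutoRun disabled

function Test-Ms08067Patch {
    # Get-HotFix lists installed updates; no entry means the network-facing
    # RPC flaw Conficker exploits is still unpatched on this host.
    return [bool](Get-HotFix -Id $Patch -ErrorAction SilentlyContinue)
}

function Test-AutoRunDisabled {
    # The USB vector depends on AutoRun. The policy value must exist and cover
    # all drive-type bits, otherwise removable media can still trigger it.
    $value = (Get-ItemProperty -Path $PolicyKey -Name NoDriveTypeAutoRun `
              -ErrorAction SilentlyContinue).NoDriveTypeAutoRun
    return ($null -ne $value) -and (($value -band $AllDrives) -eq $AllDrives)
}

function Disable-AutoRun {
    # Machine-wide remediation (hypothetical helper); takes effect after
    # the next logon or restart.
    if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
    Set-ItemProperty -Path $PolicyKey -Name NoDriveTypeAutoRun -Value $AllDrives -Type DWord
}

$findings = @()
if (-not (Test-Ms08067Patch))    { $findings += "$Patch (MS08-067) is not installed" }
if (-not (Test-AutoRunDisabled)) { $findings += "AutoRun is not disabled for all drive types" }

if ($findings.Count -eq 0) {
    Write-Output "OK: MS08-067 patch present and AutoRun disabled"
} else {
    $findings | ForEach-Object { Write-Output "MISSING: $_" }
    exit 1
}
```

The script only reports; call Disable-AutoRun deliberately if you want it to remediate, and treat a passing result as necessary rather than sufficient, since it says nothing about the password and antivirus controls in the list.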

There is, however, reason to be cheerful. Cluley draws comfort from the fact that although Conficker has spread so fast, it has not yet been activated. "I wonder if the people behind it have been scared off," he said. "If they were to use this botnet now for criminal purposes, you can be sure that every computer crime authority in the world would be trying to track them down. If they sent spam that sent people to a website, the authorities would follow the money trail, and would be able to piece together who was responsible for this thing."
