How to stop the spread of the W32 Conficker worm

The rapid spread of the Conficker worm -- estimated to have infected 9 million systems already -- calls for a few basic enterprise defenses.

Ron Condon

If the first few weeks of the new year are anything to go by, information security isn't getting any easier. Consider some recent events:

The Ministry of Defence is still working to remove a virus that affected up to 70 sites, including Royal Navy ships and RAF bases, and which according to some sources, resulted in RAF emails being redirected to Russian Internet servers.

Possibly the biggest security breach in history was revealed this week (on the same day as President Obama's inauguration, as it happens). U.S. service company, Heartland Payment Systems, announced that malware had been discovered on its systems, which gave cybercriminals access to credit card information going into the Heartland systems for processing. The company handles 100 million card transactions a month on behalf of around 250,000 small businesses. It is still unclear how long the rogue code had been in place.

Future security threats: Enterprise attacks of 2009

John Strand previews the information security threats that'll be big in 2009.

And recently, the rapid spread of the Conficker worm -- estimated to have infected 9 million systems already -- has exploited a vulnerability in Windows (MS08-067), which allows the malware to copy itself into the Windows system folder as a DLL file and then modify the Registry, so the DLL can run as a service. Once up and running, it creates an HTTP server and can then download files from a hacker's website. Even with the patch in place, the worm can still get in from an infected USB device, experts say, using the Windows AutoRun function.

How to protect yourself from the W32/Conficker worm

Patch as soon as you can. Graham Cluley, senior consultant at antivirus company Sophos Inc., said: "Conficker seems to have had less of an impact on home users, mainly because Microsoft has done a good job in doing automatic updates. Companies like to manage their patching, and I think that with people being away over the Christmas holidays, some companies were stretched and took longer to get around to patching."

Keep antivirus up to date so that any new variants of the W32/Conficker and other viruses can be picked up.

Enforce strong passwords. W32/Conficker operates by breaking weak passwords on systems in order to gain access to system resources. It will also look for file shares and other computers on your network that do not have a good password. Cluley said: "Make sure none of your users are ever using dictionary words. Look for daft combinations and sequences like ABCDEF or 123456, or repeated characters. Otherwise it's just too easy for malware or hackers to try to crack it."

Use products that control the enterprise use of USB devices.

Disable the AutoRun function in Windows. The Windows patch (KB958644) stops the worm from getting into your computer via the Internet. If the worm, however, is introduced on a USB stick and is able to execute AutoRun, it will be able to infect the machine and from there, the network.

There, however, is reason to be cheerful. Cluley draws comfort from the fact that although Conficker has spread so fast, it has not yet been activated. "I wonder if the people behind it have been scared off," he said. "If they were to use this botnet now for criminal purposes, you can be sure that every computer crime authority in the world would be trying to track them down. If they sent spam that sent people to a website, the authorities would follow the money trail, and would be able to piece together who was responsible for this thing."

Download this free guide

The importance of web security

Join us as we take a look at the different approaches you can take in order to bolster your web security. We find out how to identify and address overlooked web security vulnerabilities, how security controls affect web security assessment results and why web opportunities must be met with appropriate security controls.

Corporate E-mail Address:

You forgot to provide an Email Address.

This email address doesn’t appear to be valid.

This email address is already registered. Please login.

You have exceeded the maximum character limit.

Please provide a Corporate E-mail Address.
- I agree to TechTarget’s Terms of Use, Privacy Policy, and the transfer of my information to the United States for processing to provide me with relevant information as described in our Privacy Policy.
Please check the box if you want to proceed.
- I agree to my information being processed by TechTarget and its Partners to contact me via phone, email, or other means regarding information relevant to my professional interests. I may unsubscribe at any time.
Please check the box if you want to proceed.

Read more on Hackers and cybercrime prevention

Start the conversation

0 comments

Register

Login

Forgot your password?

Your password has been sent to:

Please create a username to comment.