Monday, January 26, 2009

The Conficker Virus

In recent weeks, a worm called Conficker has infected an estimated 9 million Microsoft Windows desktops and servers throughout the world via a Windows security flaw patched in October 2008 (MS08-067).

The BIDMC Security team has provided me with several briefings that I'd like to share with you.

Day 1
We are still looking at how to identify the infection from network-based activity. Our managed workstations are not at risk, as they have the Windows MS08-067 patch applied. This of course assumes that the MS08-067 vulnerability is the only vector.

The larger risk is the introduction by a non-patched, non-managed workstation that then passes this on to other systems on the network that are vulnerable.

This is a very well-written and nasty virus. It has an extensive list of dynamic DNS entries to phone home to; the list is ever-changing. The list for last week was over 1000 entries long. I have not seen the new list for this week.

My biggest fear is the medical devices. Vendors often claim that FDA 510(k) approval does not allow application of operating system patches. This makes the ability to detect this via network behavior very critical.

Day 2
We have kicked off a type of scan that will identify all our systems that are susceptible to the Conficker attack, i.e., systems that do not have the MS08-067 patch applied.

The risk an infected system poses is still unknown, as it is still unclear what the intent of the virus is.

Day 3
The approach we are taking is:

1. Looking back 4 weeks into the web content filters to see if any systems that we monitor had accessed any of the suspect 1000 URLs. The result is that there were no hits as of late Friday night. We have set up a job that will run at midnight and examine the prior 24 hours of web activity for any hits.

2. We are running a scan process that looks at all systems that are online. This is a non-invasive scan that can conclusively determine whether a system is missing the Microsoft patch that closes the vulnerability.

3. We have also found some information on how to examine a system's registry and identify systems that might be infected. This will work only on managed systems. This is important due to the nature of the virus: the virus can infect via a USB key. Once on the system, it shuts down the anti-virus on the system as well as a wide range of anti-spyware programs.

4. We alerted the help desk to be on the lookout for a rise in user complaints about their anti-virus not working correctly. The latest on the virus also indicates that it then attempts dictionary-type attacks to break into the accounts it finds on the systems. This would show up as a rise in user password resets or account unlocks.

Desktops and servers need to be monitored, since one of the targets of the virus is file servers located via mapped drives.

We are members of HTCIA and InfraGard. These organizations, particularly InfraGard, provide information that is often not immediately available to the general public. We are keeping an eye out for any early additional information regarding the virus's behaviour. InfraGard is tasked with protection of the national infrastructure from both physical and cyber threats; this virus has gotten their full attention.

Day 4
We now have a copy of the Conficker code. It is VMware-aware and shuts itself down and hides when it detects that it is running under a VM. This is a new tactic of the better-written viruses and trojans; it means you cannot load it onto a virtual desktop to examine its behavior, making it slower to generate AV signatures.

It also has built-in code to detect that the Windows debugger has been invoked to examine it. If it detects the debugger, it again shuts itself down and "hides", disabling the ability to use the debugger to examine its behavior.

There has been some press about the belief that the payload of the code may be flawed and that only the delivery mechanism is well written. That may be the case, but assuming that position is very risky. There are already growing numbers of variants of the code. I think we have not seen the true purpose of the virus yet. This has an IRC bot component to it; it is pulling content and instructions from command and control sites. We can only hope that the ultimate purpose and payload are flawed, as this is still spreading rapidly.

Clearly, this is a very nasty virus, and we are on the highest alert since the SQL Slammer worm in 2003. All CIOs should ensure their security staff are briefed on this new worm and are proactively defending against it.
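Step 1 of the Day 3 briefing above (a nightly job that checks the prior 24 hours of web-filter activity against the suspect-domain list) is the kind of check many shops had to improvise that week. The script below is an added example, not BIDMC's job or anything from the briefings: the suspect domains and the proxy log lines are constructed for illustration (they are not real Conficker rendezvous domains), and the log layout is assumed to be a simple "date time client URL" line. It matches on the hostname rather than on a substring of the URL, so a subdomain of a listed domain counts as a hit but a lookalike such as "notbotnet-three.test" does not, and it restricts the search to a 24-hour window ending at the time the job runs.

```python
"""Nightly check of web-proxy logs against a suspect-domain list (added example).

The domain list and log lines are constructed for illustration; they are not
Conficker's real phone-home list. The log format is an assumed
"YYYY-MM-DD HH:MM:SS client_ip url" layout.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlsplit

# Constructed (hypothetical) suspect list; the real one changed every week.
SUSPECT_DOMAINS = {"example-c2-one.test", "rendezvous-two.test", "botnet-three.test"}

# Constructed proxy log lines: one line just before the window, two hits from
# the same client, one hit from another client, and one lookalike host.
SAMPLE_LOG = """\
2009-01-23 23:58:10 10.1.4.22 http://www.example.com/index.html
2009-01-24 00:12:44 10.1.4.22 http://abc.example-c2-one.test/search?q=1
2009-01-24 03:30:01 10.1.9.8 http://rendezvous-two.test/
2009-01-24 11:05:19 10.1.4.22 http://example-c2-one.test/
2009-01-24 17:45:00 10.1.7.15 http://notbotnet-three.test/
"""


def host_matches(host, suspects):
    """True if host equals a suspect domain or is a subdomain of one.

    Compares whole DNS labels from the right, so 'abc.example-c2-one.test'
    matches 'example-c2-one.test' but 'notbotnet-three.test' does not match
    'botnet-three.test' (a plain substring test would wrongly flag it).
    """
    labels = host.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in suspects for i in range(len(labels)))


def parse_line(line):
    """Split one assumed-format log line into (timestamp, client, url)."""
    date, time, client, url = line.split(" ", 3)
    return datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M:%S"), client, url


def find_hits(log_text, suspects, window_end, window_hours=24):
    """Return {client: [(timestamp, host), ...]} for suspect contacts.

    Only lines with window_end - window_hours <= ts < window_end are examined,
    which is the 'prior 24 hours' a midnight job would look at.
    """
    end = datetime.strptime(window_end, "%Y-%m-%d %H:%M:%S")
    start = end - timedelta(hours=window_hours)
    hits = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, client, url = parse_line(line)
        if not (start <= ts < end):
            continue
        host = urlsplit(url).hostname or ""
        if host_matches(host, suspects):
            hits[client].append((ts.isoformat(sep=" "), host))
    return dict(hits)


if __name__ == "__main__":
    # A job run at midnight on 2009-01-25 examines all of 2009-01-24.
    for client, contacts in find_hits(SAMPLE_LOG, SUSPECT_DOMAINS, "2009-01-25 00:00:00").items():
        print(client)
        for ts, host in contacts:
            print(f"  {ts}  {host}")
```

Clients that show up here are candidates for the registry and patch checks in steps 2 and 3, not proof of infection on their own; the web filter only sees traffic that went through it, so a device that resolves and connects on its own network path (the medical-device case from Day 1) would never appear in these logs.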


Anonymous said...

Thanks for the completeness of describing your methods of detection. That is helpful in formulating a plan to identify and deal with this threat.

Anonymous said...

Thanks for the post, John. Someone I enjoy reading is Bruce Schneier on security. One of his insights applies here: spread the risk. Something that helps keep our identities safe is the multiple sources of verification we possess: credit cards, driver's license, library card, University ID, etc. Security comes from that diversity. The same is true in computing. Being Microsoft-centric is a real risk. The corporate reliance on a single OS for servers, applications, and data storage is a real source of problems. Multiple platforms strengthen the environment. It does introduce other issues, to be sure, such as interoperability. That is a much better problem to solve.

Unknown said...

John...very interesting post. I am actually a security specialist from VMware and was glad to see you were using Workstation as a sandbox for the worm, but saw that the worm was VMware-aware, which caused it to go dormant in a virtual environment. This is definitely becoming a problem for researchers who want to use a virtual environment as a honeypot or sandbox for researching malware. More and more malware is checking whether it is in a virtual environment and following these techniques to avoid detection. In an odd way, though, this can almost be an advantage to running your OS and apps in a virtual machine, because these "virtualization aware" strains of malware will not run in those machines.

With the upcoming work we are doing with the security community on the VMsafe initiative we can really start to claim a higher level of security running in a virtual machine. Of course this all depends on how you architect and configure the system, because even the most secure system in the world can have a hole if it is not configured properly.

Anyway, good stuff and I look forward to following your blog into the future.

mdceo said...

It is shocking.

Conficker contains a password-cracking program that can break simple passwords, for example: 1234, supervisor, owner, etc - along with simple numeric passwords and birthdays.

Passwords are classified as weak, moderate, or strong - depending on how easy they are to crack.

An ideal password, which would be very hard to break, should contain a combination of uppercase and lowercase letters, numbers, and symbols, and should be a minimum of six characters long.

The catch is that remembering a password like that could be tricky and security experts advise against keeping a written copy of your passwords, in case of theft.
