Security Watch

Always On Our Minds

Yes, Conficker manages to remain in minds of IT security. Plus: tweeting birds get the worm and why security standards equal a bad idea.

• By Jabulani Leffall
• 04/14/2009

As Microsoft prepares itself for its largest patch rollout in six months, news of worms and bugs and even widespread hacks and the laws that may fight them still persist. Oddly enough, October 2008, which is the last time there was a significant release of security bulletins from Redmond is the same month that the Conficker patch MS08-067 first surfaced. As IT pros prepare for April's patch slate, we've gone from the Conficker A variant all the way to Conficker E, which was reported as recently as April 9.

The Evolving Worm
The resurgence of Conficker hype picked up again began late last week when The U.S. Computer Emergency Readiness Team issued a warning that researchers had discovered a new variant of the Conficker worm that updates earlier infections via its peer-to-peer network. Naturally, the chatter continued in the private sector as well about the lingering risks associated with the worm. Scans of more than 300,000 Windows PCs owned by customers of security outfit Qualys, Inc. show that patching of the MS08-067 vulnerability -- a bug that Microsoft fixed with an emergency update issued in October 2008 -- picked up dramatically two weeks ago.

But Qualys' scans also revealed that about five percent of PCs scanned were actually infected with one of now five Conficker variants. This is seemingly a low number when it comes to the amount of PCs scanned but considering that millions are estimated to be infected, concerns over the worm are far from over.

"This weekend we found an interesting pattern when we polled our system-wide QualysGuard statistics around the Conficker vulnerabilities," said Wolfgang Kandek, chief technology officer of Qualys, Inc. "Since early February MS08-067, the critical Windows vulnerability that Conficker initially used to infect machines, has been oscillating between the 20 percent and 40 percent mark, but in general hovering around the 35 percent barrier. "

There is other news out of Russia, via Kaspersky Lab, a Moscow-based antivirus firm, that a Conficker-related botnet could simply flood the Web with spam rather than trying to initiate an incursion into a system or group of previously infected networks.

"In just 12 hours, one bot alone sent out 42,298 spam messages," said Kaspersky researcher Alex Gostev in a research note last week. "A simple calculation shows that one bot sends out around 80,000 e-mails in 24 hours. Assuming that there are 5 million infected machines out there, the [Conficker] botnet could send out about 400 billion spam messages over a 24-hour period."

Kaspersky said to be on the lookout of the usual spam suspects, which includes male enhancement ads.

Meanwhile, in an effort to better manage the spread of the worm and the worm-like fervor of warnings and bad news about the historic botnet, Redmond is instructing inquiring minds to visit several sites such as its Conficker landing page, which is said to give up-to-date info on new variants.

Tweet Goes the Worm
If it tweets like a tweeter on Twitter, it may not be just a bad attempt at an alliterative pun but also an infectious worm wreaking havoc within the confines of the popular mini-blog portal twitter.com. After yet another worm attack early Monday -- the fourth in as many days since Good Friday -- administrators and company management for the site found themselves rifling through infected accounts. The staff is still trying to ferret out renegade tweet entries and then, in characteristic fashion, tweet about what's going wrong in real time.

"We are still reviewing all the details, cleaning up, and we remain on alert. Every time we battle an attack, we evaluate our Web coding practices to learn how we can do better to prevent them in the future. We will conduct a full review of the weekend activities. Everything from how it happened, how we reacted, and preventative measures will be covered," said Biz Stone, cofounder of the social networking phenomenon in this blog post.

No word yet on whether this is Conficker or another worm.

A Bill of Goods
Proposed legislation, in this stage known as Cybersecurity Act of 2009, was introduced last week by U.S. Senators Jay Rockefeller (D-W.Va.) and Olympia Snowe (R-Maine). Among other things, the bill would empower the National Institute of Standards and Technology to develop what it has called "measurable and auditable" security standards for government entities, as well as companies in critical infrasturcutre industries. One such industry is energy in general and electric power grids in particular.

Phil Lieberman, president of Lieberman Software and a vocal critic of government efforts to put forth a far-reaching and comprehensive IT security standard, points to the recent hacks of power grids as endemic of a larger problem.

"The cause of the weaknesses come down to these facts," he explained. "One, that the electrical grid is now interwoven with the public Internet. Two that the public grid interfaces between the public Internet and the control grid have protections, but they are and will never be perfect. And three, that users within the control grid infrastructure network use these systems to receive e-mail and surf the Web, allowing them to be infected and taken over by hackers; thereby giving external entities access to the grid management."

The larger issue is whether the public sector needs to collaborate with the private sector on these issues, or if IT security should be completely under the purview of Homeland Security and National Security Agency type entities as a threat to the well-being of the country. Stay tuned.