Security Watch

Conficker's Evil Twin

Plus: An un-'Stirling' roll-out; PCI Compliance is better than no compliance; more.

• By Jabulani Leffall
• 04/07/2009

April Fool's Day came and went without incident and it appears as if the Conficker non-event made fools of everyone who played up the hype predicting a wholesale slaughter of infected servers by the nefarious computer worm. That said, Conficker is still out there dormant and now an offshoot has Microsoft paying attention.

Redmond said it found a new exploit that pokes holes in its MS08-067 patch, which up until now was known as the "Conficker bulletin." The new-old worm, as it were, has been active for years and is called Neeris. Also known by the more technical moniker of Win32/Neeris.gen!C., the worm is being called a Conficker copycat because it relies on the same AutoRun and remote call procedure characteristics.

Microsoft says some of Neeris' variants were used to exploit MS06-040, a previous patch from September of 2006 in the same Server Service program as the MS08-067 patch released last October.

The kicker here is that while pundits, security experts and even this blogger were concentrating on Conficker, instances of Neeris appearing on enterprise services spiked between March 31 and April 1.

Security staffers from Redmond said in their Malware Protection Center blog that there is "no evidence that (Neeris) is related to Conficker.D's April 1 domain algorithm activation."

Redmond Reins In 'Stirling' Roll-Out
Microsoft has increasingly been gung ho about security and security products and had been hatching up a large campaign around its 'Stirling' security suite software, which was to be released in the summer. But after customers raised questions about interoperability with third-party applications, Redmond re-trenched and decided to add a "zero-day attack-prevention technology" called Dynamic Signature Service. For these and likely other reasons, the roll-out will occur in late fall, with other bells and whistles not showing up until 2010.

In the post on its Forefront blog, Microsoft said that Dynamic Signature Service, which it is calling a "behavior-based technology," is designed to "help deliver more comprehensive endpoint protection for zero-day attacks." 

Ironically, the decision to fall back and add zero-day bug prevention technology came on the same day late last week as Redmond issued a security advisory about a zero-day exploit in its PowerPoint software for Microsoft Office.

The Myth of PCI Compliance Security
Security Watch has in past posts touched briefly on the Payment Card Industry Council Data Security Standards (PCI DSS) and the headaches it gives IT compliance executives and critics of the regulations. Last week at a congressional hearing on the subject, those critics, both in the public and private sector, voiced their concerns. Chief among the grievances is that PCI security rules do little to stop theft of payment card data or protect enterprise systems.

"I do want to dispel the myth once and for all that PCI compliance is enough to keep a company secure," said Rep. Yvette Clark, a democrat representing a district in New York and chairwoman of the House subcommittee that held the hearing.

Those sentiments were echoed at the hearing National Retail Federation's Chief Information Officer David Hogan, who is one of the more vocal opponents of the ruling. His contention is that the IT departments of major retailers and other merchants should not have to store credit card data for unspecified amounts of time at the behest of credit card companies, which actually fund the PCI council and are the sole arbiters of punishment in the event of non-compliance.

At the same time, not having any safe guards in place can present a double-edged sword -- that is, better safe and annoyed than unsafe and sorry.

For small merchants on Windows systems, Microsoft's Point of Sale application can serve as the interface for logging sales data, while the pertinent information should be stored on an off-site SQL Server-based system or farmed out to a third-party for storage and archiving, if not periodic oversight.

But this is only a temporary solution to a long-term issue and the contentious debate rages on.

IT Staffers Lack Confidence in Enterprise Security
Speaking of monitoring, solutions and compliance the results of a survey by third-party security outfit Shavlik Technologies revealed that only 17 percent of more than 435 IT operations and security specialists say they have confidence that their systems conform to corporate policy and, by extension, lead to secure enterprise environment. 

Shavlik, which hocks its own security software and compliance automation programs, said in the survey that enterprises should balance "the need to distribute, maintain and report on mandated configurations, while at the same time mapping those configurations directly to a compliance standards such as CobIT, Sarbanes-Oxley, the aforementioned PCI and other standards.