News

Microsoft Battles Worm, Rebuts CERT Claim

Microsoft is still trying to control the Conficker worm, both the bug itself and news about how it's handling it.

• By Jabulani Leffall
• 01/23/2009

On Thursday, Roger Halbheer, chief security adviser for Microsoft's Europe, Middle East and Africa Group, disputed findings in an alert issued by the U.S. Computer Emergency Readiness Team (CERT).

CERT suggested that the Windows AutoRun feature, which could be tapped to run malicious programs in Windows environments, should be disabled. Doing so would limit the spread of bug strains like Conficker. Moreover, CERT described Microsoft's guidelines for disabling AutoRun as ineffective, exacerbating the vulnerability.

Halbheer objected to CERT's claim in his blog post. He pointed to a Knowledgebase article describing how Windows users can disable the AutoRun registry key and prevent incursions from removable media, such as USB flash drives.

Microsoft faces a tall order in getting out the word that a fix exists, while quelling the concerns of users and system administrators. It's a global problem, too.

"Quenching the outbreak is going to be difficult due to the ISPs not wanting to get involved with supervising the traffic of their users," said Phil Lieberman, president of Los Angeles-based Lieberman Software. "Consumers cannot shut down those that are attacking them since they would be legally liable and the government is prohibited from stopping the outbreak because there are no laws that allow it because of offshore control of the botnet."

Lieberman added, "I have to tell you, it's a good day to be a cyber-criminal running a botnet, and an even better day to be an antivirus vendor."

The Conficker worm may be one of the largest botnet bugs ever created. It got its name from a circle of German hackers and security researchers. The name is a combination of "con" and "ficken," the German verb for configure. It's not clear to what degree the Conficker worm is slithering around the world. Reports have suggested that as little as 2.5 million to as many as 10 million PCs have been infected.

Conficker primarily spreads through an unpatched Windows-based network, but it can also be transported from an infected computer via a USB flash drive. It spreads faster over a shared network. If one machine in an organization is infected, the worm can then spread -- even to already patched machines, according to Eric Schultze, chief technology officer of Shavlik Technologies.

"The worm on the infected machine connects to other systems, enumerates their user accounts, and attempts to brute-force guess the passwords for these accounts," he said. "If successful, it then logs on to that machine and copies its worm payload to that machine, where that machine then begins looking for other machines to infect."

A recent Qualys Inc. survey found that more than 50 percent of machines get patched after approximately 30 days. With the end of January approaching, the Conficker worm has already proved its staying power.

The slow patching cycles of many enterprises could be contributing to the spread of the worm, according to Qualys' Chief Technology Officer Wolfgang Kandek. Qualys' scanning data indicates that many machines are not patched yet, more than two months after Microsoft's patch release.

"Overall the IT community is not reacting fast enough," he said. "Patch cycles have to be accelerated. Machines that require longer patch cycles (due to their criticality) need to have additional security settings and/or technologies installed that can help mitigate the effects."

Randy Abrams, director of technical education for ESET, said that most of the infections are coming from the corporate space.

"This means that standard security basics are not being enforced," Abrams said. "Perhaps businesses are not investing in security…. Maybe businesses do not know how to evaluate competent security professionals to put in charge."

Not having the time to patch doesn't cut it, Abrams suggested.

"'We needed time to test' is not an excuse for not having deployed the patch for MS08-067," he explained. "If there is a legitimate reason for not having deployed the patch, then there should be many other layers of defense that should be in place for protection."