News

IT 'Negligent' in Patching Worm Hole, Halbheer Says

• By Jabulani Leffall
• 03/05/2009

The worm has plagued Microsoft Windows systems, and Redmond has been issuing warnings ever since the exploit first surfaced in October.

This week, the frustration and fatigue began to show as Halbheer, chief security adviser for Microsoft's Europe, Middle East and Africa Group, lashed out about IT's responsibilities in dealing with the worm.

Halbheer suggested in his blog on Wednesday that Conficker is an issue for the whole IT ecosystem. Moreover, the malware would have been squelched if IT shops had practiced better patch management, or migrated to newer Windows OS versions, he contended.

"We are coming back to my Russian Roulette post back in January," he wrote. "If you decide not to patch or leave it to the admin to decide, in my opinion this is negligent. And now, please, do not tell me that this is a Microsoft-only problem."

When all is said and done, the Conficker worm may prove to be one of the largest and most pervasive botnet bugs ever created. The worm primarily spreads through an unpatched Windows-based network, but it can also be transported from an infected computer via a USB flash drive or other removable hardware devices.

Conficker spreads faster over a shared network. If one machine in an organization is infected, the worm can then spread -- even to already patched machines.

Reacting to Halbheer's defiant post, two security gadflies essentially agreed that IT shops have not reacted quickly enough to the malware attack. Phil Lieberman and Eric Schultze -- who've worked for Microsoft in the past -- said that better enterprise IT management could have prevented Conficker's quick spread. However, neither would completely absolve Microsoft's role.

Moreover, both believe -- as Halbheer pointed out in his blog -- that third-party antivirus software vendors were poorly prepared.

Lieberman, who is founder and president of Los Angeles-based Lieberman Software, faced the wrath of the worm first hand. One of his home machines running Windows XP with Windows Update got infected by Conficker.

"But it did not spread beyond the machine that was infected because we have reasonable passwords on our home machines," he recalled. "For the bad part, we did have Panda antivirus on the machine and it had zero effect and it could not remove the bug."

So what did Lieberman learn in trying to wipe the exploit off his system?

"First, I came to the conclusion that the security group at Microsoft failed miserably to explain exactly and completely how [Conficker] works in terms of what files it modified, how it inserts itself, and most important: how to remove it," Lieberman said. "Their lame answer: use the Microsoft tool to remove and that's great except the virus blocks the Web site."

He added that he eventually loaded the Microsoft software (everything including Defender and One-Care) but there were no discernable positive results.

"For over 12 hours I fought with the virus bug to manually remove it using antivirus and malicious software removal programs with no effect," Lieberman said. "I eventually manually killed it, but my machine was brain damaged so that Internet Explorer could not access Microsoft Update or any other antivirus or support site."

Redmond's cardinal sin, if anything, said Lieberman, is that "Microsoft failed to provide significant information on how to kill the virus manually. It's like, 'Thank you for the user-friendly instructions that were technically useless.'"

Eric Schultze, chief technology officer of Shavlik Technologies of St. Paul, Minn., is usually a fan of Microsoft, lauding the software giant's accomplishments in security and responsiveness to problems. In general, Schultze said that he agrees with Halbheer, whom he refers to as "Roger," that patch management and password controls are everybody's problem. Nevertheless, he scoffs at the notion that every enterprise should be running the "latest and greatest" Windows operating systems.

"Roger seems to not like folks who are running unsupported operating systems, like Windows NT4," Schultze said. "Unfortunately, sometimes the business needs to run older OSes. My beef isn't with those that run older OSes. It's with the way that Microsoft words their security bulletins."

Schultze also surmises that at times Halbheer is simply venting and tends to "stray on this topic," making the argument that Microsoft does have problems but not as severe as other software vendors.

"Microsoft does a better job in their security response process than many other vendors -- no need to fling mud at those that aren't as responsive," Schultze said. "Overall, it sounds as if Roger has had a difficult couple of months."

Microsoft is currently collaborating with other industry organizations, such as AOL, Verisign and Symantec, to form a group to stop the self-replicating worm. Redmond has offered a $250,000 reward for information leading to the whereabouts and ultimate apprehension of the worm's author.