Security Watch

Fool Us Once, Conficker....

Plus, Microsoft in a patching spat; PCI makes new rules; Facebook tricks.

• By Jabulani Leffall
• 03/16/2009

The Conficker saga is far from over. In my last blog post I wrote about how the authors of the now infamous Conficker worm might be trying to get Microsoft to raise the stakes on its $250,000 reward for information leading to the discovery of the worm writers. Now it appears Microsoft might have to. Security experts such as Symantec's Peter Coogan and Don DeBolt, director of threat research at CA, along with pontificators from all over the blogosphere are saying there may be a new variant released on April Fools Day -- a release that would be appropriately mischievous on the part of the hackers and annoying for IT administrators. Security gadflies say that on April 1, a fourth incarnation of the worm -- albeit still in the Conficker C series -- could make contact with 500 URL domains out of a randomized pool of 50,000. The new iteration may even emit countermeasures against malware applications and security bots. Specifically the worm may attempt to disable Windows Automatic Update and stop online access to the Windows Security Center.

In the absence of an end-all, be-all patch from Redmond, independent security vendor Enigma Software Group claims to have a no-cost removal solution for Conficker A and B strains. If effective, it could keep the updated worms from communicating with previously infected workstations.

"We've had an international team of anti-spyware, anti-adware, and anti-virus programmers working round-the-clock to design this fix," said Enigma founder and president, Alvin Estevez in an e-mail. "Microsoft's own fixes were not completely effective but we've been able to find the basic structure of the virus and we're providing the 'fix' to those who've been infected, for free."

No one knows where the leak about April Fools' Day came from, whether its misdirection on the part of the worm's authors or overreaction by security experts hocking products and services, one thing is for sure: this won't be the last we've heard of Conficker.

Microsoft Responds to Patch Controversy
Tyler Reguly, senior security engineer at San Francisco-based nCircle, found some surprises on Patch Tuesday night to accompany his usual bad jokes, music and coffee as he tested the fixes.

It seems that the just-released MS09-008, had a vulnerability that nullifies the new patch for Windows DNS server in the event that a server has already been compromised. When I talked to Reguly last Friday about his discovery and Microsoft's response to him, Redmond had not formally made a statement on the matter. Since then, however the software giant has released a highly technical explanation essentially saying that it didn't want to impair DNS functionality to retro-fit systems that may or may not have been infected. Microsoft even went so far to say that when installing an update, the system "has no way of knowing whether the WPAD entry was configured by an administrator or an attacker."

"This is indeed not a scenario the security update, or any security update released by Microsoft, aims to address," the Microsoft post goes on to say. "Security updates are intended to help protect the system against future exploitation, and don't aim to undo any attack that has taken place in the past."

Like Conficker, debate over DNS security issues will likely linger longer than Microsoft and its technology partners would like it to.

PCI Doles Out More New Rules
At least once a quarter, the Payment Card Industry Council release new framework for data security pros that it believes will be clearer and more comprehensive than each of its predecessors. Well, the time has come again as the PCI has just released a new framework that maps the 12 previously mandated security controls outlined in Payment Card Industry Data Security Standards (PCI DSS). Bob Russo, the council's general manager, said in press release that the goal of the new milestones is to give enterprises a primer on PCI DSS compliance. Among the measures these milestones suggest are purging personally identifiable card-authentication data from systems, thus limiting the continual storage of customer information. Other measures revolve around tests for network and application security, user access control and the protection of the stored data that enterprises do have to retain for the purpose of doing business.

There has been some concern in the past that compliance doesn't necessarily mean security; especially given the recent uptick in data breaches. Still, every little bit of new guidance helps.

Microsoft's Facebook Status Update
Speaking of guidance, security and more worms Microsoft is also stepping up its efforts to curtail trying to stamp out the Koobface worm, which is a botnet that burrows into social networking sites, most notably the popular site Facebook. Koobface tries to trick users into clicking on a link included in a so-called message from a so-called friend. Obviously those messages aren't from "friends." It gets even trickier if the link is to a video, which is often passed along by gawkers on Facebook and other sites. In this case, when a user clicks on the link there will be a fake error message asking the user to update to a newer version of Adobe Flash. If the user is curious enough about the video content, that user could be toast.

Indeed as Internet use increases and cloud computing ramps up, tech ecosystems will be full of worms and bugs and IT security pros will have to navigate a world that is propagating in real time.