Conficker Worm Technical Analysis

Looking for the latest on Conficker/Downandup today, I came across one of the finest technical papers on a virus I've seen in a long time.

The piece, published by SRI International, is an excellent example of the type of analysis that's needed to bring worms like Conficker to a halt.

For those unfamiliar with SRI International, it's an independent, nonprofit research institute that used to be called the Stanford Research Institute. Their speciality? Conducting client-sponsored research and development.

In short: businesses and governments pay the smart people at SRI to research certain things on their behalf. Nice.

In the case of Conficker, the researchers, Phillip Porras, Hassen Saidi, and Vinod Yegneswaran, performed a deep and thorough technical analysis of Conficker, including:

  • Conficker A
  • Conficker B
  • Conficker C

One of their conclusions?

"...as scan and infect worms go, we have not seen such a dominating infection outbreak since Sasser [6] in 2004. Nor have we seen such a broad spectrum of antivirus tools do such a consistently poor job at detecting malware binary variants since the Storm [4] outbreak of 2007." (emphasis ours)

Clearly, Conficker is a serious threat to computer security. And it's tough to stop.

Anyone not running Internet security software is just racing a clock. In my humble opinion, it's not a question of if infection will happen, it's a question of when.

Why both a firewall and antivirus?

Conficker is an interesting worm in that it infects via multiple methods: via things like USB drives and via networks. This makes for an unusual and challenging combination.

If someone gets their PC at home infected, then brings a USB thumb drive with their work on it into the office, chances are very, very high that the office network will get infected, too, as soon as they plug the USB drive into their office computer.

Once the USB drive is inserted, it "autoruns," and in doing so the virus starts trying to propagate instantly throughout the office network via a bug in the Windows RPC (Remote Procedure Call) service running on port 445. Ouch.

From there, it continues willy-nilly. So back to the original question: why both firewall and antivirus software?

Good firewall software makes it difficult for things to get in or out of your computer. Each computer has 65,536 TCP ports. RPC runs on port 445. Correctly configured firewall software closes the ports on your computer inbound and outbound and only lets in the communications you authorize.

Thus, a firewall is your first layer of defense.

There are cases though, like file and printer sharing, where you have to open up port 445. No port 445, no shared printers. Fine. So you open port 445 and unfortunately, the worm tries to wiggle its way onto your system.

This is where the anti-virus software comes in. Good antivirus software, with updated signatures, should be able to stop the worm in its tracks and prevent further infections from happening--at least from happening because of your computer.

The same is true with USB-based infections. Let's say someone, perhaps a client, brings a USB drive into your office with documents on it. Unfortunately, the USB thumb drive has Conficker on it, too.

In goes the drive into your USB port, and the worm begins trying to wiggle out onto your system and onto the network. As with a network-based Conficker attack, USB-based attacks should be picked up and stopped by your antivirus software, too.

The key is having good antivirus software and keeping its signatures updated. Software from 2007 with old signatures isn't going to be of much use.

Lastly, of great importance in the whole Conficker mess, as the folks at SRI remind us, is patching our OSes:

"Why Conficker has been able to proliferate so widely may be an interesting testament to the stubbornness of some PC users to avoid staying current with the latest Microsoft security patches."

So, in summary:

1. patch your OS (in IE, click Tools, Windows Update)
2. install a software firewall
3. run antivirus software
4. make sure its signatures are updated.
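As an added example (not from the original post or from SRI's paper), here is a PowerShell script that looks for the scan-and-infect pattern described above in Windows Firewall logs: one source address knocking on TCP port 445 of many different machines. It assumes the standard pfirewall.log field layout and that logs from several machines (or a gateway firewall) have been pooled; the log lines embedded in it are constructed samples.

```powershell
# Added example, not the post's own code. Flags hosts that hammer TCP/445 on many
# different machines, which is how a scan-and-infect worm like Conficker spreads.
# Assumes the standard Windows Firewall log layout (%windir%\pfirewall.log) with its
# "#Fields:" header. The lines below are constructed samples, not a real capture.
$sampleLog = @'
#Version: 1.5
#Software: Microsoft Windows Firewall
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2009-02-06 09:15:01 DROP TCP 192.168.1.23 192.168.1.5 1042 445 48 S 2651443011 0 65535 - - - RECEIVE
2009-02-06 09:15:01 DROP TCP 192.168.1.23 192.168.1.6 1043 445 48 S 2651443012 0 65535 - - - RECEIVE
2009-02-06 09:15:02 DROP TCP 192.168.1.23 192.168.1.7 1044 445 48 S 2651443013 0 65535 - - - RECEIVE
2009-02-06 09:15:02 DROP TCP 192.168.1.23 192.168.1.8 1045 445 48 S 2651443014 0 65535 - - - RECEIVE
2009-02-06 09:15:03 DROP TCP 192.168.1.23 192.168.1.9 1046 445 48 S 2651443015 0 65535 - - - RECEIVE
2009-02-06 09:15:03 DROP TCP 192.168.1.23 192.168.1.10 1047 445 48 S 2651443016 0 65535 - - - RECEIVE
2009-02-06 09:16:10 OPEN TCP 192.168.1.7 192.168.1.5 3051 445 - - - - - - - - SEND
2009-02-06 09:16:11 OPEN TCP 192.168.1.7 192.168.1.5 3052 80 - - - - - - - - SEND
'@

function Find-Port445Scanners {
    param([string[]]$Lines, [int]$Threshold = 10)  # distinct targets before we call it a scan
    $targets = @{}   # src-ip -> set of dst-ips it tried to reach on 445
    foreach ($line in $Lines) {
        if ($line -match '^#' -or $line.Trim() -eq '') { continue }   # skip header/blank lines
        $f = $line -split '\s+'
        # field index: 2 action, 3 protocol, 4 src-ip, 5 dst-ip, 7 dst-port
        if ($f.Count -lt 8 -or $f[3] -ne 'TCP' -or $f[7] -ne '445') { continue }
        if (-not $targets.ContainsKey($f[4])) { $targets[$f[4]] = @{} }
        $targets[$f[4]][$f[5]] = $true
    }
    foreach ($src in $targets.Keys) {
        $n = $targets[$src].Count
        if ($n -ge $Threshold) {
            New-Object PSObject -Property @{ Source = $src; DistinctTargets = $n }
        }
    }
}

# On a real machine: Find-Port445Scanners -Lines (Get-Content "$env:windir\pfirewall.log")
# The threshold is lowered to 5 only because the sample is small; 192.168.1.23 is flagged,
# 192.168.1.7 (one normal file-sharing connection) is not.
Find-Port445Scanners -Lines ($sampleLog -split "`r?`n") -Threshold 5 | Format-Table -AutoSize
```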


Microsoft Patch Tuesday: Another Angle

To the uninitiated: Microsoft has one day a month, which they call "Patch Tuesday," when they release bug fixes and patches for their software.

A recent blog post at IT World on Patch Tuesday discusses the once-monthly cycle and asks whether it is often enough.

They claim, perhaps accurately, that most IT security pros say they like the once-monthly cycle because it lets them plan better and lets upper management "manage better." Further, they claim, it actually makes things "more secure" by making things regular.

This is total, complete, utter garbage. Garbage on multiple fronts at that. Here's why:

Just because you as a home user or an IT security pro have updates made available by Microsoft (or any other software vendor for that matter) does not mean you have to apply them the same day they're released!

Let me put it another way...

If Microsoft were to continually release updates as they were ready for release to the public by their developers (rather than sitting on the patches for the arbitrary "Patch Tuesday"), then individual home users and companies alike could choose when to patch things according to their own schedules and computer security needs.

If you're a web hosting company with dozens, hundreds, or even thousands of servers under management, you have a very different set of concerns than a home user with three machines, right?

You also have a different ability to execute tasks. Rightly so.

With that in mind, why not put the power--and the security--in the hands of the customers and let them choose when to patch?

If a company wants to patch on the second Tuesday of each month, they by all means certainly can; however, if a company--or an individual user--has a particular exploit that is of concern to them, and they need to patch their server(s) today, they by all means certainly can.

Plan it. Manage it. It's easy.

But to say that the once-monthly cycle makes it easier for IT shops to manage is absurd bordering on delusional. It literally takes management decisions away from the managers and IT pros and shifts the burden of decision making onto Microsoft.

How does that possibly make sense?

That's akin to saying it's easier for you as a company (or an individual) to plan paying your bills if your bank only makes your money available to you on the second Tuesday of the month!

As an individual--and especially as a business--who knows how many times you get paid in a given month (i.e. the developers said the patches were ready), but the bank (i.e. Microsoft) instead sits on the money (i.e. the patches) 'til the second Tuesday.

For most desktop PCs, security at a fairly basic level boils down to: solid firewall software, good antivirus software installed and updated, OS patches applied, and if you're smart, other software patched, too. Maybe you throw in anti-spyware, too, to be on the safe side. Fine. (If you're really smart, don't run as Administrator, either.)

But at least let home and business users make the decision themselves about their respective security... I'll schedule my own bill payments, thanks.


Conficker Worm Reward Offered by Microsoft

Our blog has been quiet for a few days as we work on putting together some new guides to securing your computer and some other resources to help our visitors secure their PCs--and keep them that way.

We hope to have that wrapped up in a couple of days here, but meanwhile, more news from the Conficker/Downandup front.

Microsoft announced in a press release today they're putting up a tidy reward of $250,000 (US) for info to bring the miscreant[s] to justice. In their press release about the Conficker reward, Microsoft disclosed that they're working with ICANN (Internet Corporation for Assigned Names and Numbers) and "operators within the Domain Name System" to disable sites that are targeted by Conficker.

"To optimize the multiple initiatives being employed across the security industry and within academia, Microsoft helped unify these broad efforts to implement a community-based defense to disrupt the spread of Conficker."

While it's hard to discern from the lawyerese press release exactly what they're doing, there definitely appears to be a concerted effort to stem the tide of this worm. Among the groups involved are:

  • NeuStar
  • VeriSign
  • Afilias
  • Public Internet Registry
  • Global Domains International Inc.
  • M1D Global
  • AOL
  • Symantec
  • F-Secure
  • ISC
  • researchers from Georgia Tech
  • The Shadowserver Foundation
  • Arbor Networks
  • Support Intelligence

Notable on the list to us were the Georgia Tech researchers as well as anti-virus software makers Symantec and F-Secure. We salute the private sector and education researchers for working together on this.

Too bad it takes a worm outbreak to make such an effort happen.

On February 6, 2009, more information was made available by Microsoft about Protecting Windows from Conficker. We encourage our readers to have a look.


Antivirus protection the old-fashioned way...

As most everyone would agree, in this day and age, anti-virus software of some kind is a necessity on your PC. In-the-know PC security experts would even go so far as to say a firewall is necessary, too.

But what most never bother to talk about are other preventative measures--free ones at that--that you can take to make (and keep) your PC significantly more secure.

What most consumers--and even some businesses, too--don't know about Windows 2000, Windows XP, Windows Vista, Windows 7, Windows Server 2003, and Windows Server 2008 is that you can set up different accounts with different levels of permission on the computer.

What's the big deal with this?

Here's the scoop: there are two basic levels of permissions in Windows: Administrator and User. Practically speaking, all accounts in Windows are one of the two. Here's where things go off the rails...

Microsoft, in their infinite wisdom, makes all default user accounts Administrator accounts. This means the user account you originally set up your Windows XP with is an Administrator. Administrator accounts can do virtually anything to the computer.

Administrators can install files. Administrators can kill processes or running programs. Administrators can change the priority of some tasks to make them get more of your machine's horsepower or less.

That doesn't sound so bad, but here's where the plot thickens. Administrator accounts can even hide processes and other things on the machine, and as we already know, Administrators can install programs.

What does that have to do with viruses? Well, what is a virus really other than a program with malicious intent?

Thus, many viruses, since they're nothing but evil programs, actually rely on your account being an Administrator for them to even function!

So, long story short: since Administrator accounts are needed (in many cases) to have the permission to install the virus, trojan, worm, spyware/adware, or other malware in the first place, what would happen if you weren't an Administrator?

Elementary, my dear Watson.

You make it harder for your computer to get infected in the first place. Much harder, in fact. There's a really interesting piece over at Computerworld about the benefits of removing administrator rights and running as a regular user. One company, BeyondTrust Corp, is quoted in the article as saying,

"When BeyondTrust looked at the vulnerabilities patched for Microsoft's browser, Internet Explorer (IE), and its application suite, Office, it found that 89% of the former and 94% of the latter could have been stymied by denying users administrative privileges."

Wait a second here... you mean to say something like 90% of the vulnerabilities could have been mitigated just by using the right user account on my computer?

Couple that with Internet security software, and you've got a really solid level of protection against most viruses and most other computer security threats.

OK, now that we understand there's something else you can do to prevent viruses from getting onto your computer, the question is: how do you make an ordinary User account that doesn't have Administrator rights, and how do you use it?

The single most important thing to remember is this: you must keep at least one Administrator account on your computer, so DO NOT delete the one you're using now.

Secondly, if you're going to try this, bear in mind that things can go wrong--horribly wrong in some cases--when you try to deal with accounts and permissions issues. If it breaks, you're on your own.

Here are Microsoft's instructions on how to create & configure user accounts in Windows XP.

Once you have your new account made, you may need to grant permissions to that new account to run the various programs you intend to run.

To do this, you'll need to either log out and back in as the Administrator, grant permissions, then log out as Administrator and back in as your new User account -OR- familiarize yourself with Microsoft's "RUN AS" command, which temporarily lets your current user account do a certain task as Administrator without the pain of logging out and back in.

Now that you've gotten that far, start using the regular "User" account to perform your ordinary day-to-day tasks. After a couple of days of use, you will probably have encountered just about all of the little permissions snags where you need to grant permission to such-and-such software for your new User account to function.

Then, when you purchase new software and need to install it, just log in temporarily as your Administrator account, install the software, and grant your new User account permission. Then when you log in as that User, you'll have the benefits of both your new software and significantly increased computer security over and above your antivirus software.
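As an added example (not from the original post or from Microsoft's instructions), here is a PowerShell script that audits which accounts hold Administrator rights on the local machine and tells you whether the account you are logged in with is one of them, which is the state the post says to avoid for day-to-day work. It assumes PowerShell is installed (available for XP SP2 and later) and uses the built-in ADSI WinNT provider; the only group name it relies on is the built-in Administrators group.

```powershell
# Added example, not the post's own code. Lists the members of the local
# Administrators group and checks whether the current session is running with
# Administrator rights. Uses the ADSI WinNT provider, which exists on XP/2003 and later.
function Get-LocalAdministrators {
    param([string]$ComputerName = $env:COMPUTERNAME)
    $group = [ADSI]"WinNT://$ComputerName/Administrators,group"
    foreach ($member in @($group.psbase.Invoke('Members'))) {
        # Members come back as raw COM objects, so read Name and Class via reflection.
        $name  = $member.GetType().InvokeMember('Name',  'GetProperty', $null, $member, $null)
        $class = $member.GetType().InvokeMember('Class', 'GetProperty', $null, $member, $null)
        New-Object PSObject -Property @{ Name = $name; Type = $class }
    }
}

function Test-CurrentUserIsAdmin {
    # On Vista and later with UAC on, an Administrator's non-elevated session reports
    # $false here (its token is filtered); on XP an admin account always reports $true.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

"Accounts with Administrator rights on $env:COMPUTERNAME:"
Get-LocalAdministrators | Format-Table Name, Type -AutoSize

if (Test-CurrentUserIsAdmin) {
    Write-Warning "This session has Administrator rights. Use a standard User account for day-to-day work."
} else {
    Write-Host "Good: this session has no Administrator rights."
}

# To do one administrative task from the standard account without logging out
# (the RUN AS approach the post mentions), e.g. open Add/Remove Programs:
#   runas /user:$env:COMPUTERNAME\Administrator "control appwiz.cpl"
```

Every extra name listed by Get-LocalAdministrators is an account whose malware would run with full rights, so the list should normally contain only the built-in Administrator and the one account you keep for installs.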


Security patches in Firefox 3.0.6, upgrade urged

Well my dear computing friends, there's a new release of Firefox out: 3.0.6.

This release of Firefox brings a number of security fixes of different levels of priority, four of which are 'moderate', 'high', or 'critical' in nature.

For those of you who are new readers of our blog, we recommend Firefox over Internet Explorer, but as with quite literally any software you run, there is a chance of security issues.

When it comes to your web browser, these security risks are multiplied many times over, since it is the web browser that most of us use for most of our interaction with the net (the second most being our email client: Outlook, Thunderbird, Eudora, or similar).

When it comes to your web surfing, choosing a browser like Firefox and an email client like Thunderbird can mean a significantly improved, safer web browsing experience.

Combine that with an Internet security suite, and you've got a winning combination for complete computer security.

If you haven't yet had a chance to Download Firefox, 3.0.6 is a good release. At the very least, have a look at that link and our rationale behind why we (and many others) choose Firefox over Internet Explorer. For those so inclined, here's a complete list of Firefox 3.0.6 security patches along with the Firefox 3.0.0 release notes.