Proactive IT Security
 

"We told you so" - hindsight is usually correct

Introduction

The need to apply security patches to operating systems and applications has been discussed several times in our security articles. The latest piece on this topic, Security patches - an additional security issue, was written as recently as the end of October 2008.

However, recent events show that this is a task that cannot be abandoned.

On 23 October 2008, Microsoft issued one of its rare unscheduled updates, for a security issue in the Windows Server Service.

Malware that exploited this vulnerability was discovered some time later. Recently, several hundred variants of one family of worms, known as Conficker (some security vendors call it Downadup), have been released onto the Internet. Several hundred thousand computers appear to be infected. This makes the Conficker family one of the worst single threats to computer users seen in several years.

In this security article we shall not discuss or analyze Conficker itself. Instead we will use some of the techniques that Conficker deploys as a case study, to examine how one could have protected oneself against this threat.

Conficker as a case study for protection techniques

Vulnerability exploitation

As mentioned in the introduction above, Conficker exploits the vulnerability in the Remote Procedure Call (RPC) handling of the Server Service to compromise unpatched computers. This is done by issuing commands (specially crafted http packets) from the compromised computer to connect to a vulnerable computer. The infection then proceeds by downloading and running the worm, as described below.

Computers on which the patch from October 2008 had been deployed are not vulnerable to this exploit.

It seems risky for any organization to use a patching regime under which patches remain unapplied more than two months after they were released. It may therefore be fair to conclude that organizations which were infected because their computers were vulnerable should review and improve their patching regime.

Single-user computers should have Windows Update set up to download (and install) operating system patches as soon as they are available. Only those that were not configured to automatically download and install patches were vulnerable to the RPC exploit used by Conficker.

  • Recommendation 1: Update your computer(s) as soon as possible after a patch for a vulnerability is available from the software vendor, either by setting up Windows Update to download and install updates automatically, or at least by visiting Windows Update on the web regularly.
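One way to enforce Recommendation 1 on a Windows host and to check how far behind it is, as an added example that is not part of the original article. It assumes an elevated PowerShell prompt and treats 60 days as the "more than two months" limit mentioned above.

```powershell
# Added example, not from the original article. Turns on automatic download and
# install of updates through the Windows Update policy keys, then reports how long
# it has been since the last hotfix was installed. Assumption: 60 days is the limit
# beyond which this host is considered outside the patching window.
$auKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
if (-not (Test-Path $auKey)) { New-Item -Path $auKey -Force | Out-Null }
# NoAutoUpdate = 0 enables automatic updating; AUOptions = 4 means
# "auto download and schedule the install" rather than just notifying the user
Set-ItemProperty -Path $auKey -Name 'NoAutoUpdate' -Value 0 -Type DWord
Set-ItemProperty -Path $auKey -Name 'AUOptions'    -Value 4 -Type DWord

# Patch lag check: days since the most recently installed hotfix
$maxLagDays = 60
$latest = Get-HotFix |
    Where-Object { $_.InstalledOn } |
    Sort-Object InstalledOn -Descending |
    Select-Object -First 1

if ($null -eq $latest) {
    Write-Warning 'No installed hotfixes found; verify that Windows Update is working.'
} else {
    $lag = (Get-Date) - $latest.InstalledOn
    Write-Output ("Latest hotfix {0} installed {1:N0} days ago" -f $latest.HotFixID, $lag.TotalDays)
    if ($lag.TotalDays -gt $maxLagDays) {
        Write-Warning "Patch lag exceeds $maxLagDays days; this host is outside the patching window."
    }
}
```

The lag check is only a coarse indicator: a host that installed an unrelated hotfix last week can still be missing the one that matters, so it complements, rather than replaces, a per-bulletin inventory.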

Running a web server

The worm sets up an http (web) server on compromised computers, so that computers newly compromised by the exploit mentioned above connect to the already compromised one and download the worm from it.

  • Recommendation 2: Restrict access to computers over protocols that are not needed. Rules in the corporate firewall should be set up to accomplish this; on each and every computer it may be achieved by setting up local firewall rules.
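A local firewall configuration in the spirit of Recommendation 2, as an added example that is not part of the original article. It assumes Windows Vista / Server 2008 or later, an elevated prompt, and that 10.0.0.0/24 is a placeholder for the subnet from which administrators legitimately need file sharing.

```powershell
# Added example, not from the original article: local firewall rules for
# Recommendation 2 using "netsh advfirewall". Assumptions: 10.0.0.0/24 is the
# placeholder management subnet; the script runs from an elevated prompt.

# Default policy: drop every inbound connection that no rule explicitly allows.
# With this in place, an unexpected http listener started on the host (like the
# worm's download server described above) is unreachable from its neighbours.
netsh advfirewall set allprofiles state on
netsh advfirewall set allprofiles firewallpolicy blockinbound,allowoutbound

# File and printer sharing (SMB on TCP 445, NetBIOS session on TCP 139) carries
# the RPC traffic handled by the Server Service. Allow it only from the management
# subnet, so ordinary workstations cannot reach each other's Server Service at all.
netsh advfirewall firewall add rule name=SMB-from-mgmt-only `
    dir=in action=allow protocol=TCP localport=445,139 remoteip=10.0.0.0/24

# Verify: the inbound rules now in force, and which TCP ports the host really listens on.
# Anything in the LISTENING list that no rule allows is blocked from the network.
netsh advfirewall firewall show rule name=all dir=in
netstat -ano -p tcp | Select-String 'LISTENING'
```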

Connection to ADMIN$ shares

Conficker also attempts to spread by connecting to available ADMIN$ shares. It carries a list of passwords that it uses to try to log on to the shares. If successful, it copies itself to the share(s) and sets up a scheduled task to run daily.

  • Recommendation 3: Disable ADMIN$ shares on computers. As some applications may depend on the ADMIN$ share, this must be handled with caution.
  • Recommendation 4: Enforce a strong password regime for the users in the organization.
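Recommendations 3 and 4 applied to a single Windows host, as an added example that is not part of the original article. It assumes an elevated prompt and that you have already checked which backup or deployment tools, if any, rely on the ADMIN$ share.

```powershell
# Added example, not from the original article: disable the automatic administrative
# shares (Recommendation 3) and tighten the local account policy (Recommendation 4).
# Assumption: nothing on this host depends on ADMIN$; run from an elevated prompt.

# 1. Show which administrative shares are currently offered. WMI flags them with the
#    high bit (0x80000000) in the Type field.
Get-WmiObject -Class Win32_Share |
    Where-Object { $_.Type -band 0x80000000 } |
    Select-Object Name, Path, Type

# 2. Tell the Server Service not to recreate them on restart: AutoShareWks applies to
#    workstations, AutoShareServer to servers. Setting both covers either case.
$lanman = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
Set-ItemProperty -Path $lanman -Name 'AutoShareWks'    -Value 0 -Type DWord
Set-ItemProperty -Path $lanman -Name 'AutoShareServer' -Value 0 -Type DWord
# Remove ADMIN$ immediately; the keys above keep it from coming back.
net share 'ADMIN$' /delete 2>$null

# 3. Local account policy: long passwords, regular change, a password history, and
#    account lockout so that a worm working through a password list against the share
#    locks the account out instead of eventually getting in.
net accounts /minpwlen:14 /maxpwage:90 /uniquepw:12
net accounts /lockoutthreshold:10 /lockoutduration:30 /lockoutwindow:30

# Password complexity (mixed character classes) is a secedit setting, not a net accounts
# one; export the policy and check that PasswordComplexity = 1.
secedit /export /cfg "$env:TEMP\secpol.inf" | Out-Null
Select-String -Path "$env:TEMP\secpol.inf" -Pattern 'PasswordComplexity'
```

In a domain the same settings belong in the Default Domain Policy (or a fine-grained password policy), where they apply to every account the worm could try rather than to one host's local accounts.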

Malware downloads updates to itself

The worm also has the ability to update itself by connecting to certain web sites and downloading new functionality/updates.

  • Recommendation 5: Restrict access in the firewall (corporate or personal) to only web sites that are approved.

Propagation by USB sticks

Another means of propagation used by Conficker is infected USB sticks. The spreading mechanism deployed through such devices is discussed in our security article from the middle of November 2008, Ghosts from the past resurface through USB sticks.

  • Recommendation 6: Forbid the use of USB sticks in the organization.
  • Recommendation 7: Restrict the use of USB sticks in the organization to only pre-defined sticks.
  • Recommendation 8: Disable Windows' autorun mechanism for USB sticks.
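Recommendations 6 and 8 on a single Windows host, as an added example that is not part of the original article. It assumes an elevated prompt; the switch for blocking USB storage is an assumption you set per host, since, as the conclusion notes, Recommendation 6 and Recommendation 7 cannot both be applied.

```powershell
# Added example, not from the original article: Recommendation 8 (disable autorun for
# removable media) and, optionally, Recommendation 6 (block USB mass storage entirely).
# Assumption: $blockUsbStorage is decided per host. Run from an elevated prompt.

# Recommendation 8: NoDriveTypeAutoRun = 0xFF disables autorun/autoplay for every drive
# type (removable, fixed, network, CD-ROM), so an autorun.inf on a stick is never acted on.
$explorerPolicy = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
if (-not (Test-Path $explorerPolicy)) { New-Item -Path $explorerPolicy -Force | Out-Null }
Set-ItemProperty -Path $explorerPolicy -Name 'NoDriveTypeAutoRun' -Value 0xFF -Type DWord

# Recommendation 6: setting the USBSTOR driver's Start value to 4 (disabled) stops any
# USB disk from mounting at all. Start = 3 (manual / on demand) restores normal behaviour.
$usbstor = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'
$blockUsbStorage = $false   # assumption: set to $true on hosts that must not accept sticks
if ($blockUsbStorage) {
    Set-ItemProperty -Path $usbstor -Name 'Start' -Value 4 -Type DWord
}

# Verify both settings; the autorun change takes effect after the user logs on again.
Get-ItemProperty -Path $explorerPolicy -Name 'NoDriveTypeAutoRun'
Get-ItemProperty -Path $usbstor -Name 'Start'
```

Recommendation 7 (allowing only pre-defined sticks) is a Group Policy device-installation restriction rather than a registry toggle, and is not shown here.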

Peer-to-peer communication

Some analyses also indicate that the worm may use peer-to-peer mechanisms to communicate with other infected computers. An infected computer may thus participate in a network of robots (a botnet).

  • Recommendation 9 (same as 2): Restrict access to allow only the protocols that are needed. This can be accomplished both at the corporate firewall level and on each and every computer.

Other techniques used by Conficker

Conficker uses a series of other techniques to obscure its presence, disable connections to security sites (including Norman's) from infected computers, run each time the computer starts, etc. These, however, are not relevant for the discussion in this security article. We refer to Norman's virus description for further information.

Other recommendations that may prevent similar malware from infecting your network

Virtual LANs (VLANs) can be used to create “virtual” segments in a physical network. The advantage in a scenario such as the one described in this article is that computers in one VLAN cannot communicate with computers in another VLAN. This effectively blocks the propagation of a network worm from one virtual segment to another, even if the computers are on the same physical segment.

Conclusion

As we have seen in this article, there are numerous steps that organizations and individuals can take to protect themselves against some of the techniques that malicious software uses to propagate.

Some of the recommendations above are cumbersome to implement in larger organizations, some cannot be implemented because they would disrupt necessary services, and others are in conflict with each other (e.g. Nos. 6 and 7).

The moral, though, is that everyone should evaluate his/her/its own needs and adapt the security policy accordingly. An active approach to security is needed in order to avoid being compromised by the next variant of the Conficker worm, or - perhaps even more likely - by the next type of worm that is surely already in the making out there.