Got the NAC

January 21, 2009

A Blast From the Past

Even as some 2 million people (myself included) descended on our nation's capital to party like it was 1999, enterprise network admins were reminded this week that the worm party is not yet over.  In the event you've been caught in an inauguration trance, Conficker (aka Downadup, aka Kido) has managed to infect over 9 million computers by some estimates, with the majority of those infections inside corporate networks.  While Conficker is highly blended (including backdoor command and control along with aggressive propagation), the true intent of the malware's authors, beyond rapid spread, does not yet appear known.  However, at least one theory indicates that we'd rather contain and remove this threat before finding out what the authors are really up to.


While we at Mirage take some comfort in the fact that our customer base can detect and contain the Conficker worm with our default out-of-box ruleset, I must admit that I find this latest threat a bit surprising.  I, along with many others, have believed for some time that the days of rapid propagation were over, with malware authors opting for stealthy, long-lived botnets over headline-grabbing infection rates.  Time will tell, I suppose, where this goes and what the authors have in mind.  In the meantime, it's one more reminder that the ability to quarantine must be extended throughout the network access lifecycle, not just at connect time.  Traffic filtering as a post-admission strategy is insufficient for inside-inside propagation that leverages MS Networking (not to mention sneaker nets).  Infection via USB drives also renders fully patched systems vulnerable.  A deep defense is key, and NAC (applied fully throughout the lifecycle) should be the foundation upon which it's built.
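To make the post-admission point concrete, here is an added illustration (not Mirage's ruleset, nor any product's code) of the kind of check a NAC that keeps watching after connect time can run: it reads internal flow records and flags any already-admitted host that fans out to many distinct internal peers on the Windows file-sharing port within a short window, the footprint host-to-host spread over MS Networking leaves. The flow format, the address ranges and the thresholds are assumptions; the sample flows are constructed.

```python
"""Post-admission fan-out check over internal flow records (added example).

A host that was clean at admission can still start spreading later (USB
drop, sneaker net). Connect-time checks never see that; a lifecycle NAC
re-evaluates behaviour. This assumed rule keys on *distinct* internal peers
rather than connection count, so a workstation hammering one file server
is not mistaken for a worm.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Assumed internal address space; adjust to the real enterprise ranges.
INTERNAL = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
            ip_network("192.168.0.0/16")]
SMB_PORT = 445  # MS Networking / SMB over TCP

# Constructed sample flows: (timestamp_seconds, src_ip, dst_ip, dst_port)
SAMPLE_FLOWS = (
    # worm-like: 12 distinct internal peers on 445 within 22 seconds
    [(t * 2, "10.1.1.20", f"10.1.1.{5 + t}", 445) for t in range(12)]
    # normal: one workstation reconnecting to one file server 20 times
    + [(t * 3, "10.1.1.30", "10.1.1.5", 445) for t in range(20)]
    # slow crawl: 10 peers, but 90 s apart, so never many inside one window
    + [(t * 90, "10.1.1.40", f"10.1.1.{50 + t}", 445) for t in range(10)]
    # outbound HTTPS from the infected host: not SMB, ignored by this rule
    + [(5, "10.1.1.20", "203.0.113.9", 443)]
)


def is_internal(ip: str) -> bool:
    """True when the address falls in one of the assumed internal ranges."""
    return any(ip_address(ip) in net for net in INTERNAL)


def find_fanout_hosts(flows, window=60, max_peers=8):
    """Return {src_ip: peak_distinct_peers} for sources that reach more than
    `max_peers` distinct internal hosts on port 445 inside any `window`
    seconds. Only internal-to-internal SMB flows are considered."""
    per_src = defaultdict(list)
    for ts, src, dst, port in flows:
        if (port == SMB_PORT and src != dst
                and is_internal(src) and is_internal(dst)):
            per_src[src].append((ts, dst))

    flagged = {}
    for src, events in per_src.items():
        events.sort()
        peak = 0
        # Sliding window anchored at each event; flows are time-sorted, so
        # the slice stops being in-window once t - t0 exceeds `window`.
        for i, (t0, _) in enumerate(events):
            peers = {dst for t, dst in events[i:] if t - t0 <= window}
            peak = max(peak, len(peers))
        if peak > max_peers:
            flagged[src] = peak
    return flagged


def quarantine_candidates(flows, **kwargs):
    """Hosts the NAC should move to a quarantine role, with the reason."""
    return [(src, f"{n} distinct internal SMB peers in window")
            for src, n in sorted(find_fanout_hosts(flows, **kwargs).items())]


if __name__ == "__main__":
    for host, reason in quarantine_candidates(SAMPLE_FLOWS):
        print(f"quarantine {host}: {reason}")
```

Only 10.1.1.20 is returned: the repeat connections to a single server and the slow crawl stay under the threshold. The slow crawl also shows the rule's blind spot, which is why it belongs alongside, not instead of, the signature ruleset and the USB and patch controls the post argues for.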


Comments

A deep defense is important, but a lot of folks are learning about this after the fact. Often, the user population feels a need to work around the Lords of IT in order to get work done. This worm's success - especially via the USB route - is as much social engineering as it is programming. That said, it's been apparent from the traffic and questions we are getting at downadup.com that a large percentage of downadup "victims" are in fact using unauthorized or pirated Windows installs.

This is a good time to revisit network access. And network security. And the most important link in the network - the user.
