Conficker/Downadup Worm: How Prepared are you?
Recently we have had some firsthand experience helping clients deal with the Downadup/Conficker worm that has been causing mass infections. For more details on the worm, check out some background at CA and F-Secure. Considering the way this worm propagates, it’s safe to say that many organizations are going to be impacted, some severely. F-Secure (amid some controversy) extrapolates and postulates that the worm has around 9 million infections as of Jan 16 2009. On Jan 23 F-Secure saw over 1 million unique sink-holed connections, up 287% from the previous Friday.
So why is this worm affecting organizations more than any other?
The simplest answer is the worm's aggressive propagation through multiple attack vectors at once: removable media (USB drives and similar, via an autorun.inf that AutoRun executes on insertion), Microsoft Networking (SMB shares reached with weak passwords), and a vulnerability on unpatched systems (MS08-067, the Server service RPC flaw Microsoft patched in October 2008). Any one of these would be a nuisance; together they mean that an organization with good patch management but lax anti-virus, or good anti-virus but weak passwords, still feels the effects. An organization truly needs a defense-in-depth approach to security and good control of network and configuration management to keep the worm's impact to a minimum.
The worm is also not very interested in being quiet about its attack. When it connects to other systems via Microsoft Networking it tries to gain administrator access to the ADMIN$ share by brute-forcing credentials with a built-in list of common passwords, and every wrong guess counts against the account lockout threshold. Nothing screams "look at me" more than locking out the accounts of thousands of Active Directory users for several days. I often wonder whether the worm would have garnered this much attention within organizations if it did not impact business so much. The most visible symptom on a corporate network is, of course, the account lockouts, but the underlying security issues it illuminates are even more telling.
When thinking about the worm's most effective propagation vector, consider the following. If we assume that "users are users" and it is hard to stop them using external USB storage devices, then the fastest the worm should spread in a well-patched and relatively hardened environment is the speed at which people share USB devices, maybe ten or twenty infected systems each week or so. The actual rate of spread within organizations, typically 100% infection within a couple of days, means the other two attack vectors are EXTREMELY effective, which in turn points to a weak posture in patching and/or password complexity. Organizations that are severely impacted should clean up the current infection and then investigate strategies that make their network more resilient to future attacks. It takes time to remove the infestation and bring the systems up to current specification, and it takes time and money to redesign the network, processes, and controls, and to obtain the technology that ensures the problem doesn't happen again.
In the short term, the triage process leverages patching and anti-virus systems to do the legwork and stop the bleeding. Once the worm is on a system, an anti-virus tool is going to be the most effective way to clean it up. Make sure ALL anti-virus signature servers are working, up to date on signatures, and not infected themselves (an infected update server that can no longer reach the vendor will quietly leave every client behind). Although this seems obvious to many readers, our experience has shown that it is still a major shortfall for small to medium-size businesses. Once any AV issues are fixed, patch and disinfect any system characterized as a "server" and any system that Domain Administrators log on to, since a single compromised admin session hands the worm valid credentials for the whole domain. Use group policy to push out (well-tested) remediation scripts globally so that client systems receive both operating system patches and anti-virus signatures. US-CERT published an article that explains how to thoroughly disable AutoRun/AutoPlay; note that the commonly cited NoDriveTypeAutoRun registry setting alone does not stop autorun.inf on every drive type, which is why the US-CERT guidance goes further. It is important to completely disable AutoRun/AutoPlay, as this is one of the main ways the worm ends up in an organization in the first place. The organization can also use the Active Directory logs to find infected systems: the account lockout events on the domain controllers (event ID 644 on Windows Server 2003, 4740 on Windows Server 2008) record the caller machine name, which is the host doing the guessing rather than the domain controller. Because every lockout is forwarded to the PDC emulator, its Security log gives the complete picture. A legitimate user typically locks out one account (their own) from one machine; a worm locks out many different accounts from one machine, and just a few infected systems can generate huge numbers of lockouts.
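The lockout triage described above, as an added example that is not from the original post: a small Python script that reads a domain-controller Security log export, keeps only the account-lockout events (644 on Windows Server 2003, 4740 on Windows Server 2008), and ranks the caller machines by how many distinct accounts each one has locked out. The export format, host names, account names and the lockout threshold are constructed for illustration; a real export from Event Viewer or a log collector will need the field names adjusted.

```python
import re
from collections import defaultdict

# Constructed sample of a Security log export from three domain controllers
# (not real data). 644 / 4740 are "account locked out"; 529 is an ordinary
# logon failure and is included as noise that the parser must ignore.
SAMPLE_LOG = """\
2009-01-20 08:12:03,DC01,644,User Account Locked Out,Target Account Name: jsmith,Caller Machine Name: WKS-0412
2009-01-20 08:12:04,DC01,644,User Account Locked Out,Target Account Name: mlee,Caller Machine Name: WKS-0412
2009-01-20 08:12:05,DC01,529,Logon Failure,User Name: mlee,Workstation Name: WKS-0412
2009-01-20 08:12:09,DC01,644,User Account Locked Out,Target Account Name: rkhan,Caller Machine Name: WKS-0412
2009-01-20 08:13:41,DC02,644,User Account Locked Out,Target Account Name: jsmith,Caller Machine Name: WKS-0412
2009-01-20 08:15:22,DC02,644,User Account Locked Out,Target Account Name: pwong,Caller Machine Name: LAPTOP-17
2009-01-20 08:20:00,DC03,4740,A user account was locked out,Target Account Name: ahall,Caller Computer Name: FILESRV02
2009-01-20 08:20:01,DC03,4740,A user account was locked out,Target Account Name: bnovak,Caller Computer Name: FILESRV02
2009-01-20 08:20:02,DC03,4740,A user account was locked out,Target Account Name: cdiaz,Caller Computer Name: FILESRV02
2009-01-20 08:20:03,DC03,4740,A user account was locked out,Target Account Name: dfox,Caller Computer Name: FILESRV02
"""

LOCKOUT_EVENT_IDS = {"644", "4740"}
TARGET_RE = re.compile(r"Target Account Name:\s*(\S+)")
# 2003 calls the field "Caller Machine Name", 2008 "Caller Computer Name".
CALLER_RE = re.compile(r"Caller (?:Machine|Computer) Name:\s*(\S+)")


def parse_lockouts(log_text):
    """Yield (timestamp, dc, target_account, caller_machine) for lockout events only."""
    for line in log_text.splitlines():
        parts = line.split(",", 4)
        if len(parts) < 5 or parts[2] not in LOCKOUT_EVENT_IDS:
            continue
        target = TARGET_RE.search(parts[4])
        caller = CALLER_RE.search(parts[4])
        if target and caller:
            yield parts[0], parts[1], target.group(1), caller.group(1)


def rank_lockout_sources(log_text):
    """Return [(machine, lockout_count, distinct_accounts)] sorted most suspicious first.

    Distinct accounts is the better signal: a user fat-fingering a password locks
    out one account, a worm guessing against ADMIN$ locks out many from one host.
    """
    counts = defaultdict(int)
    accounts = defaultdict(set)
    for _ts, _dc, target, caller in parse_lockouts(log_text):
        counts[caller] += 1
        accounts[caller].add(target)
    return sorted(
        ((m, counts[m], len(accounts[m])) for m in counts),
        key=lambda row: (-row[2], -row[1], row[0]),
    )


def likely_infected(log_text, min_distinct_accounts=3):
    """Machines that locked out at least min_distinct_accounts different accounts.

    The threshold is an assumption for this example; tune it to the environment.
    """
    return [m for m, _n, distinct in rank_lockout_sources(log_text)
            if distinct >= min_distinct_accounts]


if __name__ == "__main__":
    for machine, n, distinct in rank_lockout_sources(SAMPLE_LOG):
        print(f"{machine:12s} lockouts={n:3d} distinct_accounts={distinct}")
    print("investigate first:", likely_infected(SAMPLE_LOG))
```

On the constructed sample FILESRV02 and WKS-0412 come out on top (four and three distinct accounts respectively), while LAPTOP-17, with a single locked-out account, looks like an ordinary user mistake. Pull the top machines off the network first; the number of lockouts per host will keep climbing until you do.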
It's easy to focus on the cleanup process, but it is also important to remember that the worm has an ulterior motive: to initiate a command and control connection to an unknown entity on the Internet. An organization needs to ensure extremely strict outbound (egress) filtering is in place so that the worm cannot initiate these connections. Companies should implement an authenticated proxy solution to allow users to access the Internet, with the firewall permitting direct outbound web traffic only from the proxy itself. Not many (if any) viruses or worms are advanced enough to take advantage of custom user proxy settings, so an infected host will try to go out directly and be denied. That has a useful side effect: the firewall's log of denied direct outbound attempts becomes a list of hosts to look at. If proxy-aware malware does become popular, a content-filtering program should help restrict outbound connections to only "known good" sites.
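To show the egress-filtering point in working code, here is an added example that is not part of the original post. It assumes a default-deny egress policy on a Linux firewall where only the proxy (10.20.0.5 in this constructed example) may reach TCP 80/443 directly, and everything else is logged with an "EGRESS-DENY" prefix and dropped. The script parses the resulting kernel log lines, ignores the proxy, and ranks internal hosts by how many distinct external destinations they tried to reach directly. The addresses and log lines are constructed; a real firewall will need the prefix and field names adjusted.

```python
import re

# The egress policy this example assumes (iptables syntax, shown for context):
#   iptables -A FORWARD -s 10.20.0.5 -p tcp -m multiport --dports 80,443 -j ACCEPT
#   iptables -A FORWARD -p tcp -m multiport --dports 80,443 -j LOG --log-prefix "EGRESS-DENY "
#   iptables -A FORWARD -p tcp -m multiport --dports 80,443 -j DROP
ALLOWED_EGRESS_SOURCES = {"10.20.0.5"}   # the authenticated proxy (constructed address)

# Constructed sample of the firewall's kernel log (not real traffic). The ACCEPT
# line from the proxy is included to show it is filtered out, and the field set
# is trimmed to what the parser needs.
SAMPLE_FW_LOG = """\
Jan 23 10:04:11 fw1 kernel: EGRESS-DENY IN=eth1 OUT=eth0 SRC=10.20.30.40 DST=203.0.113.17 PROTO=TCP SPT=1045 DPT=80 SYN
Jan 23 10:04:12 fw1 kernel: EGRESS-DENY IN=eth1 OUT=eth0 SRC=10.20.30.40 DST=203.0.113.18 PROTO=TCP SPT=1046 DPT=80 SYN
Jan 23 10:04:13 fw1 kernel: EGRESS-DENY IN=eth1 OUT=eth0 SRC=10.20.30.40 DST=198.51.100.9 PROTO=TCP SPT=1047 DPT=443 SYN
Jan 23 10:04:15 fw1 kernel: EGRESS-DENY IN=eth1 OUT=eth0 SRC=10.20.31.7 DST=203.0.113.17 PROTO=TCP SPT=3301 DPT=80 SYN
Jan 23 10:04:20 fw1 kernel: EGRESS-ACCEPT IN=eth1 OUT=eth0 SRC=10.20.0.5 DST=203.0.113.17 PROTO=TCP SPT=41122 DPT=80 SYN
Jan 23 10:05:02 fw1 kernel: EGRESS-DENY IN=eth1 OUT=eth0 SRC=10.20.30.40 DST=203.0.113.17 PROTO=TCP SPT=1048 DPT=80 SYN
"""

LINE_RE = re.compile(r"EGRESS-(DENY|ACCEPT)\s+(.*)$")


def parse_egress_log(log_text):
    """Turn each EGRESS-* line into a dict of the fields we care about."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        # Tokens are KEY=VALUE; flags such as SYN or DF have no '=' and are skipped.
        fields = dict(tok.split("=", 1) for tok in m.group(2).split() if "=" in tok)
        if "SRC" not in fields or "DST" not in fields:
            continue
        events.append({
            "action": m.group(1),
            "src": fields["SRC"],
            "dst": fields["DST"],
            "proto": fields.get("PROTO"),
            "dpt": int(fields["DPT"]) if "DPT" in fields else None,
        })
    return events


def direct_egress_offenders(log_text, allowed_sources=ALLOWED_EGRESS_SOURCES):
    """Rank internal hosts that tried to bypass the proxy.

    Returns [(src, attempts, distinct_destinations, sorted_ports)], most
    suspicious first. Many distinct destinations from one host in a short
    window is what a worm hunting for its controller looks like.
    """
    stats = {}
    for ev in parse_egress_log(log_text):
        if ev["action"] != "DENY" or ev["src"] in allowed_sources:
            continue
        s = stats.setdefault(ev["src"], {"attempts": 0, "dests": set(), "ports": set()})
        s["attempts"] += 1
        s["dests"].add(ev["dst"])
        s["ports"].add(ev["dpt"])
    rows = [(src, s["attempts"], len(s["dests"]), sorted(s["ports"]))
            for src, s in stats.items()]
    return sorted(rows, key=lambda r: (-r[2], -r[1], r[0]))


if __name__ == "__main__":
    for src, attempts, dests, ports in direct_egress_offenders(SAMPLE_FW_LOG):
        print(f"{src:14s} denied={attempts:3d} distinct_dests={dests} ports={ports}")
```

On the constructed log, 10.20.30.40 is denied four times against three different destinations and sorts to the top; 10.20.31.7 made a single attempt and may just be a misconfigured browser. Either way, nothing on the inside except the proxy should be talking to the Internet directly, so every host on this list deserves a look.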
Once an organization has cleaned up the infestation, it should do a post-mortem analysis and see what controls, changes, and processes can be implemented or upgraded to ensure this type of event does not happen in the future. Clear Skies recommends that organizations focus on proactive planning and strategies regarding Network and Security Architecture, Configuration Control, Anti-Virus program, System Hardening and Standard Builds, and Emergency Response Planning.
Even if you have not been impacted by the Downadup/Conficker worm this time around, you should assess how you would deal with a threat like this within your organization in the future. If you were affected by the worm, reflect on how you dealt with it and how you would handle the next one. As vulnerabilities emerge, systems need to stay current on security updates and patches. Imagine a worm released in the coming months that exploits a recently patched vulnerability such as MS09-001 (the SMB remote code execution flaws Microsoft patched in January 2009). Are you patched and prepared to handle that?