News

Microsoft Battles Worm, Rebuts CERT Claim

Microsoft is still trying to control the Conficker worm, both the bug itself and news about how it's handling it.

Microsoft is still trying to control the Conficker worm, both the bug itself and news about how it's handling it. Conficker first surfaced in October of 2008 when Redmond patched a flaw in Windows' remote procedure call requests.

On Thursday, Roger Halbheer, chief security adviser for Microsoft's Europe, Middle East and Africa Group, disputed findings in an alert issued by the U.S. Computer Emergency Readiness Team (CERT).

CERT suggested that the Windows AutoRun feature, which could be tapped to run malicious programs in Windows environments, should be disabled. Doing so would limit the spread of bug strains like Conficker. Moreover, CERT described Microsoft's guidelines for disabling AutoRun as ineffective, exacerbating the vulnerability.

Halbheer objected to CERT's claim in his blog post. He pointed to a Knowledgebase article describing how Windows users can disable the AutoRun registry key and prevent incursions from removable media, such as USB flash drives.

Microsoft faces a tall order in getting out the word that a fix exists, while quelling the concerns of users and system administrators. It's a global problem, too.

"Quenching the outbreak is going to be difficult due to the ISPs not wanting to get involved with supervising the traffic of their users," said Phil Lieberman, president of Los Angeles-based Lieberman Software. "Consumers cannot shut down those that are attacking them since they would be legally liable and the government is prohibited from stopping the outbreak because there are no laws that allow it because of offshore control of the botnet."

Lieberman added, "I have to tell you, it's a good day to be a cyber-criminal running a botnet, and an even better day to be an antivirus vendor."

The Conficker worm may be one of the largest botnet bugs ever created. It got its name from a circle of German hackers and security researchers. The name is a combination of "con" and "ficken," the German verb for configure. It's not clear to what degree the Conficker worm is slithering around the world. Reports have suggested that as little as 2.5 million to as many as 10 million PCs have been infected.

Conficker primarily spreads through an unpatched Windows-based network, but it can also be transported from an infected computer via a USB flash drive. It spreads faster over a shared network. If one machine in an organization is infected, the worm can then spread -- even to already patched machines, according to Eric Schultze, chief technology officer of Shavlik Technologies.

"The worm on the infected machine connects to other systems, enumerates their user accounts, and attempts to brute-force guess the passwords for these accounts," he said. "If successful, it then logs on to that machine and copies its worm payload to that machine, where that machine then begins looking for other machines to infect."

A recent Qualys Inc. survey found that more than 50 percent of machines get patched after approximately 30 days. With the end of January approaching, the Conficker worm has already proved its staying power.

The slow patching cycles of many enterprises could be contributing to the spread of the worm, according to Qualys' Chief Technology Officer Wolfgang Kandek. Qualys' scanning data indicates that many machines are not patched yet, more than two months after Microsoft's patch release.

"Overall the IT community is not reacting fast enough," he said. "Patch cycles have to be accelerated. Machines that require longer patch cycles (due to their criticality) need to have additional security settings and/or technologies installed that can help mitigate the effects."

Randy Abrams, director of technical education for ESET, said that most of the infections are coming from the corporate space.

"This means that standard security basics are not being enforced," Abrams said. "Perhaps businesses are not investing in security…. Maybe businesses do not know how to evaluate competent security professionals to put in charge."

Not having the time to patch doesn't cut it, Abrams suggested.

"'We needed time to test' is not an excuse for not having deployed the patch for MS08-067," he explained. "If there is a legitimate reason for not having deployed the patch, then there should be many other layers of defense that should be in place for protection."

About the Author

Jabulani Leffall is an award-winning journalist whose work has appeared in the Financial Times of London, Investor's Business Daily, The Economist and CFO Magazine, among others.

Featured

  • Microsoft Appoints Althoff as New CEO for Commercial Business

    Microsoft CEO and chairman Satya Nadella on Wednesday announced the promotion of Judson Althoff to CEO of the company's commercial business, presenting the move as a response to the dramatic industrywide shifts caused by AI.

  • Broadcom Revamps VMware Partner Program Again

    Broadcom recently announced a significant update regarding its VMware Cloud Service Provider (VCSP) program, coinciding with the release of VMware Cloud Foundation (VCF) 9.0, a key component in Broadcom’s private cloud strategy.

  • Closeup of the new Copilot keyboard key

    Microsoft Updates Copilot To Add Context-Sensitive Agents to Teams, SharePoint

    Microsoft has rolled out a new public preview for collaborative "always on" agents in Microsoft 365 Copilot, bringing enhanced, context-aware tools into Teams channels, meetings, SharePoint sites, Planner workstreams and Viva Engage communities.

  • Windows 365 Cloud Apps Now Available for Public Preview

    Microsoft announced this week that Windows 365 Cloud Apps are now available for public preview. This aims to allow IT administrators to stream individual Windows applications from the cloud, removing the need to assign Cloud PCs to every user.