On Conficker: The return of the high-profile mass infection worm


Conficker worm

They're back!

It has been a while since we had a good old-fashioned, highly publicised, hysteria-inducing, globally distributed, mass-infecting worm. The AV vendors (here) and (here) must be ecstatic that 2009 is really turning out to be the year of the largest security incidents since the beginning of forever, as I predicted it would be back in January (here).

Of course, you could make that prediction every year for the next 20-30 years and enjoy an 80%+ success rate. It’s like predicting that as social media becomes ubiquitous we will experience more social-media-related security threats, or that as the economic condition worsens it will drive even more financially motivated cybercrime, buoying an already burgeoning digital black market, or that there will be more high-profile data breaches – all no-brainers.

Verizon Business Services posted a well-thought-out response to the hype around Conficker, “Risk, Group Think, and the Conficker Worm” (here), in which they stated…

A very large proportion of systems we have studied, which were infected with Conficker in enterprises, were “unknown or unmanaged” devices. Infected systems were not part of those enterprises’ configuration, maintenance, or patch processes. In one study a large proportion of infected machines were simply discarded because a current user of the machines did not exist. This corroborates data from our DBIR which showed that a significant majority of large-impact data breaches also involved “unknown, unknown” networks, systems, or data.

Richard Bejtlich used the Verizon posting to drive greater awareness of network security monitoring technologies on his TaoSecurity blog (here)…

This, my friends, is the reality for anyone who defends a live network, rather than those who break them, dream up new applications for them, or simply talk about them. If a “very large proportion of systems” that are compromised are beyond the reach of the IT team to even know about them, what can be done? The answer is fairly straightforward: watch the network for them. How can you do that? Use NSM.

I don’t disagree that network security monitoring is an important tool for IT organisations to gain visibility into events that occur in their environments.

My issue with NSM as a response to Conficker infections or “unknown / unmanaged systems” is that it can really only be used to monitor activity within an organisation’s environment – the problem is your network now includes Starbucks, Marriott Hotels, and Virgin American Airlines.