What would you do if you knew your network only had a week to live?

Crank-defib 
 

We’ve all seen movies where the hero or heroine has just days or hours to live.  This genre is always suspenseful.  Next Wednesday, IT administrators and security folks all over the world may find themselves living an action movie plot.  The highly publicized Conficker worm is set to go off on April 1.  I won't belabor the April Fools jokes that have been inevitably bouncing around the Internet.  Conficker is not a joke.  It is a highly sophisticated piece of malware that has already infected millions of hosts.  No one seems to know exactly what will happen on April 1 when Domain Generation Algorithm, or DGA , is activated.  It can't be good.  At the very least it is going to generate a bunch of traffic and at the worst, well… Here is SRI’s diagram of Conficker C:

Functional-thread-overview

Conficker exploits a known Microsoft vulnerability and affects some of the underlying network protocols we use everyday such as RPC and SMB.  Last week I had an interesting conversation with Tom Cross, Manager of the IBM-ISS X-Force Advanced Research team, and he pointed out that Conficker was going to illuminate the basic, everyday security tasks, like patching and password management, that are integral to today's enterprise networks.  This worm takes advantage of unpatched systems and weak user passwords.  Conficker could be the world's biggest penetration test.

Just like our hero, the IT and security staff’s at networks around the world have just a short amount of time to try and save themselves from possible destruction.  On April 2 we’ll know if this worm was instructive or not.  We will also know which companies took the threat seriously and which companies did not.  So what should you do to protect your network from potential damage?

  • Take steps to discover if you are already infected by Conficker.  One piece of evidence that you might have a Conficker problem is an increase in the number of account lockouts you are seeing.
  • Monitor Active Directory for suspicious activity.
  • Immediately patch all your vulnerable systems.
  • Enforce the use strong passwords in your domain.
  • Do not allow the Internet or partners access to SMB.  
  • Do not allow local, adhoc or peer to peer on your network.  This is one of the primary ways Conficker spreads in networks.  Instead, centrally managed window file sharing. 
  • Use network and host-base IPS to prevent infection or contain the proliferation of the worm if you do become infected.

Nearly 20 years to the day of the release of the infamous Morris worm, Conficker is poised to eclipse all its predecessors and take the title of world's greatest malware.  Are you ready?

Categories: