Posted by John Kindervag on March 23, 2009
We’ve all seen movies where the hero or heroine has just days or hours to live. This genre is always suspenseful. Next Wednesday, IT administrators and security folks all over the world may find themselves living an action movie plot. The highly publicized Conficker worm is set to go off on April 1. I won't belabor the April Fools jokes that have been inevitably bouncing around the Internet. Conficker is not a joke. It is a highly sophisticated piece of malware that has already infected millions of hosts. No one seems to know exactly what will happen on April 1 when Domain Generation Algorithm, or DGA , is activated. It can't be good. At the very least it is going to generate a bunch of traffic and at the worst, well… Here is SRI’s diagram of Conficker C:
Conficker exploits a known Microsoft vulnerability and affects some of the underlying network protocols we use everyday such as RPC and SMB. Last week I had an interesting conversation with Tom Cross, Manager of the IBM-ISS X-Force Advanced Research team, and he pointed out that Conficker was going to illuminate the basic, everyday security tasks, like patching and password management, that are integral to today's enterprise networks. This worm takes advantage of unpatched systems and weak user passwords. Conficker could be the world's biggest penetration test.
Just like our hero, the IT and security staff’s at networks around the world have just a short amount of time to try and save themselves from possible destruction. On April 2 we’ll know if this worm was instructive or not. We will also know which companies took the threat seriously and which companies did not. So what should you do to protect your network from potential damage?
Take steps to discover if you are already infected by Conficker. One piece of evidence that you might have a Conficker problem is an increase in the number of account lockouts you are seeing.
Monitor Active Directory for suspicious activity.
Immediately patch all your vulnerable systems.
Enforce the use strong passwords in your domain.
Do not allow the Internet or partners access to SMB.
Do not allow local, adhoc or peer to peer on your network. This is one of the primary ways Conficker spreads in networks. Instead, centrally managed window file sharing.
Use network and host-base IPS to prevent infection or contain the proliferation of the worm if you do become infected.
Search Forrester's Blogs
Free Mobile Mind Shift Webinar Series
Learn how to win your customers' mobile moments in this three-part series »
Free On-Demand and Live Events
Latest events from Forrester analysts, online and in person. »