Security Fails of 2009 – Conficker Becomes a Media Darling

Today's post is the third in my series of Security Fails of 2009.  As 2009 draws to a close, I think no one would argue that this has been an extremely eventful year for IT security.  While others will soon be trotting out their “best of 2009” lists, I thought I would instead visit some of the prominent fails of 2009.

Conficker made the jump from malware attack to media darling in 2009, finding its way onto the front page and 60 Minutes.  For those of us who work in the general anonymity of IT security, Conficker (aka Downup, Downandup, Conflicker, and Kido) was one of those things that took on a life of its own and rose quickly into the public consciousness.    

To be accurate, Conficker actually surfaced in November of 2008, but its effect really peaked in 2009.  The Conficker Working Group estimates that 9 million to 15 million PCs are infected with the worm.  Costs have been placed at a wide range of numbers, with some estimates reaching $9B.  The worm was noteworthy for its use of sophisticated techniques to avoid detection and its ability to morph via commands from a well-designed command and control process.  It has been through three iterations, each making it harder to detect and defeat.  It spread rapidly – in May it was reported to be spreading to 50,000 new machines a day – and is widely believed to be the largest worm infection since Slammer in 2003.

What became almost humorous was the effect it had even when it did not do anything.  When the command and control elements of Conficker would stir, there was rampant speculation as to what it would do.  Conficker appeared to be readying for something big on April 1, and the speculation became somewhat comical as predictions ranged from minor attacks to global Armageddon.  Eventually people came to see Conficker in every shadow, with the paranoia coming to a crescendo when Conficker was suspected as the cause when Big Ben stopped just before midnight on March 31.  I wrote then that such blame “makes sense – build a worm, get it distributed to millions of computers worldwide, have it confound the best and brightest of IT security, and then instruct it to stop Big Ben.”

The real lessons of Conficker are many.  First, the worm took advantage of an exploit that Microsoft patched in October of 2008, and many noted that the infection vector was not exceptional, just opportunistic.  The fact that it spread so rapidly and continues to spread illustrates the issues we have in patch management and in maintaining the security readiness of endpoint machines.  In spite of all the research and recommendations, businesses and government agencies still take far too long to close well-known, dangerous gaps in their security.  Second, the sophistication of the worm, its command and control structure, and its evolving nature are all illustrative of the growing sophistication of malicious activity.  Conficker is an attack with the careful engineering of a commercially available application.  Third, the traditional endpoint protections have long been left behind by the growing sophistication of current attacks.  It took far too long to come up with a viable detection process for Conficker, and even longer to come up with a fix.  Most victims have to re-image and start over, at enormous cost when one considers 9M computers.

Finally, Conficker brought IT security issues to the masses.  Lots of people who never considered the security readiness of their PC began to ask some serious questions.  The size and scope of the infection woke people up to the enormous potential of a mass attack.  And the sophistication was instructive to the public as to how malicious attacks have evolved since the days of the Anna Kournikova virus.

Conficker is a noteworthy fail because it all started by leveraging a known exploit that savvy malware writers saw as an easy path to a significant infection that will cost the world billions of dollars.  Best of all, Conficker is still out there on a very large number of machines.  Even in its most benign state, the fact remains that someone controls a huge botnet that has the potential to be used for harm.

Light After the Twitter Eclipse

The day after Twitter went dark has been fun to watch as people scramble to determine the why and who of the attack.  There is a very complete article in ComputerWorld that offers multiple theories.  Richard Stiennon was investigating in real time on the ThreatChaos blog, and his updates were fun to follow.  One theory from Elinor Mills of CNET ties this attack back to the party responsible for the Korean DoS attacks in July.  Another theory says that the attack was focused on one pro-Georgian blogger in an attempt to keep him from spreading his thoughts.  The next several days should prove interesting as more really smart people unravel what happened.

One common theme is the general sense that such an attack was not a particularly hard attack to perform if one had access to a botnet.  Botnets are clearly a widespread issue, and while they often pop up as a vehicle for chaos, there is seemingly not much being done to prevent them or shut down the existing ones.  For a good primer on how botnets are used in a DoS attack, see Elinor Mills' post on the subject.

I also found it interesting that on Tuesday the Marines announced that they were banning Twitter, inciting a lot of second-guessing on Twitter and in the blogosphere.  Two days later the Marines look a little smarter, as this attack showed that the Twitter infrastructure is open to compromise.  While I am sensitive to the fact that Twitter and Facebook allow our soldiers to communicate with home, I have seen enough evidence to know that these applications could also be used to create problems with our information infrastructure at critical times.

Yesterday I arrived at our office and began a conversation with one of my colleagues.  Slowly everyone who was in the office filtered in, and soon we were all engaged in some very interesting conversations about prospects, customers, our product direction, competitors, and the broader market.  It was spontaneous, open, and very refreshing.  I say this because it was a reminder that with all of the ways to communicate – Twitter, Facebook, texting – nothing beats a face-to-face sit down.  I am hoping some folks took the time during the Twitter Eclipse to get re-acquainted with such quaint methods of communication.