Kaspersky Lab researchers found a small number of unique IP addresses on the peer-to-peer network, suggesting the worm isn’t as large as previously thought.
It seems that Conficker/Downadup isn’t all that it was cracked up to be. Dennis Fisher of Kaspersky Lab’s Threatpost.com confirms what some have been suspecting all along: The Conficker botnet is much smaller than security researchers originally believed. An analysis by Kaspersky Lab researchers found “200,652 unique IP addresses on the P2P network, which comprises machines that are infected with the latest variant of Conficker,” according to Fisher’s post.
In a blog post, Kaspersky Lab virus analyst Georg Wicherski wrote that “only a fraction of the nodes infected with earlier variants have been updated with new variants.” Wicherski used a custom application to monitor the network. He noted in his post that Brazil and Chile stand out as having the largest numbers of P2P nodes.
Back in January I wrote about my access to TippingPoint’s ThreatLinQ service. ThreatLinQ can be accessed by TippingPoint IPS customers. The ThreatLinQ data I saw suggested to me the threat wasn’t a major one. ThreatLinQ is essentially a portal that shows global threat data caught in TippingPoint’s DVLabs’ IPS filters. It can rank threats on a global scale and by country. It also shows how other TippingPoint customers are using their IPS and what is being blocked by default.
The time period I had a view of the global Conficker data was Jan. 26/27. This was a time period when most security researchers said Conficker infections had peaked and some, including researchers at F-Secure, noted the botnet could be as large as 10 million machines.
At the time, attempts to attack the Microsoft RPC vulnerability ranked No. 5 of all threats globally in the TippingPoint IPS honeypot data. It wasn’t even close. Attempted attacks were in the hundreds of thousands, versus the MS-SQL: Slammer-Sapphire Worm, which was picked up globally more than 32 million times in TippingPoint’s honeypots.
I noted that Brazil, Chile and some countries in Asia and Eastern Europe seemed to have the most Conficker infections. Those are countries where software piracy is rampant and machines are not likely to get the MS08-067 RPC patch.
Conficker may have been a worm that fascinated researchers because it spread so quickly, but once the spotlight was shone on it, it sputtered out. Why? The Conficker Working Group appeared to have a good handle on this one, and perhaps their efforts to disrupt the worm’s ability to receive its orders worked. Researchers told me the P2P method of receiving orders is just too slow for Conficker to be a major threat.
A worm attack designed by a 17-year-old hoping to promote a rival social network wreaked havoc on Twitter, but also highlighted the importance of finding and repairing Web application flaws.
A 17-year-old hacker claimed responsibility for attacking the Twitter microblogging service, crippling thousands of accounts with a worm designed to promote his social network.
The worm spread via a social engineering technique. The hacker first tricked users into clicking on a link to a rival social network. The link infected machines and exploited a cross-site scripting error to use the victim’s profile list to broadcast the malicious link to other users.
The attack was another example of the threat against social networks, where users post data that could be harvested and potentially valuable on the black market. Users of Facebook, MySpace and other social networks have been targeted by phishing attacks serving up malware designed to steal address books and other sensitive data. Experts say it’s easy to be duped by a malicious link or fall victim to Web application attacks within social networks.
In a message to Twitter users, the company’s co-founder Biz Stone said the attack was similar to the Samy worm, which spread on MySpace. “No passwords, phone numbers, or other sensitive information was compromised as part of these attacks,” Stone wrote in a blog entry.
The attack began at 2 a.m. on Saturday. It spread for about 3.5 hours until Twitter’s security team could identify and eradicate the worm. About 90 accounts were compromised. A second wave compromised another 100 accounts. Attacks continued with another wave on Sunday and again on Monday, prompting the security team to delete about 10,000 tweets that could have continued to spread the worm.
“Every time we battle an attack, we evaluate our Web coding practices to learn how we can do better to prevent them in the future,” Stone said. “We will conduct a full review of the weekend activities. Everything from how it happened, how we reacted, and preventative measures will be covered.”
The attack is a reminder of the need to address Web application errors now, so developers of these applications clean up their poor coding practices. The OWASP Foundation has taken the lead on spreading the word to developers and companies using Web applications about the importance of security. But volunteers can’t do it all on their own. At some point social networks may need to band together to mop up coding errors and guard against attacks in a coordinated manner. They owe it to their customers, who have remained loyal even in the face of ongoing threats.
It is budget cutting time. Companies in all industries are looking for ways to save money in a down economy. Security analysts say companies are slowing ongoing projects and delaying others signaling the acceptance of more risk.
Security pros who attended the two-day SecureWorld Expo on March 25-26 in Boston learned about a number of ways to keep sensitive systems locked down while trimming their already tightening budgets.
Candy Alexander, CISO at Long Term Care Partners LLC, urged attendees of her session, “Security compliance program on a shoe string budget,” to develop a framework using the guidelines outlined by NIST. Alexander said NIST would be a cheaper option than the ISO standard. Although the benefits of ISO over NIST, or vice versa, are debatable, ISO is also not a widely adopted standard in the U.S., she said.
While much of the information doled out during the 45-minute presentation was basic, it certainly could serve as a starting point for some security pros looking for ways to keep systems secure despite a tightening budget. The most important piece of the talk: Know your data. Know where it is. Know how it flows through your systems. It’s so simple, yet time after time I hear that many data breaches happen because an attacker found a hole in a database that IT didn’t even know existed.
A friend who works for a major university in Massachusetts told me that in the first few weeks on the job he followed the basic steps of identifying the most sensitive information, where it was and how well it was protected. During the process he found a database containing thousands of credit card transactions in a small office off one of the university’s dining facilities. It had been there for years. Few knew it was there and those that did — dining facility staff with little technical expertise — didn’t realize the data residing on it was so sensitive.
Having a sound security policy and enforcing that policy was also one of the takeaways from the expo. Although it’s another fundamental part of being a security professional, we’ve heard countless times that some organizations have policies that they downloaded off a website and rarely refer to them or educate end users about them. Charles Cresson Wood, a consultant at InfoSecurity Infrastructure Inc., a Mendocino, Calif.-based consultancy, gave the SecureWorld keynote, urging those listening to rethink their security policies. If an organization doesn’t have policies that align with business objectives, then they should be written with that in mind, Wood said.
Wood advised attendees to conduct an annual risk assessment tying it into the company security policies. He said some of the best security programs also create an environment that fosters higher security standards among employees. Management plays a big role, he said.
Finally, an information security officer tag team of Leilani Lauger of Loyola University and Morey Straus of NHHEAF Network Organizations tackled ways CISOs can do their job frugally. Straus said CISOs can consider managed security services and should also take a look at the company’s existing contracts with third-party vendors. Some of them may be able to be renegotiated at a cost savings, he said. Straus said CISOs can also help foster the culture of valuing information security by acting “less as a cop and more like a guide.” Lauger said security pros should also design training programs that are interesting and replace outdated posters and material with fresh content on a regular basis. Send out security messages in multiple forms, not just weekly email messages or security posters, she said.
I’ll throw in my nickel’s worth (two cents just isn’t worth anything) on Cisco’s announcement that its IronPort email security — long available in a series of top-shelf appliances — would be offered as a managed service.
This was a necessary, even defensive move for Cisco, when you look at it from a market perspective. Email security as a service, which has been very popular among SMBs, is getting more traction among enterprises as they look at which tasks they can offload comfortably without violating or changing security policy.
So the hybrid approach may be particularly appealing to enterprises. It’s one of three options, along with a hosted model in which the appliance is managed in a Cisco data center and a managed service in which Cisco manages boxes on the customer’s premises. The hybrid approach takes the chore of managing inbound filtering off the enterprise’s shoulders, while allowing the customer to keep control over outbound data for DLP and encryption. It’s relinquishing that outbound piece that often makes enterprise security managers’ blood run cold.
SaaS, on the other hand, does more than take over the administrative chores and the care and feeding of more boxes on your network. The pay-as-you-go model lets you treat email security as an operating expense. Laid off 1,000 people? Ratchet down. Good times coming? Ratchet back up. Consider whether your email security vendor can offer that kind of flexibility or comparable value if you are looking to move to some services model.
Cisco isn’t offering any new security capabilities, but to my way of thinking, if I were a vendor (thanks, but no, I prefer poverty) I’d want to tell my customers they can get the same level of security whether they buy appliances or contract for services — and IronPort appliances are considered first-rate.
So, Cisco had to start offering their email security as a service. Symantec acquired a full-blown leading SaaS vendor in MessageLabs, in addition to its own appliance and software options. Symantec already offers a stronger DLP combo than Cisco, through its acquisition of Vontu, but IronPort offers more formidable Web security.
McAfee, another big security competitor, applied some considerable pressure when it bought rival Secure Computing, which, in turn, got into the email security business by acquiring CipherTrust. McAfee also offers a hosted service option and a mix-and-match of hybrid combinations (the major appliance vendors also offer virtual appliances, which Symantec says may already account for as much as 20% of its appliance business).
Proofpoint, one of the increasingly rare major independent pure-play email security vendors, offers both appliances and hosted services.
This is getting down to the nitty-gritty. The email security market is pretty well consolidated, both on products and service-based options. SaaS vendors like Google and Symantec’s MessageLabs are gobbling up SMB contracts. At the high and mid-high ends of the market, in particular, competitors are going to have to offer a mix of very robust options at attractive prices.
There were only two of us on the graveyard shift.
“If it’s not locked up,” a colleague at my first newspaper declared as he snatched a folder of papers from our boss’ desk and strode towards the office copying machine, “Xerox it.” (Old-tongue for photocopy.)
That was long before CDs, and USB drives and, certainly, iPods, but the lesson was the same. If you are stupid about protecting company information, shame on you.
I guess that’s the message behind the “revelation” released in a survey this week that the majority of people who leave their jobs, voluntarily or otherwise, are taking company information with them.
Lots of it.
My reaction was the same as when I watched my fellow journalist grab and copy whatever it was that had been so carelessly left in the open. I shrugged. (We are by nature an overly curious species, and that overrides our normally dominant ethics gene.)
Data Loss Risks During Downsizing, conducted by the Ponemon Institute and sponsored by Symantec, was apparently designed to test the hypothesis that in this dire economy (ominous music in background), former employees are going to take important company information out the door. And, in fact, the poll of 945 former employees who left their jobs or were dismissed in the last 12 months showed that 59% stole company data.
What kind of data? Email lists, non-financial business information and customer information, including contact lists. Not the secret formula for Coke, not the clinical trial reports on a cure for cancer, no insider information on proposed mergers and acquisitions. Not even a few thousand credit card numbers.
Hardly worthy of shock and dismay. This is what a lot of people do when they leave jobs. Are they supposed to? No. Is it wrong? Yeah, but it’s sort of like cheating on taxes. Folks rationalize it in a variety of ways, or it just doesn’t weigh heavily enough on their conscience to set off an internal alarm.
Most of the people who took data — 79% — said it was not permitted. So, the other 21% were either ignorant, their managers said it was OK, or their former employers didn’t make a big enough deal about this sort of thing to make it worth remembering. Let’s face it. If this kind of grayish area thievery were really important, every single employee with a desk, a computer and a file cabinet would be escorted out of the building by security when they were laid off, fired or gave two weeks notice.
The report, perhaps, should have emphasized the smaller, but more important numbers, which show that some of these former employees did take financial information, did take source code, or did take intellectual property. That’s the stuff that gives management chills. Those numbers are much smaller than the 59% who admit taking some sort of information they shouldn’t or the 65% of those who took email lists. But those smaller numbers represent the kind of information leaks that can do serious harm to a business.
The real crime — and this is where the report excels — is that the overwhelming majority of the companies these people left didn’t even try to check what kind of information was about to walk out. Only 15% of the companies performed any sort of audit or review of what information the former employees were removing, and even these reviews were, in many cases, characterized as incomplete or even superficial.
So, the message employees take away is the same as it was in that cramped, dank newsroom, many years ago in the dead of night: “If it’s not locked up, Xerox it.”
The sky is not falling.
Just as some places have a law against shouting “fire” in a crowded theater, those responsible for issuing warnings and protecting customers need to take heed. Those who write about flaws should be clearly explaining the threat level so readers can assess the risks. Too many times the threat is clouded, making risk assessment extremely difficult.
Second, the threat is minimal — extremely minimal. Security vendors that track these threats are not releasing infection estimates. Hmm. I wonder why? Kevin Haley, director of security response at Symantec, told me the attacks began appearing in the wild in Japan. They have been spreading slowly for several reasons. The attack has been largely unsuccessful. The malicious Adobe file is spreading in an email message that can be detected as malicious and filtered out. And the message being sent is detected as spam in most cases. The threat can also spread if a user visits a website hosting a malicious PDF file. This can be mitigated by disabling Internet Explorer from auto-opening PDF files.
If your firm can’t handle the increased risk, Sourcefire released a homebrew patch for Adobe 9 users. There’s no guarantee the patch will block an attack. But if your users are using common sense and opening Adobe files from only trusted users and other protections are in place, the risk of infection should be minimal until Adobe issues an update plugging the hole.
There’s no doubt the risk level increases over time when new variants exploiting the code show up in the wild.
Is this a good time to mention Foxit Reader or other alternative PDF readers?
The SearchSecurity.com editorial team will continue to post regularly on some of the latest information security issues. Our aim has been to provide news analysis as events unfold. We’ve moved to IT Knowledge Exchange to take advantage of some new blog features as well as the community features IT Knowledge Exchange offers.
To highlight the most popular topics, we’ve added a Tag Cloud rather than a list of bland categories. The Tag Cloud is dynamic, so the more a tag is used, the larger and darker it will appear.
You’ll also notice we’ve integrated more of our related editorial content in the right sidebar. If you’re on a post about a specific topic be sure to browse the links in the right sidebar.
The number of bookmarking tools has increased from four to forty-three. If you enjoy a post, please be sure to share it with friends and colleagues.
Above each post is the SearchSecurity navigation bar. Clicking Home or the SearchSecurity.com logo will bring you to the SearchSecurity.com home page.
At the top of the page you’ll see a row of tabs. You can click the IT Blogs tab to find dozens of technology blogs, both user-generated and TechTarget editorial blogs. You can even request your own blog and start sharing your expertise with your peers.
There is also a tab labeled IT Answers. This is where you can ask your own IT question and have it seen by thousands of IT Knowledge Exchange members. So be sure to pose your own question, browse thousands of answers or help out a fellow IT pro by answering a question.
I had an excellent briefing with the folks at TippingPoint about Conficker and they gave me access to their ThreatLinQ, a service that helps TippingPoint IPS customers proactively configure their systems. I’ll be writing about Conficker in a news story tomorrow. ThreatLinQ is essentially a portal that shows global threat data caught in TippingPoint’s DVLabs’ IPS filters. It can rank threats on a global scale and threats by country. It also shows how other TippingPoint customers are using their IPS and what is being blocked by default.
Security researcher Derek Brown of TippingPoint’s DVLabs explained to me that while Conficker/Downadup has spread to an estimated 10 million machines, it reached its peak on Jan. 10. It’s an interesting worm because it can propagate either by exploiting the Microsoft RPC flaw, patched in October with MS08-067, or by spreading via USB sticks and other removable storage devices.
Ten million infections is a lot of computers, but I repeat what I said in an earlier post: most infections have taken place in countries where it took longer to deploy MS08-067, places where pirated software is rampant and machines are more likely to go unpatched. TippingPoint’s ThreatLinQ supports this.
Attempts to attack the Microsoft RPC vulnerability rank No. 5 of all threats globally, according to the TippingPoint data. That’s well behind the MS-SQL: Slammer-Sapphire Worm, which was picked up globally more than 32 million times in TippingPoint’s honeypots. Slammer ranks No. 1. Conficker was detected about half a million times, according to the real-time data.
In China, where Symantec ranked Conficker infections the highest, Microsoft RPC attacks ranked ninth, according to the TippingPoint data. In the United States, attacks attempting to exploit the Microsoft flaw didn’t even rank in the top 10.
Conficker is also relatively easy to disinfect using any number of tools including Microsoft’s Malicious Software Removal Tool.
Conficker still fascinates security researchers. It’s got a built-in password cracker. Once it infects a machine, it seeks out other IP addresses to continue spreading. It can spread on shared drives. It also relays location information to the author.
Let me be clear: Derek Brown of TippingPoint’s DVLabs did not downplay the worm. The damage the fledgling botnet inflicts is still unknown. Once the attacker delivers the payload to the infected machines, we’ll begin to measure the extent of Conficker’s destruction.
Update 1/23: Microsoft has released a blog post explaining everything you need to know about Conficker/Downadup. The bottom line: Ensure that MS08-067 is installed on all machines in the environment, use up-to-date antivirus, ensure you have strong passwords for user accounts, consider disabling AutoPlay.
Security vendors from across the spectrum have warned that a stingy worm has been successfully exploiting a hole in Microsoft Windows server service. Known as Conficker or Downadup, the worm spreads by exploiting a remote procedure call (RPC) vulnerability.
But that may not be the case. Symantec released data explaining which countries have had the highest worm infection rates. North America does not even rank in the top 10 countries infected by the worm. It has spread in countries where software piracy is rampant. Bootlegged versions of Microsoft Windows won’t receive the latest security updates. Is it a coincidence that the highest infection rates are in China, Russia, Argentina, Taiwan and Brazil (in that order)? China and Russia have been at the top of the list of software pirating countries for years.
So first, don’t panic. If you’re running antivirus and it’s up-to-date, you’re probably fine. Second, ensure that the MS08-067 update has been deployed. If it hasn’t, deploy it and then do a thorough review of your patch management processes. This patch should have been deployed months ago.
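For the host-side items in Microsoft’s bottom line (quoted in the earlier post’s 1/23 update) and the “ensure MS08-067 is deployed” step above, here is an added PowerShell check that is not from the post or from Microsoft. It assumes PowerShell 3.0 or later, that the MS08-067 update is installed as KB958644 (the KB number is not on this page), that AutoPlay is disabled via the NoDriveTypeAutoRun policy value 0xFF, and an English-locale `net accounts` output.

```powershell
# Added example (not from the post): report whether this Windows host has the
# Conficker mitigations the posts list. Assumptions, not taken from the page:
#   - MS08-067 corresponds to hotfix KB958644
#   - AutoPlay is considered off when NoDriveTypeAutoRun = 0xFF (all drive types)
#   - a minimum password length of 8 is the floor we want to see
$results = @()

# 1. Is the MS08-067 update present?
$hotfix = Get-HotFix -Id 'KB958644' -ErrorAction SilentlyContinue
$patchStatus = if ($hotfix) { 'OK' } else { 'MISSING - deploy MS08-067 (KB958644)' }
$results += New-Object PSObject -Property @{
    Check  = 'MS08-067 update installed'
    Status = $patchStatus
}

# 2. Is AutoPlay disabled for all drive types? The policy may be set machine-wide
#    or per user, so both hives are inspected.
$policyPaths = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
)
$autorunOff = $false
foreach ($path in $policyPaths) {
    $prop = Get-ItemProperty -Path $path -Name NoDriveTypeAutoRun -ErrorAction SilentlyContinue
    if ($prop -and ($prop.NoDriveTypeAutoRun -eq 0xFF)) { $autorunOff = $true }
}
$autorunStatus = if ($autorunOff) { 'OK' } else { 'NOT SET - consider disabling AutoPlay' }
$results += New-Object PSObject -Property @{
    Check  = 'AutoPlay disabled (NoDriveTypeAutoRun = 0xFF)'
    Status = $autorunStatus
}

# 3. Does the local password policy enforce a sensible minimum length? Conficker's
#    built-in password guessing only works against weak account passwords.
$minLenLine = net accounts | Select-String 'Minimum password length'
$minLen = 0
if ($minLenLine) { $minLen = [int](($minLenLine.Line -replace '\D', ''))
}
$pwStatus = if ($minLen -ge 8) { "OK ($minLen)" } else { "WEAK - minimum length is $minLen" }
$results += New-Object PSObject -Property @{
    Check  = 'Minimum password length >= 8'
    Status = $pwStatus
}

# 4. Is Windows Defender / another AV service at least present and running?
#    Only the stock Defender service is checked here; third-party AV is an assumption left to the reader.
$defender = Get-Service -Name WinDefend -ErrorAction SilentlyContinue
$avStatus = if ($defender -and $defender.Status -eq 'Running') { 'OK' } else { 'UNKNOWN - verify your AV is running and updated' }
$results += New-Object PSObject -Property @{
    Check  = 'Antivirus service running'
    Status = $avStatus
}

$results | Format-Table -AutoSize Check, Status
```

Run it in an elevated PowerShell session so the HKLM policy key and hotfix list are readable; a MISSING or WEAK line is a hint to follow the corresponding step in the post, not a verdict on infection.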
In its latest round of updates, Microsoft security experts addressed the spread of the worm and how people can check to see if their machines are infected. Microsoft advises customers to scan the machine with up-to-date antivirus. The worm also blocks access to a large number of security websites listed by Microsoft.
Also, Microsoft said its Malicious Software Removal Tool completely cleans the registry elements related to the worm.
What’s all the fascination among security researchers about Conficker/Downadup? It’s not necessarily who’s infected, but how they are being infected. As Derek Brown of TippingPoint’s DVLabs points out, the worm is an example of advanced malicious software coding. Conficker/Downadup can self-propagate by guessing a person’s weak password, or it can spread by simply being passed along on someone’s portable storage device. It disables several system services and security products and then signals to its host that it is ready to download additional instructions.
Good information security requires…good information.
That’s why logs are so important and why so many regulatory and industry directives require companies to not only gather but monitor, read and analyze them.
By the same token, if we’re going to get this log management thing right, we need to share our experiences and pain points with each other and the vendors who want to make their log management products more responsive to our needs, so we, in turn, will keep giving them money.
So, if you have not yet taken the fifth annual SANS Log Management Survey, please take a few minutes. The survey will be up through January. Obviously, the more respondents SANS gets, the more reliable the results. The findings will be released at SANS WhatWorks Log Management and Analysis Summit to be held in Washington April 6-7.
The survey has evolved as organizations’ experience with log management has evolved, said Stephen Northcutt, SANS CEO. Compliance is now well established as a driver for developing and improving log management programs and deploying automated tools. In fact, the 2008 report showed that compliance was only the second-highest reason for collecting log data, behind detection and analysis of security and performance incidents.
With this year’s survey, SANS wants to emphasize getting full value to leverage log management for security and operations.
“The biggest thing in the survey that’s new and different is looking for the ROI,” Northcutt said. “We’re trying to see what the biz case for this is; the compliance case is established. Two years you had to go to the CFO and say, look, I need 200,000 bucks. Here are the findings of the audit report. So, you spent the money and now you’re saying, ‘Gosh, what can I DO with this?'”