An article caught my eye last week that I couldn’t ignore. It was by turns interesting, infuriating and illuminating, with a simple and matter-of-fact headline: “Thanks to weak passwords, Conficker worm still rampant.” It was from SC Magazine and it made me gack just a little.
Flashback to 2008. In November of that year Conficker made its first appearance, and within months had infected millions of home and business systems in the most successful botnet ever. The “worm” was in truth a highly clever system that leveraged vulnerabilities in Windows Server Service, autorun functions and the automatic creation of as many as 250 new botnet-managed domains each day across five TLDs.
But the thing that really made Conficker the Pirates of the Caribbean of mid-2000s worms was its clever use of dictionary attacks on administrative passwords: find a target system, fling thousands of default or guessable password combinations at it until it breaks open, and Conficker was off to the races.
Flash forward to 2012 and Conficker is still going strong, despite special patches from Windows and dedicated vulnerability scanners from Nessus and Nmap. The SC Magazine article cited some disturbing numbers:
“In the fourth quarter of 2011 alone, Microsoft analysis determined that Conficker tried to infect 1.7 million computers, a 225 percent increase since the first quarter of 2009. Since that year, Conficker has been detected on 220 million computers worldwide.”
Tim Rains of Microsoft’s Trustworthy Computing Group laid much of the blame for this continued success on weak passwords:
“The use of these weak passwords in enterprise today is very concerning,” he said. “Not only will this allow broad-based attacks to spread, but it also allows targeted attacks by determined adversaries to be just as successful.”
So what made me gack a little? Two things, really:
- Default or weak-ass passwords, Conficker’s built-in “open sesame” tool, are such low-hanging vulnerabilities as to be embarrassing
- Persistent unpleasant reality: the problem of hardening an ever-growing population of loosely-managed servers (and their default or guessable passwords) is still considered “too big to manage”
As an industry, though, we can solve these issues with four incredibly difficult but eminently doable steps.
- Create, distribute and manage policies that define IT security standards across all platforms and devices… including password standards
- Automate a continuous, scalable process of scanning and fixing system configuration vulnerabilities… like weak passwords
- Stop talking about Defense in Depth and just do it: good configuration management, enterprise anti-virus and network vulnerability scanning, when working together, can defeat Conficker
- Rinse and repeat: do this more often than configuration drift or laziness can catch up with you
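The second and fourth steps above (automated scanning for weak or default passwords, repeated often enough to beat configuration drift) are easiest to see as a policy gate that runs in provisioning or configuration management. The following is an added example, not code from the original post or from any product it mentions; the policy values, the denylist and the sample account records are all constructed for illustration, and the "trivial variant" matching is a simple heuristic rather than a standard.

```python
"""Password-policy gate for provisioning: an added example, not code from
the original post. Policy values, the denylist and the sample accounts are
constructed for illustration."""
from dataclasses import dataclass, field
import re

# Constructed denylist of vendor defaults and guessable passwords. A real
# deployment would load a much larger list from a file.
DEFAULT_DENYLIST = {
    "password", "admin", "administrator", "123456", "qwerty",
    "letmein", "welcome", "changeme", "root", "guest",
}

# Common substitutions that do not make a password meaningfully harder to guess.
LEET_MAP = str.maketrans({"@": "a", "0": "o", "1": "i", "3": "e", "$": "s", "5": "s"})


@dataclass
class PasswordPolicy:
    min_length: int = 12
    required_classes: int = 3            # of: lower, upper, digit, symbol
    max_age_days: int = 90               # the "rinse and repeat" interval
    denylist: set = field(default_factory=lambda: set(DEFAULT_DENYLIST))


def candidate_roots(password: str) -> set:
    """Heuristic: the forms of a password that should also be looked up in the
    denylist, so that 'P@ssw0rd1!' is caught as a variant of 'password'."""
    p = password.lower()
    stripped = re.sub(r"^[^a-z]+|[^a-z]+$", "", p)   # drop edge digits/symbols
    return {p, stripped, p.translate(LEET_MAP), stripped.translate(LEET_MAP)}


def char_classes(password: str) -> int:
    """Count how many of the lower/upper/digit/symbol classes are present."""
    patterns = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")
    return sum(1 for pat in patterns if re.search(pat, password))


def check_password(password: str, username: str, policy: PasswordPolicy) -> list:
    """Return the policy violations for one password; empty list means acceptable."""
    violations = []
    if len(password) < policy.min_length:
        violations.append(f"shorter than {policy.min_length} characters")
    if char_classes(password) < policy.required_classes:
        violations.append(f"fewer than {policy.required_classes} character classes")
    if candidate_roots(password) & policy.denylist:
        violations.append("is a default/common password or a trivial variant of one")
    if username and username.lower() in password.lower():
        violations.append("contains the account name")
    return violations


def audit_accounts(accounts: list, policy: PasswordPolicy) -> dict:
    """Apply the policy to provisioning records (dicts with 'user', 'password',
    'age_days'). Returns {user: [violations]} for the failing accounts only,
    so the result can feed a remediation step directly."""
    findings = {}
    for acct in accounts:
        problems = check_password(acct["password"], acct["user"], policy)
        if acct.get("age_days", 0) > policy.max_age_days:
            problems.append(f"not rotated in {policy.max_age_days} days")
        if problems:
            findings[acct["user"]] = problems
    return findings


# Constructed sample records, as a build or config-management inventory might hold them.
SAMPLE_ACCOUNTS = [
    {"user": "Administrator", "password": "P@ssw0rd1!", "age_days": 400},
    {"user": "svc_backup", "password": "svc_backup2012", "age_days": 10},
    {"user": "deploy", "password": "Tq7#vRm2pL!wXz9e", "age_days": 30},
]

if __name__ == "__main__":
    for user, problems in audit_accounts(SAMPLE_ACCOUNTS, PasswordPolicy()).items():
        print(f"{user}: {'; '.join(problems)}")
```

Running it on the constructed inventory flags the built-in Administrator account (too short, a leetspeak variant of "password", and never rotated) and the service account whose password embeds its own name, while the deploy account passes. The point of returning structured findings rather than a pass/fail flag is that the same output can drive the "fixing" half of step 2 and be re-run on every configuration cycle for step 4.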
An InfoSec Island article from the middle of last year made it clear that the threat is far from gone. “Authorities Bust $72 Million Dollar Conficker Fraud Ring” highlighted the way cybercriminals continue to parlay the worm into a healthy payday.
I’m really not a flag-waving, “Let’s charge this cyber hill!” militant patriot, but I think we can bury Conficker. Finally.
Want to read more about Conficker? Try Mark Bowden’s excellent book Worm: The First Digital World War.
Tags: configuration hardening