Today is my third in the series of Security Fails of 2009. As 2009 draws to a close I think no one would argue that this has been an extremely eventful year for IT security. While others will soon be trotting out their “best of 2009” lists, I thought I would instead visit some of the prominent fails of 2009.
Conficker made the jump from malware attack to media darling in 2009, finding its way onto the front page and 60 Minutes. For those of us who work in the general anonymity of IT security, Conficker (aka Downup, Downandup, Conflicker, and Kido) was one of those things that took on a life of its own and rose quickly into the public consciousness.
To be accurate, Conficker actually surfaced in November of 2008, but its effect really peaked in 2009. The Conficker Working Group estimates that 9 million to 15 million PCs are infected with the worm. Costs have been placed at a wide range of numbers with some estimates reaching $9B. The worm was noteworthy from its use of sophisticated techniques to avoid detection and its ability to morph via commands from a well designed command and control process. It has been through three iterations, each making it harder to detect and defeat. It spread rapidly – in May it was reported to be spreading to 50,000 new machines a day - and is widely believed to be the largest worm infection since Slammer in 2003.
What became almost humorous was the effect it had even when it did not do anything. When the command and control elements of Conficker would stir, there was rampant speculation as to what it would do. Conficker appeared to be readying for something big on April 1 and the speculation became somewhat comical as predictions ranged from minor attacks to global Armageddon. Eventually people became to see Conficker in every shadow, with the paranoia coming to a crescendo when Conficker was suspected as the cause when Big Ben stopped just before midnight on March 31. I wrote then that such blame “makes sense – build a worm, get it distributed to millions of computers worldwide, have it confound the best and brightest of IT security, and then instruct it to stop Big Ben.”
The real lessons of Conficker are many. First, the worm took advantage of an exploit that Microsoft patched in October of 2008 and many noted that the infection vector was not exceptional, just opportunistic. The fact that it spread so rapidly and continues to spread illustrates the issues we have in patch management and maintaining the security readiness of endpoint machines. In spite of all research and recommendations, business and government agencies still take far too long to close well known, dangerous gaps in their security. Second, the sophistication of the worm, the command and control structure and its evolving nature all are illustrative of the growing sophistication of malicious activity. Conficker is an attack with the careful engineering of a commercially available application. Third, the traditional endpoint protections have long been left behind by the growing sophistication of the current attacks. It took far too long to come up with a viable detection process for Conficker, and even longer to come up with a fix. Most have to re-image and start over at enormous costs when one considers 9M computers.
Finally, Conficker brought IT security issues to the masses. Lots of people that never considered the security readiness of their PC began to ask some serious questions. The size and scope of the infection woke people up to the enormous potential of a mass attack. And the sophistication was instructive to the public as to how malicious attacks have evolved from the days of the Anna Kournikova virus.
Conficker is a noteworthy fail because it all started by leveraging a known exploit that savvy malware writers saw as an easy path to a significant infection that will cost the world billions of dollars. Best of all, Conficker is still out there on a very large number of machines. Even in its most benign state, the fact remains that someone controls a huge botnet that has the potential to be used for harm.
Posted in Endpoint Security
