The damage caused by the Conficker worm (also known as Downadup and Kido) has been sizeable. Going by the numbers quoted by F-Secure, infections have skyrocketed from an estimated 2.4 million machines to over 8.9 million. While infections are still on the rise, the number is already large and has caused a reasonable amount of concern among security experts, especially because the true motive of the worm remained unknown for months after it first appeared in November last year, a month after the vulnerability it exploits (MS08-067) had been patched. The Conficker Working Group (CWG) tracks the number of HTTP requests made by the worm on a daily basis. As of 23 April, CWG had recorded over 136 million HTTP requests from 3.5 million unique infected IP addresses. The Conficker worm has not only infected PCs connected to the Internet but has also spread within computer networks across the government sector and business and financial organizations.
How does an infection run rampant and spread to such a large scale even after other outbreaks, some of them far more widespread and critical, have already happened? The answer probably lies in mindsets: people still presume that a computer, with its hardware and software, should simply work 'out of the box.' Many users still fail to realize that software will contain bugs (their nature and criticality vary) and that some of those bugs have security implications.
Let's use an analogy to illustrate what I mean. Once the fuel gauge in a car shows red, the engine will still continue to run on 'reserve.' It is therefore essential to refuel within this window, failing which the automobile turns into a glorified pushcart. Getting your car to the nearest petrol pump and refueling invariably involves time, effort and money. Similarly, while your computer may appear to be working fine, malicious code could take advantage of a bug (read: a security vulnerability) in your system at any point in time. Though an infection may seem like a sudden strike that leaves you no time to react, this is usually not the case. The following table of some known infections that caused quite a stir in the last eight years tells a sorry tale of ignorance and, in some cases, plain old procrastination.
Name of Worm            Security Vulnerability              Worm Release Date   Patch Release Date
----------------------  ----------------------------------  ------------------  ------------------
Sadmind                 MS00-078                            8-May-01            17-Oct-00
Code Red                MS01-033                            13-Jul-01           18-Jun-01
Code Red II             MS01-033                            4-Aug-01            18-Jun-01
Nimda                   MS01-044 / MS01-020 (and others)    18-Sep-01           29-Mar-01
Klez                    MS01-020                            25-Oct-01           29-Mar-01
Sapphire (SQL Slammer)  MS02-039                            24-Jan-03           24-Jul-02
Blaster                 MS03-026                            13-Aug-03           16-Jul-03
Welchia                 MS03-026                            11-Feb-04           16-Jul-03
Sasser                  MS04-011                            4-May-04            13-Apr-04
Santy                   SQL Injection                       21-Dec-04           14-Nov-04
Zotob                   MS05-039                            14-Aug-05           9-Aug-05
Conficker               MS08-067                            21-Nov-08           23-Oct-08
Notice that for every major outbreak in the table, the patch was available well before the documented release date of the worm.
While many prefer the Microsoft-bashing model when it comes to worm outbreaks, the end user is at least equally to blame for the spread of a worm. The gap between patch availability and the release of the worm was in some cases more than six months. Zotob is the only worm in the table whose patch was released just five days before the infection went public. In the case of worms like Blaster, Sasser and Conficker, users had three to four weeks to fix and update their systems.
If I play the devil's advocate here and give the benefit of the doubt to a user, system administrator or security professional, I would probably do one or all of the following:
Blame Microsoft for making an 'insecure' operating system. While there is a common consensus that Microsoft has to take security more seriously than some other operating systems such as OpenBSD do (OpenBSD is a very good security effort, but it is not going to house the common desktop anytime soon), Microsoft is definitely not the culprit in this case. It released patches for every one of its bugs in the table before the corresponding worm appeared.
Blame the techie or security agency for having found the vulnerability. Some people believe in security through obscurity. They would argue that if the researcher had not found the bug, the vulnerability would not be so widely and publicly known and such a worm would never have existed. But there are many individual researchers with the technical capability and motivation to find security bugs. While most of them are not inclined to write viruses and worms, an advanced worm like Conficker clearly shows that malware writers have a considerable amount of technical expertise of their own; its use of the MD6 cryptographic hash function is a clear indication of worm evolution. If a researcher does not find a vulnerability, it is near certain that someone with less honourable motives will. Not disclosing vulnerabilities will not reduce the number of outbreaks.
Blame the person who wrote the malicious code (the worm). Yes, writing a worm is unethical, illegal and punishable. But there will always be someone who tries to take advantage of the system; cybercriminals will not cease to exist, and expecting otherwise is a Utopian view of the Internet.
The bottom line is that those affected by the worms listed above are clearly to blame for not updating their computers with the latest security patches. Individuals as well as IT security professionals need to take the onus of ensuring that their operating system and security software are routinely updated, whether automatically or manually. Instead of reacting to an infection, organizations need to be proactive enough to keep the computers on their network updated, thereby reducing the chances of falling prey to infections like Conficker. Prevention is better than cure.
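As an added example (not code from the original article), this is the kind of read-only check a Windows administrator could run to confirm that the fixes behind the bulletins in the table are present on a host and that Automatic Updates is actually switched on. The bulletin-to-KB mapping and the registry locations come from general Windows administration knowledge, not from the article, and should be verified against the Microsoft bulletin pages before being relied on.

```powershell
# Added example, not code from the original article. Read-only: checks for the
# hotfixes behind four of the bulletins in the table and reports the Automatic
# Updates configuration. The KB numbers and registry paths are assumptions from
# general Windows administration knowledge, not taken from the article.

# Bulletin -> hotfix ID as Get-HotFix reports it (assumed mapping).
$bulletins = @{
    'MS03-026' = 'KB823980'   # Blaster, Welchia
    'MS04-011' = 'KB835732'   # Sasser
    'MS05-039' = 'KB899588'   # Zotob
    'MS08-067' = 'KB958644'   # Conficker
}

# Installed hotfix IDs on this host. A fix that shipped inside a later service
# pack or OS build will not appear as a separate hotfix, so 'MISSING' means
# "not listed as a separate hotfix" and is a prompt to confirm, not proof of
# exposure.
$installed = @(Get-HotFix | ForEach-Object { $_.HotFixID })

foreach ($b in ($bulletins.GetEnumerator() | Sort-Object Key)) {
    $state = if ($installed -contains $b.Value) { 'installed' } else { 'MISSING' }
    Write-Output ('{0} ({1}): {2}' -f $b.Key, $b.Value, $state)
}

# Automatic Updates. The Group Policy key, when present, overrides the local
# Windows Update key. AUOptions: 2 = notify before download, 3 = download and
# notify before install, 4 = download and install on schedule, 5 = user chooses.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
$localKey  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update'

$policy = Get-ItemProperty -Path $policyKey -ErrorAction SilentlyContinue
$local  = Get-ItemProperty -Path $localKey  -ErrorAction SilentlyContinue

if ($policy -and $policy.NoAutoUpdate -eq 1) {
    Write-Output 'Automatic Updates: DISABLED by policy (NoAutoUpdate=1)'
} else {
    $au = if ($policy -and $policy.AUOptions) { $policy.AUOptions } else { $local.AUOptions }
    if ($null -eq $au) {
        Write-Output 'Automatic Updates: no AUOptions value found; check Windows Update manually'
    } elseif ($au -eq 4) {
        Write-Output 'Automatic Updates: download and install on schedule (recommended)'
    } else {
        Write-Output ('Automatic Updates: AUOptions={0} (updates are not applied without user action)' -f $au)
    }
}
```

Run it in an elevated PowerShell session on the host being checked; the two halves answer the two questions the table raises, whether the known fixes are present and whether the machine would have picked them up on its own during the patch-to-worm window.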
Post your comment on “Did you install the patch before the outbreak?”
Your Comments
Many users in India still use Win98/XP, for which support has ceased, and they don't use any good AV with it. It's sheer suicide. A good AV can solve the matter very, very well, even free ones like AVG etc.