Posts Tagged ‘Conficker’

Conficker (April) Fools Day: The Real Danger is not Conficker

Friday, April 3rd, 2009

Forgive me if I editorialize and slip from factual reporting into expressing my opinion. April 1 has come to most of the world and the sky has not fallen yet. In fact, most of the incidents reported so far are more related to Conficker hysteria than to the effects of the worm (or are April Fools jokes themselves). To be sure, Conficker has been busy downloading instructions for the next round, but nothing dramatic has happened.

A breakthrough (thanks to some German researchers, Rich Mogull, and Dan Kaminsky) made a couple of days ago will make it possible to perform network scans for infected machines. There are also many tools available online to scan for and remove Conficker. The threat is far from over, but my biggest concern is not the noisy, headline-grabbing threats like Conficker. In the end, more harm may be done (and more money stolen from innocent victims) by the myriad of fake malware removal tools (rogues) that the publicity about Conficker has spawned.

In the end, the noisy Confickers of the security world are not our biggest threat. The whole Conficker affair smells like a marketing ploy to me - intended to get the attention of those potential buyers of future exploits who lurk in the shadows of the internet. The yet-undisclosed authors of Conficker have certainly demonstrated their abilities. Microsoft's $250,000 reward is an indication of just how much top-notch malware writers like this could command for their services. The real threats are the quiet ones, the ones that lurk undetected for years, silently stealing information and leaking it out without being noticed. There is no better example than the recently-disclosed GhostNet allegedly operated by the Chinese.

We must not let ourselves become so distracted by the threats in yesterday's or today's headlines that we become lax in our vigilance. This would be the perfect time to slip in a new zero-day exploit while everyone is focused on Conficker. It is those crafty, hidden pieces of malware that will be some future headline (or, worse, the ones that will remain undiscovered and never make the headlines) that keep me awake at night.

Dennis H in West Virginia, US

April 1

Conficker B, More SSL Attacks, Malicious Banners

Saturday, March 7th, 2009

The security wars rage on, as always, and there are some new exploits (or variations on old ones) that we should all be aware of:

Conficker B++ is a variant of Conficker which has evolved past the need to "phone home". This will make tracking the activity of this threat more difficult. This threat has been covered in a past article, but for those interested, here is an article dissecting it in excruciating detail. There were a couple of interesting points that I noted. First of all, can anyone explain why Canada seems to have FAR more infected machines than any other country? As previously noted, Microsoft issued a patch for this last October, so the machines getting infected are ones that have not been patched. Let's make sure that NOS clients are not contributing to these numbers. Secondly, one of the tools this monster uses to defeat firewalls is UPNP (Universal Plug and Play). UPNP is a HUGE security hole and should be disabled on all routers. True, it makes it easy for games and other programs to open their own ports on firewalls, but it makes it just as easy for malware to do the same.

SSL Stripping Attacks: These are sophisticated Man-In-The-Middle attacks that hijack HTTPS connections. The newest browser versions warn when SSL certificates are not valid, but this presentation from Black Hat DC shows some sneaky ways around these warnings. EV certificates and better browser security will help, but users will simply have to become more sophisticated and more careful in order to remain safe. It's hard enough getting people to differentiate between HTTPS and HTTP, and this method exploits our trust of the padlock icon. This presentation is pretty scary.
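SSL stripping works because the victim's browser is happy to follow an http:// link that the attacker rewrote from https://, and no certificate warning is ever triggered. The browser-side countermeasure is HTTP Strict Transport Security (HSTS, later standardized as RFC 6797): once a site has been seen over a valid TLS connection with a Strict-Transport-Security header, the browser upgrades every later http:// request to that host (and optionally its subdomains) to https:// before sending anything on the wire, so a stripped link never reaches the network in the clear. The following is an added illustration of that policy store, not code from the original post or from any browser; the hostnames (bank.example and friends) are constructed.

```python
"""Minimal HSTS policy store: the browser-side defence against SSL stripping.

Added example; hostnames and header values are constructed, not real sites.
"""
import time
from urllib.parse import urlsplit, urlunsplit


def parse_hsts(header: str):
    """Parse a Strict-Transport-Security header value.

    Returns (max_age_seconds, include_subdomains) or None when the header
    is malformed (no usable max-age), in which case it must be ignored.
    """
    max_age = None
    include_sub = False
    for directive in header.split(";"):
        name, _, value = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            value = value.strip().strip('"')
            if not value.isdigit():
                return None
            max_age = int(value)
        elif name == "includesubdomains":
            include_sub = True
    if max_age is None:
        return None
    return max_age, include_sub


class HstsStore:
    """Remembers which hosts have demanded HTTPS and for how long."""

    def __init__(self, now=time.time):
        self.clock = now                 # injectable clock so expiry can be tested
        self._policies = {}              # host -> (expiry_timestamp, include_subdomains)

    def record(self, host: str, header: str, over_tls: bool) -> bool:
        """Learn a policy from a response. Returns True if the store changed.

        RFC 6797 8.1: the header is only honoured when it arrived over a
        TLS connection with no certificate errors. Over plain HTTP an
        attacker could otherwise inject or clear policies at will.
        """
        if not over_tls:
            return False
        parsed = parse_hsts(header)
        if parsed is None:
            return False
        max_age, include_sub = parsed
        host = host.lower()
        if max_age == 0:                 # max-age=0 means "forget this host"
            self._policies.pop(host, None)
            return True
        self._policies[host] = (self.clock() + max_age, include_sub)
        return True

    def is_known(self, host: str) -> bool:
        """True if host, or a parent domain with includeSubDomains, has a live policy."""
        host = host.lower()
        now = self.clock()
        labels = host.split(".")
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            policy = self._policies.get(candidate)
            if policy is None:
                continue
            expiry, include_sub = policy
            if expiry <= now:
                continue                 # expired entry, ignore
            if i == 0 or include_sub:    # exact match, or covered parent domain
                return True
        return False

    def rewrite(self, url: str) -> str:
        """Upgrade an http:// URL to https:// when a policy covers its host.

        This is the step that defeats stripping: the rewritten link the
        attacker handed us never leaves the machine as plaintext.
        """
        parts = urlsplit(url)
        if parts.scheme == "http" and parts.hostname and self.is_known(parts.hostname):
            netloc = parts.hostname if parts.port == 80 else parts.netloc
            return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))
        return url


if __name__ == "__main__":
    store = HstsStore()
    # First, genuine visit over TLS teaches the browser the policy.
    store.record("bank.example", "max-age=31536000; includeSubDomains", over_tls=True)
    # Later, a stripped link arrives; the browser upgrades it before connecting.
    print(store.rewrite("http://www.bank.example/login"))
```

The caveat a practitioner should keep in mind is the very first visit: until the browser has seen the header over TLS once, there is nothing in the store and the http:// request goes out as written, which is exactly the window stripping exploits. That is why browsers later added preload lists for the most sensitive hosts, and why the `over_tls` check in `record` must never be relaxed.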

Malicious Banners on Major e-Magazine Sites are a good example of how users can become infected with malware, even if they are smart enough to stay away from the "darker" corners of the internet. Last week, the online magazine eweek became the victim of an advertising campaign that sends users malicious code, instead of the advertising content. Other Ziff-Davis sites also distributed the banner. This attack was based on an Adobe Flash vulnerability that was not the most recent issue found in Adobe products, but rather one that was patched some time ago.

Need we say it again? Application patching is more important than ever. PATCH or DIE!! The best way to identify un-patched applications and the vulnerabilities they present is to use Secunia PSI.

Dennis H in West Virginia, US

March 1, 2009

The conficker / downadup worm is a real threat to any Windows machines that are not up to date

Friday, January 30th, 2009

Keeping Windows machines updated is always important, but it is especially important right now. The conficker worm (also known as downadup, downup, and kido) is estimated to have infected 9 million computers and is spreading rapidly (the number of infections has tripled in the past few days). This worm exploits a flaw in all recent versions of Windows, including server versions and Vista. Microsoft issued an out-of-cycle patch in OCTOBER to correct the flaw, but an estimated ONE-THIRD of Windows machines do not have the patch installed. AMAZING

This is a worm, so it requires NO USER ACTION for the exploit - any un-patched Windows machine is a sitting duck if it is not protected by a properly-configured firewall. It can also spread through removable devices (another good reason to disable autorun). It also wages brute-force attacks against network passwords. It attaches itself to critical Windows processes and downloads additional malware. NASTY
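Of the spreading methods listed above, the password brute-forcing is the one that leaves the clearest trace in ordinary logs: an infected machine produces a burst of failed logons against many different accounts on each neighbour it tries, which a normal user mistyping a password never does. The script below is an added example, not part of the original post, of the detection a practitioner would run over a domain controller's or file server's Security log. Windows records each failure as event ID 4625; the sample records here are constructed and reduced to four fields (timestamp, event ID, source workstation, target account) rather than the full event XML, and the workstation names are invented.

```python
"""Flag brute-force logon activity in failed-logon events (constructed sample data)."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample, not a real log: "<ISO time> <event id> <source workstation> <target account>".
# 4625 = failed logon, 4624 = successful logon.
# WKS-12 is a user who mistyped twice and then got in; WKS-07 behaves like an
# infected host hammering a neighbour; WKS-31 is a slow, single-account attempt.
SAMPLE_EVENTS = """\
2009-01-28T09:00:00 4625 WKS-12 jsmith
2009-01-28T09:00:09 4625 WKS-12 jsmith
2009-01-28T09:00:15 4624 WKS-12 jsmith
2009-01-28T09:01:00 4625 WKS-07 administrator
2009-01-28T09:01:01 4625 WKS-07 administrator
2009-01-28T09:01:01 4625 WKS-07 admin
2009-01-28T09:01:02 4625 WKS-07 backup
2009-01-28T09:01:02 4625 WKS-07 backup
2009-01-28T09:01:03 4625 WKS-07 guest
2009-01-28T09:01:04 4625 WKS-07 test
2009-01-28T09:01:05 4625 WKS-07 jsmith
2009-01-28T09:05:00 4625 WKS-31 administrator
2009-01-28T09:07:00 4625 WKS-31 administrator
2009-01-28T09:09:00 4625 WKS-31 administrator
2009-01-28T09:11:00 4625 WKS-31 administrator
2009-01-28T09:13:00 4625 WKS-31 administrator
2009-01-28T09:15:00 4625 WKS-31 administrator
"""

LINE_RE = re.compile(r"^(\S+) (\d+) (\S+) (\S+)$")


def parse_events(text):
    """Parse the simplified records into (timestamp, event_id, source, target) tuples, sorted by time."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        match = LINE_RE.match(line) if line else None
        if not match:
            continue                      # skip blank or malformed lines rather than crash
        ts, event_id, source, target = match.groups()
        events.append((datetime.fromisoformat(ts), int(event_id), source, target))
    events.sort(key=lambda e: e[0])
    return events


def find_brute_force(events, threshold=5, window=timedelta(seconds=60), min_distinct_targets=3):
    """Sliding-window count of failed logons per source workstation.

    A source is reported when, within `window`, it produced at least
    `threshold` failures spread over at least `min_distinct_targets`
    accounts. Requiring several distinct accounts separates a worm's
    dictionary attack from one person repeatedly mistyping their own password.
    Returns {source: (window_start, failure_count, sorted_target_accounts)}.
    """
    recent = defaultdict(deque)           # source -> deque of (timestamp, target) inside the window
    hits = {}
    for ts, event_id, source, target in events:
        if event_id != 4625:
            continue
        q = recent[source]
        q.append((ts, target))
        while q and ts - q[0][0] > window:
            q.popleft()                   # expire entries that fell out of the window
        targets = {t for _, t in q}
        if len(q) >= threshold and len(targets) >= min_distinct_targets:
            prev = hits.get(source)
            if prev is None or len(q) > prev[1]:
                hits[source] = (q[0][0], len(q), sorted(targets))
    return hits


if __name__ == "__main__":
    for src, (start, count, accounts) in find_brute_force(parse_events(SAMPLE_EVENTS)).items():
        print(f"{src}: {count} failed logons from {start.isoformat()} against {accounts}")
```

With the defaults only WKS-07 is reported; WKS-31's one-failure-every-two-minutes pattern slips under a 60-second window and a single account. Widening the window (say to 15 minutes) and dropping `min_distinct_targets` to 1 catches it too, at the cost of more noise from forgotten passwords, which is the usual tuning trade-off for this kind of rule. Account lockout policies blunt the attack itself; this rule tells you which machine to pull off the network.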

The January version of Microsoft's Malicious Software Removal Tool (MSRT) is supposed to be able to detect and remove this threat. Microsoft recommends installing their emergency update, and then running the MSRT.

More details are available in this Wikipedia article.

Dennis H in West Virginia, US

January 19, 2009