Conficker, I Knew We Would Meet Again!
Oh, Conficker. I just knew you’d be back in our lives. Somehow, someway. I recently read an interesting article from SC Magazine, “Thanks to weak passwords, Conficker worm still rampant.”
Conficker was a nasty little worm that wreaked havoc for a large number of people; I guess you could argue it still is. It all started in 2008 when the threat dubbed “W32.Downadup” was discovered exploiting a vulnerability in the Microsoft Windows Server Service (MWSS). Microsoft released a fix for the vulnerability, but it was the aftermath that was so interesting.
In my former life, I dealt quite a bit with malware, and Conficker was certainly a threat to remember. I recall giving many talks about how the threat was discovered in the fall of 2008, and how, despite a patch being available for the vulnerability, many machines were still being infected. Overall, we saw botnet numbers increase, and while fixes were available for Conficker, many did not patch or take the appropriate actions to protect themselves.
I used this threat to point out how modern automated malware is created. Attackers simply follow these simple steps:
- Find and purchase a malware design kit from some shady groups or individuals
- Determine who or what you want to target
- If targeting Windows machines, simply find the latest and greatest vulnerability from Microsoft… even if it has a patch
  - You might get lucky and find some zero-day vulnerabilities, depending on who you dealt with for your first step
- Build your malware to use that exploit/vulnerability
- Determine the attack vector
  - Email? If so, maybe you want to spam a URL linking to your newly built threat
  - Web? Maybe you should find a legitimate site, find out if you can do a SQL injection
  - Social Engineering? Combine the above two for serious impact
  - Hack, then dump?
Point being, many individuals can follow a simple pattern and cause a significant amount of damage.
How does this relate to the topic? Weak passwords allow Conficker to spread. SC Magazine points out that “there are three primary ways in which Conficker spreads: through weak and stolen passwords, by exploiting unpatched vulnerabilities, or by attempting to abuse the AutoRun feature in Windows.”
The story also provides context on infection and causes.
“Of the trio, 92 percent of the infections occurring from July through December 2011 were caused because of flimsy passwords,” the report stated. That’s because, according to the story, the malware’s code has a built-in list of common passwords used in the enterprise, such as “admin1,” “changeme,” and “password123.”
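One defensive check that follows from this, added here as an example (not from the article or the report it cites): a password screen that rejects not just the listed passwords but their cheap variants, since case changes, trailing digits and leet substitutions are the first things a dictionary-based attacker tries anyway. The blocklist (the three passwords quoted above plus a few common ones) and the 12-character minimum are assumptions standing in for a real policy.

```python
import re

# Constructed blocklist for illustration: the three passwords the article quotes
# plus a few similarly common ones. This is an assumption, not the worm's list.
COMMON_PASSWORDS = {
    "admin1", "changeme", "password123",
    "password", "admin", "123456", "letmein", "welcome", "qwerty",
}
MIN_LENGTH = 12  # assumed local policy minimum
# Undo the usual leet substitutions so "P@ssw0rd" compares as "password".
LEET = str.maketrans("01345@$!", "oieasasi")


def normalize(password):
    """Collapse the cheap variants a dictionary attack tries anyway:
    case, trailing digits/punctuation, and simple leet substitutions."""
    p = password.lower()
    stripped = re.sub(r"[\d\W_]+$", "", p)
    if stripped:                  # all-digit passwords keep their digits
        p = stripped
    return p.translate(LEET)


NORMALIZED_BLOCKLIST = {normalize(p) for p in COMMON_PASSWORDS}


def check_password(password):
    """Return None if the password passes the screen, otherwise the reason it
    would fall to a built-in dictionary of the kind the article describes."""
    lowered = password.lower()
    if lowered in COMMON_PASSWORDS:
        return "exact match in common-password list"
    base = normalize(password)
    if base in NORMALIZED_BLOCKLIST:
        return f"trivial variant of common password (normalizes to {base!r})"
    if len(password) < MIN_LENGTH:
        return f"shorter than {MIN_LENGTH} characters"
    return None


if __name__ == "__main__":
    for candidate in ["password123", "P@ssw0rd2019!", "Ch4ngeMe!!",
                      "Tr0ub4dor&3", "correct horse battery staple"]:
        print(f"{candidate!r}: {check_password(candidate) or 'ok'}")
```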
Being in the authentication and identity security space, this doesn’t surprise me. Despite all of the filters in place, web, email, anti-virus and anti-malware, a single weak password can undermine an otherwise strong security posture.
The main thing I find concerning is that with many organizations rolling out cloud-based applications, coupled with the aggressive move into the mobile space, we still rely on usernames and passwords as the main identity access mechanism. With all of the new, easy-to-use technologies, organizations have many ways to reduce their reliance on usernames and passwords, even in this cloud/mobile world.
I guess Conficker still has life in it to teach us another lesson: you are only as strong as your weakest link.