Conficker still a threat, says Working Group

14 June 2010

The Conficker worm continues to be a threat and businesses need to be aware of two vulnerabilities it may have introduced to their IT systems, says an industry group set up to combat the malware.

"Conficker typically disables the automatic updates for the Microsoft Windows operating system and turns off traditional anti-virus, but few business organizations are aware of this," Rodney Joffe, director of the Conficker Working Group, told Computer Weekly.

Criminals can identify all IP addresses infected by the Conficker worm and the date infection occurred, he said.

From this information, they will know the vulnerabilities of these IP addresses. They are likely to be vulnerable because they have not received Microsoft security updates from the date of infection and have probably had all AV systems disabled, said Rodney Joffe.

Once a potentially vulnerable IP address is known, criminals can use reverse-mapping technology to identify the organization that IP address belongs to. Criminals can then use the IP address as a way of launching attacks on other machines behind the organization's firewall, he said.

Just because there have been no big attacks linked to Conficker since April 2009, it is dangerous to assume that nothing is happening, said Joffe.

It would be stupid for criminals not to use Conficker and it is possible the machines dropping off the Conficker Working Group's regular scans are being sold to others to use as potential targets because most machines infected with Conficker are likely to be susceptible to other attack methods, he said.

The only way organizations can be sure they are not vulnerable is to contact one of the members of the Conficker Working Group to check whether their IP addresses are being picked up in the organization's scans, said Joffe. Organizations can do this free of charge.

Businesses and other organizations can also use standalone disinfection tools and check their firewall logs to see if any of the machines within their network have attempted to make any unauthorized connections to Conficker command-and-control centers, he said.

Only through a concerted effort using this approach has the US Federal network been able to reduce the number of infected machines from thousands to below 50, said Joffe.

This story was first published by Computer Weekly
