Godzilla making poo

Me: Gawd, It’s amazing to see how many people who’ve been laid off, who are now asking to be added to my LinkedIn profile.

Her: I guess you have to be connected as much as possible in times like these, you never know who will have a lead on a job. It’s sad to see the state of the US right now

Me: It’s the state of most of the world actually

Her: Ya I know but I always looked at the states as being more resilient. I guess I never thought it would get so bad. It’s the land of opportunity remember! You guys sold me the dream

That’s why I came over on the boat after all

Me: Yeah, we all bought the dream but the US Government is the big green monster taking a big stinky shat in the middle of it.

Her: That’s a lovely picture you’ve painted!

Me: Godzilla making poooooooo

Conficker Hits French MoD

The conficker/downadup worm has impacted the French Ministry of Defense, according to an article posted by The Telegraph. According to the article:

…aircraft were unable to download their flight plans after databases were infected by a Microsoft virus they had already been warned about several months beforehand.

At one point French naval staff were also instructed not to even open their computers.

Like the recent compromise of the British MoD, the compromise of the French MoD appears to have been isolated to the unclassified network called Intramar. Coincidentally, it was the navy that was reportedly compromised in both cases.

It’s still being questioned whether or not aircraft were grounded by the worm. However, the fact that the worm impacted the MoD is not in question and that illustrates the risk of having weapons systems interconnected with the Internet.

To my knowledge the botnet created by conficker/downadup hasn’t been put into action yet. However, the fact that it now has two major trophies, the French and the British Ministries of Defense, is certainly worth pondering. The propagation methods this worm uses have proven to be very effective.

Conficker FUD?

Conficker, aka Downadup, is gaining popularity among the non-techy news sites. Today I ran across this article on Rawstory.com. In it, David Perry of Trend Micro is quoted as saying “Downadup uses brute force from the infected network of botnets to break the password of the machine being attacked”.

To my knowledge that isn’t how the worm works, but please correct me if I’m wrong. According to everything I’ve read, a single instance of the worm will indeed try to “brute force” passwords but it isn’t a distributed effort spread across portions of the botnet. In none of the following evaluations of conficker is ‘distributed brute forcing’ mentioned:

Trend Micro (fails to even mention the password-guessing aspect)
Symantec
Sophos
F-Secure
McAfee
Panda (added to my list 1/23/09)

Not to mention the fact that the total number of passwords hardwired into the worm is 184, which is minuscule when compared to Cotse’s “all-words” list of 53,082. The small number of passwords was certainly intentional, to keep the code lean and mean, and doesn’t lend itself to distributed brute force.

The author of the story also states that “A troubling aspect of Conficker is that it harnesses computing power of a botnet to crack passwords.” That, according to everything I’ve read is false. Conficker does not crack passwords, it guesses them from a small list of “weak” passwords. Something like L0phtcrack built into a worm would indeed be new and certainly nasty but what conficker is doing isn’t near what L0phtcrack does…

Can anyone validate Mr. Perry’s statement?

Worms are an effective weapon in cyber warfare

CIO.com has an article about a ‘rapidly spreading virus’ that is giving the UK Ministry of Defense a run for its money.

First, viruses don’t spread on the network; worms spread on the network, and a virus can be their payload.

Semantic arguments aside, the story demonstrates just how effective a worm can still be, especially in cyber warfare. Not only do you have the direct impact of the worm (delivery of the payload), but you also have secondary effects: network and host congestion and the potential over-reaction by the IT groups, who simply shut off machines to avoid compromise. According to a Ministry of Defence spokeswoman:

“The reason why so many people are without their computers is because we’ve turned them off rather than they’ve been wiped or destroyed by this virus”

Without knowing what this particular bug is and what it does, shutting down systems may very well be a solid defense, but that doesn’t change the fact that the network wasn’t well prepared for a worm outbreak. The best defense against a network worm is defense in depth, but it doesn’t have to be complicated. In fact I would argue that it shouldn’t be much more complicated than:

  1. Patch management
  2. Network segmentation
  3. IPS and AV protection at segment links
  4. HIPS protection on critical hosts and AV protection on *all* hosts
  5. Established incident response

But I digress.

As I stated previously; targeting military networks can have far reaching, even strategic gains:

Crippling the network of a carrier group would be a punch to the solar plexus, which would allow for a follow-up attack, such as a swarm attack or suicide attack by aircraft and small watercraft. The combination of the two less-conventional and relatively inexpensive attack methods stands a good chance of forcing the carrier group to disengage until they can repair damage, replace assets, and restore their data network. This kind of ‘more bang for your buck’ is one of the key advantages of cyber warfare.

Note that neutralizing a carrier group borders on strategic, as these are key assets in any expeditionary force of modern warfare.

Wouldn’t you know it, the rumor mill suggests the BBC confirms that the HMS Ark Royal, an Invincible-class light aircraft carrier, was or still is affected. I guess their network isn’t invincible-class.

The fact that the worm spread through multiple networks and ultimately ended up on the carrier’s network demonstrates the potential a worm has for damage simply through the Achilles heel of interconnected systems: their very connectedness.

If this is in fact the conficker worm and not some one-off, custom job cooked up by someone intentionally targeting the MoD, I’d expect some heads to roll. It would be extremely disappointing to learn that a garden-variety* worm targeting a three month old vulnerability whipped some MoD ass.

*Conficker is neither exceptional nor cutting edge as worms go. In fact, the core vulnerability that conficker targets resides in the Windows Server service, which has been known to be vulnerable since at least 2006, and RPC attacks enjoy an even longer history. Given the core role the Windows Server service and RPC play in networking Windows machines, any shop deploying them as infrastructure should protect both at all costs.

Update:

According to the BBC, as of 1/20/09, this is still affecting the MoD and it has affected 70 sites. What’s interesting is the statement that it’s successfully redirected email traffic to email servers in Russia:

Conservative MP Mark Pritchard said he had been told by one defence official that e-mail traffic from some RAF stations had been re-directed to a Russian internet server as a result of the virus.

Officials note they don’t think the MoD was targeted, which leads me to believe it was indeed a garden-variety worm that hit them. The statement that email was redirected could be a product of the ‘fog’ of incident handling on such a large scale. However, if it’s true, I assume it happened because the email server or servers were compromised by the worm, which deployed a bot that phoned home, and the compromise was escalated through remote control of the bot.

More on conficker

After providing this wordy response to my friend about the conficker worm and defenses for it, he asked another simple question: “So if we patch within weeks of MS release we’re good?” To which I provided this less-than-simple answer: not completely.

The patch stops the primary propagation method and AV stops the payload. (This probably answers your question and the rest is me blathering on to show just how smart I am)

Think of a worm as an ICBM. Like an ICBM, the worm has several parts:

  1. A rocket to deliver a warhead to the target. The rocket is the propagation method(s). Having this mechanism defines it as a worm (self-propagating).
  2. The warhead is the reason for its existence, the doer of deeds. The warhead represents the payload. The warhead is lethal with or without the rocket. The warhead can be anything: a keystroke logger, often a downloader, or even a patch.

The conficker/downadup payload can be delivered in one of two ways:

  1. When the worm compromises a vulnerable server service and then has the service download the payload
  2. Through normal file sharing the payload can be dropped where it awaits execution

If you’ve already applied MS08-067 you are safe from being automatically compromised by the worm. You are still vulnerable to the worm’s payload being dropped on the server through removable or mapped drives. At that point your server would become a ‘carrier’ but not infected unless that payload gets executed on the server in the absence of effective AV. As a carrier (without having executed the payload), the server wouldn’t actively compromise other hosts. Other hosts would have to manually download and execute the payload, at which point it would infect that host, barring AV on that host.

For example, let’s say my laptop is compromised and I have write access to a share on your patched server. My host can deliver the payload to that share. If AV on that server doesn’t catch the malicious file, it will sit dormant and wait. It can’t do anything to the server automatically — someone must launch it on the server through RDP or console access. However, if you come along with your laptop, patched or otherwise, and download the malicious file and execute it, and your AV software doesn’t catch the payload as malicious, your laptop will be compromised and will then actively attempt to propagate the worm, even though it is patched.

A patched machine can still be compromised because MS08-067 only addresses conficker’s primary and automated method of propagation: malicious RPC traffic sent to the Server service. The patch does not address any payload the worm may deliver. That falls under the purview of AV. Further, the patch doesn’t address an already-compromised machine’s ability to continue to scan for other hosts to infect. This is because the payload does the scanning, not the compromised Server service. Even a patched machine that was previously compromised can continue to spew death across your network until the payload is removed.
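A defender-side illustration of that last point (an infected host keeps scanning for new victims even after it is patched), added here and not part of the original post: a small Python script that reads constructed firewall-style log lines and flags any source that fans out to many distinct hosts on TCP 445 (the Server service port the MS08-067 traffic rides on) inside a short window. The log format, the addresses, the 60-second window and the five-target threshold are all assumptions to be tuned for a real network.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines (not a real network) in an assumed firewall format:
# "<date> <time> <src> -> <dst>:<port> <proto> <action>". 10.1.2.15 fans out
# to six hosts on TCP 445 in seconds; 10.1.2.40 is ordinary file-share use.
SAMPLE_LOG = """\
2009-01-20 09:00:01 10.1.2.15 -> 10.1.2.20:445 tcp allow
2009-01-20 09:00:01 10.1.2.15 -> 10.1.2.21:445 tcp deny
2009-01-20 09:00:02 10.1.2.15 -> 10.1.2.22:445 tcp deny
2009-01-20 09:00:02 10.1.2.15 -> 10.1.2.23:445 tcp allow
2009-01-20 09:00:03 10.1.2.15 -> 10.1.2.24:445 tcp deny
2009-01-20 09:00:03 10.1.2.15 -> 10.1.2.25:445 tcp deny
2009-01-20 09:00:05 10.1.2.40 -> 10.1.2.50:445 tcp allow
2009-01-20 09:00:07 10.1.2.40 -> 10.1.2.50:80 tcp allow
2009-01-20 09:03:00 10.1.2.40 -> 10.1.2.51:445 tcp allow
garbage line that must be skipped
"""

LINE_RE = re.compile(r"^(\S+ \S+) (\S+) -> (\S+):(\d+) (\w+) (\w+)$")

def parse_line(line):
    """Parse one log line into a dict; return None for lines that don't match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, src, dst, port, proto, action = m.groups()
    return {"ts": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), "src": src,
            "dst": dst, "port": int(port), "proto": proto, "action": action}

def find_scanners(log_text, port=445, window_s=60, min_targets=5):
    """Return {src: peak distinct targets} for sources that reached at least
    min_targets different hosts on `port` inside any window of window_s seconds.
    Denied attempts count too: probing dead addresses is fan-out a user never makes."""
    events = defaultdict(list)  # src -> [(timestamp, dst), ...]
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev and ev["proto"] == "tcp" and ev["port"] == port:
            events[ev["src"]].append((ev["ts"], ev["dst"]))
    flagged = {}
    for src, evs in events.items():
        evs.sort()
        peak = 0
        for i, (start, _) in enumerate(evs):  # window starting at each event
            targets = {d for ts, d in evs[i:] if (ts - start).total_seconds() <= window_s}
            peak = max(peak, len(targets))
        if peak >= min_targets:
            flagged[src] = peak
    return flagged
```

Run against the sample, it reports only 10.1.2.15; a host flagged this way on a patched network is the "carrier that executed the payload" case described above and should be pulled off the segment and cleaned rather than merely re-patched.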

There is a lot of great information about worms in Jose Nazario’s book “Defense and Detection Strategies Against Internet Worms”. I think I’ll dust off my copy and review it in honor of conficker.