More on conficker

After providing this wordy response to my friend about the conficker worm and defenses for it, he asked another simple question: “So if we patch within weeks of MS release we’re good?” To which I provided this less-than-simple answer: not completely.

The patch stops the primary propagation method and AV stops the payload. (This probably answers your question and the rest is me blathering on to show just how smart I am)

Think of a worm as an ICBM. Like an ICBM, the worm has several parts:

  1. A rocket to deliver a warhead to the target. The rocket is the propagation method(s). Having this mechanism defines it as a worm (self-propagating).
  2. The warhead is the reason for its existence, the doer of deeds. The warhead represents the payload. The warhead is lethal with or without the rocket. The warhead can be anything: a keystroke logger, often a downloader, or even a patch.

The conficker/downadup payload can be delivered in one of two ways:

  1. When the worm compromises a vulnerable server service and then has the service download the payload
  2. Through normal file sharing the payload can be dropped where it awaits execution

If you’ve already applied MS08-067 you are safe from being automatically compromised by the worm. You are still vulnerable to the worm’s payload being dropped on the server through removable or mapped drives. At that point your server would become a ‘carrier’ but not infected unless that payload gets executed on the server in the absence of effective AV. As a carrier (without having executed the payload), the server wouldn’t actively compromise other hosts. Other hosts would have to manually download and execute the payload, at which point it would infect that host, barring AV on that host.

For example, let’s say my laptop is compromised and I have write access to a share on your patched server. My host can deliver the payload to that share. If AV on that server doesn’t catch the malicious file, it will sit dormant and wait. It can’t do anything to the server automatically — someone must launch it on the server through RDP or console access. However, if you come along with your laptop, patched or otherwise, and download the malicious file and execute it, and your AV software doesn’t catch the payload as malicious, your laptop will be compromised and will then actively attempt to propagate the worm, even if it is patched.

A patched machine can still be compromised because MS08-067 only addresses conficker’s primary and automated method of propagation: malicious RPC traffic sent to the server service. The patch does not address any payload the worm may deliver. That falls under the purview of AV. Further, the patch doesn’t address an already-compromised machine’s ability to continue to scan for other hosts to infect. This is because the payload does the scanning, not the compromised server service. Even a patched machine that was previously compromised can continue to spew death across your network until the payload is removed.

There is a lot of great information about worms in Jose Nazario’s book “Defense and Detection Strategies Against Internet Worms”. I think I’ll dust off my copy and review it in honor of conficker.

Network worms are still effective

A good friend recently emailed me to ask if AV would protect his servers from the Conficker worm and I thought this would be a good opportunity to continue my anti-antivirus tirade.

The short answer to the question ‘will AV protect me from conficker’ is “somewhat.” Here’s why. Below are the typical phases of a worm, starting with the prime infection, usually done by seeding hosts/bots that are already under control through other compromises:

  1. Scan for vulnerable services on hosts
    (usually noisy and vulnerable to IPS/IDS/HIPS and draconian firewalling)
  2. Compromise vulnerable service
    (vulnerable to IPS/IDS/HIPS and maybe AV)
  3. Have owned service download payload
    (vulnerable to IPS/IDS and AV)
  4. Execute payload
    (vulnerable to HIPS)
  5. Repeat from step #1

Usually AV isn’t effective (or even relevant) until a file hits the system (step #3). Some AV suites have HIPS built in and may block the behavior at #2. But that is rare (obviously, given the effectiveness of worms still).
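Step #1 is the phase the post calls “noisy,” and that noise is exactly what a firewall log can surface long before AV ever sees a file. The following is an added example, not part of the original post: a small Python sliding-window detector that reads constructed firewall connection records (the field layout is an assumption, not any vendor’s real format) and flags any source that touches many distinct hosts on tcp/445 within a short window. The addresses, threshold and window size are all made up for the illustration.

```python
"""Flag the noisy scanning phase (step #1) from firewall connection logs.

Added example, not from the original post. The log lines below are
constructed to resemble a generic firewall's permit/deny records; the
field layout is an assumption, not any vendor's real format.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: "<timestamp> <action> <src_ip> -> <dst_ip>:<dst_port>"
SAMPLE_LOG = """\
2009-01-20T10:00:00 deny 10.0.5.23 -> 10.0.1.10:445
2009-01-20T10:00:01 deny 10.0.5.23 -> 10.0.1.11:445
2009-01-20T10:00:01 deny 10.0.5.23 -> 10.0.1.12:445
2009-01-20T10:00:02 permit 10.0.5.23 -> 10.0.1.13:445
2009-01-20T10:00:02 deny 10.0.5.23 -> 10.0.1.14:445
2009-01-20T10:00:03 deny 10.0.5.23 -> 10.0.1.15:445
2009-01-20T10:00:03 deny 10.0.5.23 -> 10.0.1.16:445
2009-01-20T10:00:04 deny 10.0.5.23 -> 10.0.1.17:445
2009-01-20T10:00:05 deny 10.0.5.23 -> 10.0.1.18:445
2009-01-20T10:00:05 deny 10.0.5.23 -> 10.0.1.19:445
2009-01-20T10:00:06 deny 10.0.5.23 -> 10.0.1.20:445
2009-01-20T10:00:07 permit 10.0.7.4 -> 10.0.1.10:445
2009-01-20T10:00:09 permit 10.0.7.4 -> 10.0.1.10:445
2009-01-20T10:03:00 permit 10.0.7.4 -> 10.0.1.11:445
"""

SMB_PORT = 445                  # port the server-service exploit travels over
WINDOW = timedelta(seconds=60)  # assumed sliding window
THRESHOLD = 10                  # assumed: distinct targets in WINDOW that we call a scan


def parse_line(line):
    """Return (timestamp, src, dst, port) or None for a malformed line."""
    parts = line.split()
    if len(parts) != 5 or parts[3] != "->":
        return None
    ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%S")
    dst, _, port = parts[4].rpartition(":")
    return ts, parts[2], dst, int(port)


def find_scanners(log_text, port=SMB_PORT, window=WINDOW, threshold=THRESHOLD):
    """Return {src_ip: max_distinct_targets} for sources that reach `threshold`
    distinct destination hosts on `port` inside any sliding `window`."""
    hits = defaultdict(list)    # src -> [(ts, dst), ...]
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec[3] == port:
            ts, src, dst, _ = rec
            hits[src].append((ts, dst))

    scanners = {}
    for src, events in hits.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # slide `start` forward so events[start..end] all fall inside `window`
            while events[end][0] - events[start][0] > window:
                start += 1
            targets = {dst for _, dst in events[start:end + 1]}
            if len(targets) >= threshold:
                scanners[src] = max(len(targets), scanners.get(src, 0))
    return scanners


if __name__ == "__main__":
    for src, n in find_scanners(SAMPLE_LOG).items():
        print(f"possible worm scan from {src}: {n} hosts on tcp/{SMB_PORT} "
              f"within {WINDOW.seconds}s")
```

Permit and deny records are counted alike, since a host fanning out to a dozen neighbours on 445 is suspicious whether or not the firewall let each attempt through; the second source, which only talks to two hosts, stays below the threshold.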

Your best bet is to apply the patch as soon as you can. It was released in October so it’s had plenty of vetting. Most AV does detect the payload, but AV can be inaccurate and unreliable these days and is reactive by nature. If AV alerts on the file, that means steps 1 and 2 have been successful. With enough compromised hosts on your network scanning and attacking, it could DoS the service on vulnerable hosts, even though AV is catching the payload.

My main beef with AV can be read here.

There is also a lot of good information in the comments of this post where I contemplate what a future AV package could look like.

The moral of the story is that AV will help but should be part of a layered solution. The solution that has worked very well for us so far is:

  1. Draconian firewall rules (egress and ingress)
  2. IPS units backing up all firewalls to protect open ports
  3. Automated patch management
  4. HIPS software on all laptops
  5. Defined and practiced incident response

On Cyber War

Recent cyber attacks on Israel may appear to be an aspect of cyber warfare, but in reality they’re merely cyber activism.

From Globes online:

Quantity, not quality, is the guideline of hackers trying to shut down Israeli websites in response to Operation Cast Lead. Information security solutions developer Applicure Technologies Ltd. (TASE:APCR) reports a multifold increase in hacking at Israeli websites, as well as a large increase in attempts to hack protected websites.

We’re hearing more and more of cyber attacks associated with physical attacks: Estonia, Georgia, and now Israel. More often than not the attacks (usually website defacements or distributed denial of service (DDoS) attacks) are perpetrated by a loose-knit group of decentralized actors (open source warfare) rather than a well organized attack orchestrated by a military, government, or other hierarchical entity. But as the tactics develop and effectiveness increases, cyber attacks will become more mainstream, just as other technologies of warfare develop and we progress further into 5th generation warfare or 5GW.

But the key question is: in the grand scheme of warfare, just how effective are cyber attacks? The current state of the art has for the most part been low-scale and minimally effective for several reasons. Obviously the more developed and connected a target is, the more potential cyber attacks have for disruption. Also, the better organized and developed the cyber ‘army’ is, the more effective they will be. That doesn’t mean the cyber army has to be centralized, merely organized in a way that provides meaningful intelligence, attack cohesion and relevancy, etc. Most cyber attacks that we’ve seen associated with armed conflict have been largely disorganized, perpetrated by ad-hoc organizations, and have largely been centered around propaganda dissemination rather than system disruption.

In other words, the majority of what we’ve seen so far has mainly been cyber activism: defacing websites with propaganda, spamming propaganda, etc. Taken by itself this has minimal effect on the outcome of physical warfare and should probably be a sub-category of psychological warfare.

So what are the gains of cyber warfare when it’s properly implemented? I’ll organize a few examples into two categories: tactical and strategic gains.

Tactical gains

Forget about website defacement; imagine if one could disrupt satellites and hinder GPS guided bombs, like the GBU-39 Small-Diameter Bomb (SDB) that Israel is currently deploying in large numbers. Better yet, imagine being able to control those satellites and redirect those bombs to a target of your choice (a hospital or baby formula factory if that’s your style). But let’s not stop there: now that we control the satellites, we don’t just have control of bombs, but to a lesser extent war planes, UAVs, and any other weapon system that relies heavily on GPS positioning.

Imagine compromising the enemy’s C4ISR infrastructure and not only knowing where all enemy assets are, but having the ability to provide false information (at least a few times before being discovered).

Crippling the network of a carrier group would be a punch to the solar plexus, which would allow for a follow-up attack, such as a swarm attack or suicide attack by aircraft and small watercraft. The combination of the two less-conventional and relatively inexpensive attack methods stands a good chance of forcing the carrier group to disengage until they can repair damage, replace assets, and restore their data network. This kind of ‘more bang for your buck’ is one of the key advantages of cyber warfare.

Note that neutralizing a carrier group borders on strategic, as these are key assets in any expeditionary force of modern warfare.

Strategic gains

Nearly all national economies are tied to the Internet and utilize a computer network of some sort. A concerted, long term disruption of these systems could seriously impact the enemy’s economy. Cyber attacks on oil bourses, stock exchanges, etc. could reduce the ability of a country to generate revenue and fund their campaign. This could also help subvert the people’s hearts and minds, turning the populace against the war effort.

Cyber attacks on key industries could disrupt a country’s ability to produce weapon systems. For example, if an enemy were to continuously disrupt or outright destroy data and information systems for Northrop Grumman, they could have a severe impact on the production of UAVs, which the US military has come to heavily utilize.

Theft of military and industrial secrets could provide a needed boost to a state. Just look at China, one of the leaders in emerging cyber warfare and certainly adept at espionage.

The list goes on; electrical grids (collateral damage to industry, economy, etc), cell phone grids, nuclear power plants (destruction of which would also be a physical attack), commercial shipping entities, etc.

Cyber warfare has huge potential and we’re only seeing the earliest stages of it now. As its effectiveness develops and as the world embraces ‘teh intarwebs’ we’ll begin to see a whole new way to wage war by smaller and smaller players, both state and non-state.

Invigorate Postini

One of the best features of Postini is the ability to write custom content filters. I leverage these to snipe spam that Postini doesn’t catch. One of my most effective (24,000+ caught in 42 days) is a filter I’ve titled ‘invigorate:’

Subject Line matches regex “(Viagra|Cialis)” AND Body contains text “http://”

This will catch anything with either “viagra” or “cialis” in the subject line and a hyperlink anywhere in the body.
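The rule is simple enough to reproduce outside of Postini, which is handy for testing a candidate filter against a mailbox before turning it on. The following is an added example, not Postini’s own code or filter engine: it parses constructed RFC 2822 messages with Python’s `email` module and applies the two conditions from the ‘invigorate’ rule in order, skipping the body check whenever the subject test fails. Case-insensitive subject matching is an assumption made here, chosen to match the “either viagra or cialis” reading above; the sample messages and the `example.invalid` addresses are made up.

```python
"""Re-implement the 'invigorate' content filter described above.

Added example, not Postini's own code. Messages below are constructed
RFC 2822 text. Rule, as in the post:
  Subject matches regex (Viagra|Cialis)  AND  body contains "http://"
"""
import email
import re
from email import policy

# Assumption: treat the subject regex as case-insensitive.
SUBJECT_RE = re.compile(r"(Viagra|Cialis)", re.IGNORECASE)
LINK_TEXT = "http://"


def message_body_text(msg):
    """Concatenate the decoded text of every text/* part (plain or html)."""
    chunks = []
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            chunks.append(part.get_content())
    return "\n".join(chunks)


def invigorate_matches(raw_message):
    """Return True when the message would be caught by the 'invigorate' rule."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    subject = msg["subject"] or ""
    if not SUBJECT_RE.search(subject):
        return False            # first condition fails; body is never inspected
    return LINK_TEXT in message_body_text(msg)


# Constructed sample messages (not real spam captures)
SPAM = """\
From: deals@example.invalid
To: me@example.invalid
Subject: Cheap VIAGRA today only

Click http://example.invalid/order now!
"""

LEGIT_NO_LINK = """\
From: pharmacist@example.invalid
To: me@example.invalid
Subject: Question about Cialis dosage

Please call the office; no links needed.
"""

LEGIT_NO_KEYWORD = """\
From: friend@example.invalid
To: me@example.invalid
Subject: weekend photos

They are at http://example.invalid/photos
"""

if __name__ == "__main__":
    samples = [("SPAM", SPAM), ("LEGIT_NO_LINK", LEGIT_NO_LINK),
               ("LEGIT_NO_KEYWORD", LEGIT_NO_KEYWORD)]
    for name, text in samples:
        verdict = "quarantine" if invigorate_matches(text) else "deliver"
        print(f"{name}: {verdict}")
```

Walking every text/* part matters for the body test: spam that carries its link only in an HTML alternative would otherwise slip past a check that looked at the first part alone.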

Sometimes the simplest things are the most effective.

When the money is gone

This year we’ve had to take a chainsaw to our security budget and jettison literally everything except maintenance upkeep.

This presents a good opportunity to go through and clean house. One of the things I’ve started is to bring all appliances to the same software version, across the board. Another thing I’m doing is auditing configs and ensuring all security devices and appliances are syncing time and are all on GMT time zone, which makes event correlation much easier across disparate devices.
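Putting every appliance on GMT pays off the moment two devices describe the same event. As an added example, not from the original post, the Python below takes constructed records from two devices, one still set to US Eastern (UTC-5 in January, an assumed setting for a device called “fw1”) and one already on GMT (“ips1”), and shows how sorting on the raw local clocks misorders them while converting to UTC first gives the true sequence. Device names, zone assignments and log messages are all made up.

```python
"""Merge events from two appliances into one UTC timeline.

Added example, not from the original post. Records are constructed:
"fw1" is assumed to be on US Eastern time (UTC-5 in January), while
"ips1" is already on GMT, the mismatch a time-zone audit would surface.
"""
from datetime import datetime, timedelta, timezone

EASTERN = timezone(timedelta(hours=-5))   # assumed zone of "fw1"
GMT = timezone.utc

# Constructed records: (device, local timestamp string, message)
RAW_EVENTS = [
    ("fw1",  "2009-01-20 05:00:02", "deny tcp 10.0.5.23 -> 10.0.1.10:445"),
    ("ips1", "2009-01-20 10:00:03", "alert: server service exploit attempt 10.0.5.23 -> 10.0.1.10"),
    ("fw1",  "2009-01-20 05:00:05", "deny tcp 10.0.5.23 -> 10.0.1.11:445"),
]
DEVICE_TZ = {"fw1": EASTERN, "ips1": GMT}


def to_utc(device, local_ts):
    """Interpret a device's naive timestamp in its configured zone; return UTC."""
    naive = datetime.strptime(local_ts, "%Y-%m-%d %H:%M:%S")
    return naive.replace(tzinfo=DEVICE_TZ[device]).astimezone(GMT)


def naive_timeline(events=RAW_EVENTS):
    """Order of devices you get by sorting on the raw local clocks (wrong)."""
    return [device for device, ts, _ in sorted(events, key=lambda e: e[1])]


def correlated_timeline(events=RAW_EVENTS):
    """Events sorted on UTC time, as (utc_iso, device, message) tuples."""
    norm = [(to_utc(device, ts), device, msg) for device, ts, msg in events]
    norm.sort(key=lambda e: e[0])
    return [(t.isoformat(), device, msg) for t, device, msg in norm]


if __name__ == "__main__":
    print("raw clock order:", naive_timeline())
    for t, device, msg in correlated_timeline():
        print(t, device, msg)
```

With the clocks normalized, the firewall deny, the IPS alert and the next firewall deny line up a second apart, which is the picture an analyst needs; on raw timestamps the IPS alert would appear five hours after both firewall entries.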

I’ve also been tuning HIPS rules and looking for places to be more creative with protection (like web browser protection rules).

This is also a good time to audit OS patching mechanisms, ensuring that all hosts are checking in, downloading and installing all updates, etc. The same goes for your AV software.

Lastly, this is a great opportunity to either audit existing policies or start implementing new ones. One of the biggest hurdles in implementing policies is the flaming, bureaucratic hoops that have to be jumped through in order to get a policy implemented. Now that we have no money to purchase new gear, I can focus more time on that.