Conficker worm: Preparation tips for a possible attack

Worms like the Conficker worm often lie 'dormant' on systems.

For weeks or months at a time they won't do anything which a conventional anti-virus product would detect as malicious. 

Worms often update themselves automatically, giving an attacker the ability to deliver brand new code to the worm just before launching the attack.

This is why it is difficult to predict what the worm may do on 1 April, said Robert Pregnell, senior manager, regional product management of Endpoint Security at Symantec.

"With over 9 million computers already compromised by the worm, this gives the attacker an enormous 'army' of computers from which the attack can be launched," he said.

"While email or other programs on a compromised computer could stop working, this would have little financial benefit to the attacker."

He said the compromised computers will be used to conduct a distributed denial of service attack on other systems or organisations, or to send spam or phishing emails to many thousands of other users, to gain monetary profit for the attacker.

Pregnell told CRN this worm leverages a common vulnerability which was patched long ago. 

"The high number of infected computers (estimated at 9 million already) is really a graphic reminder of the number of computers which simply have not been patched by running Windows Update as a first step to ensuring you have adequate defences in place," he said.

IT service providers must ensure their customers' security software has the latest updates for effective protection.

"Ensure the security software provides behavioural and heuristics protection, and intrusion prevention capabilities, in addition to conventional signature-based defences," said Pregnell.

"Enforce a password policy which requires users to have a mixture of letters, numbers and special characters in their password.

"This prevents the dictionary-based password-guessing algorithm from guessing your password."

On open shares across a network (shares which do not require a password), Pregnell said: 'Do NOT allow'.

"Worms like Conficker prey heavily on these security weaknesses, giving them the ability to infect other computers extremely quickly," he said.

Nathan Wang, director of technology at Kaspersky Lab APAC, said it believes fighting only at the host level, or workstation and server level, might not be an effective way to fight against the Conficker worm.

"We do not have any information to predict specific behaviour or tricks on 1 April to fool people," he said.

"At the system integrator level, we advise [service providers] to help their customers by installing the right anti-virus program on different layers inside their network.

"They should also help their customers to patch all vulnerabilities, especially those that are Microsoft-related, as it's likely that re-infections will occur."
