With all the buzz over the Conficker worm, it remains an open question at this point just how many enterprises will actually be affected.
Between the presence of tools to remove the Conficker infection, a patch for the Windows vulnerability it exploits and general awareness, it seems enterprises should have a good handle on the worm. Whether they do or not may depend on who you ask.
The folks at Damballa, a company focused on botnet detection, said Conficker was far from being a major problem in the typical enterprise.
“We do see Conficker compromises in enterprises, but they comprise a minority of the total number of compromises we see in these environments,” said Tripp Cox, vice president of engineering for Damballa. “The majority is the long tail of smaller botnets.”
Conficker, Cox noted, was neither a targeted nor a “low-and-slow” attack, so existing defenses performed reasonably well.
“Our experience with enterprises has been that they tend to do a good job of patch management, which diminished the propagation effects of Conficker in their networks,” he explained. “What compromises did occur, most enterprises were able to quickly track down based on their noisy, brute-force attempts to guess employee passwords.”
Still, someone was getting infected-at one point, security researchers put the number of compromised PCs at several million. In February, Fortinet’s threat research team estimated there were about 100,000 exploit attempts each day from Conficker. For March, there has been a slight drop in exploit attempts, but Fortinet expects that number to jump back up in April.
“You would have thought that something like Conficker would be a nonevent for enterprises,” said Mark Harris, global director of SophosLabs. “The patch was available early, it should be very straightforward to patch it, it spreads by no password or very, very simple ones … I think the experience that we’ve had over the past couple months is that security policies within organizations are not as good as they think they are.”
Given that it is unknown how Conficker will update itself next, enterprises still need to be on the alert for the worm’s next move. It should be noted though that while Conficker C will begin contacting new domains April 1, the actual update could theoretically be unleashed much later.
“As long as the hacker has not activated any domain, the worm cannot find any active one and thus the return of Conficker will never happen,” Nguyen Tu Quang, CEO of BKIS (Bach Khoa Internetwork Security), said in a statement. “In short, the return of the worm may be on April 1, 2, 3 … or even any arbitrary day, depending on the hacker.”
Quang was optimistic that the efforts of those fighting Conficker-the code of which BKIS researchers say is related to 2001’s Nimda worm-will make a difference.
“We also observe that with their great efforts, Microsoft and Conficker Cabal … have successfully taken control of at least 13 percent [of the] domain names that the Conficker writer may use,” Quang said. “That also means the spreading rate of the worm will be reduced by about 13 percent when it returns.”