Tech & U

Patch management turns critical

2009/03/13

First detected last October, the Conficker worm has since infected over eight million computers worldwide. Derek Brown, security researcher at TippingPoint DVLabs, talks about the worm and strategies companies can take to secure the network.

Brown says there is no singular significance to the blended threat of Conficker, but the issue is that Conficker has become so pervasive that it exploits vulnerabilities in software.

The Conficker/Downadup worm spreads through vulnerable networks by means of a blended attack vector. Although the worm was initially successful in generating infections on unpatched Windows machines, once inside the network it can either self-propagate by brute-force password guessing or trick users with portable storage devices into running an executable program.

There is no singular significance to this blended threat, but the issue is that Conficker has become so pervasive, due to its eclectic infection strategy, that it exploits vulnerabilities in software.

The presence of unpatched machines in a corporate intranet is often the only security hole that a worm or virus needs to gain a foothold in the network infrastructure. That’s why security administrators must be both diligent and vigilant when it comes to patch management.

Malware authors have come a long way. The most successful worms (success in this context meaning gross infections over time) now rely on multiple attack vectors to ensure fruitful propagation. Remember the Nimda worm? By some accounts, Nimda became the most widespread computer worm in the world a mere 22 minutes after its release.

Nimda spread throughout the Internet rapidly by placing copies of itself on otherwise innocuous Web sites and by exploiting a collection of directory traversal vulnerabilities in Microsoft’s Internet Information Services Web server. Conficker raises the stakes by adding brute force password enumeration over mounted server message block shares.

When Conficker attempts to brute-force passwords on a host, the IPS can be configured to block further attempts from that source. The threshold at which alerts trigger the block reaction may need to be tuned by the IPS administrator so that legitimate users who mistype a password are not locked out.
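The threshold logic the IPS administrator tunes, written out as an added example that is not from the article or from TippingPoint: a source is flagged once it produces a configurable number of failed SMB logons inside a sliding time window. The log format and the sample lines are constructed for this illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (not real traffic): one failed SMB logon per line.
SAMPLE_LOG = """\
2009-03-13 09:00:01 FAILED_LOGON src=10.0.0.23 user=administrator share=ADMIN$
2009-03-13 09:00:02 FAILED_LOGON src=10.0.0.23 user=administrator share=ADMIN$
2009-03-13 09:00:03 FAILED_LOGON src=10.0.0.23 user=admin share=ADMIN$
2009-03-13 09:00:04 FAILED_LOGON src=10.0.0.23 user=guest share=ADMIN$
2009-03-13 09:00:05 FAILED_LOGON src=10.0.0.23 user=backup share=ADMIN$
2009-03-13 09:00:06 FAILED_LOGON src=10.0.0.23 user=root share=ADMIN$
2009-03-13 09:00:30 FAILED_LOGON src=10.0.0.77 user=jsmith share=FILES
2009-03-13 09:05:00 FAILED_LOGON src=10.0.0.77 user=jsmith share=FILES
"""

def parse_event(line):
    """Parse one line into (timestamp, source, user); None for malformed lines."""
    parts = line.split()
    if len(parts) < 5 or parts[2] != "FAILED_LOGON":
        return None
    fields = dict(p.split("=", 1) for p in parts[3:] if "=" in p)
    if "src" not in fields or "user" not in fields:
        return None
    try:
        ts = datetime.strptime(f"{parts[0]} {parts[1]}", "%Y-%m-%d %H:%M:%S")
    except ValueError:
        return None
    return ts, fields["src"], fields["user"]

def detect_bruteforce(log_text, threshold=5, window_seconds=60):
    """Flag sources with >= threshold failures inside any window_seconds span.
    Returns {source: (time_first_flagged, distinct_users_tried_so_far)}."""
    recent = defaultdict(deque)   # source -> failure timestamps still in window
    users = defaultdict(set)      # source -> distinct user names attempted
    flagged = {}
    window = timedelta(seconds=window_seconds)
    for line in log_text.splitlines():
        ev = parse_event(line)
        if ev is None:
            continue                # skip anything that is not a failed logon
        ts, src, user = ev
        q = recent[src]
        q.append(ts)
        users[src].add(user)
        while q and ts - q[0] > window:
            q.popleft()             # expire failures older than the window
        if len(q) >= threshold and src not in flagged:
            flagged[src] = (ts, len(users[src]))
    return flagged

if __name__ == "__main__":
    for src, (when, n) in detect_bruteforce(SAMPLE_LOG).items():
        print(f"{when} block {src}: brute-force pattern, {n} distinct usernames tried")
```

Lowering the threshold or widening the window catches slower guessing but also sweeps up a user who mistypes a password a few times, which is the trade-off the tuning paragraph above describes.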

But Conficker has another ace in the hole: it can gain entry to a network by hitching a ride on an infected portable storage device.

Another leg of this blended attack relies on users’ familiarity with the Windows Autoplay menu. By default, the auto-run feature in Windows is enabled for all removable devices. If an infected portable storage device is introduced to a computer with auto-run enabled, then the worm will add an Execute option to the familiar pop-up menu.

Why would anyone knowingly give this worm access to their system? Because the malware author has disguised the Execute option to look like a simple folder-browsing action, right down to the familiar folder icon. Of course, the most effective means of preventing infection through this vector is to prudently restrict the use of portable storage media inside the network. Then again, it certainly wouldn’t hurt to disable the auto-run feature on your Windows machines.

From the standpoint of the network administrator, Conficker is a virulent nightmare. For the security researcher, it’s still a nightmare, but an interesting one. As malware authors become more savvy, we will continue to see more sophistication in the methodology of worm infection. The blended strike approach illustrates why the network must be secured against malicious traffic and offensive activity through a best-practices strategy.
