Why Web Site Security Matters to Us All

For the past several months, some of the sharpest minds in the security community have teamed up to block cyber criminals from wresting control over what may be one of the largest armies of hacked computers ever built. While those efforts are ongoing and so far appear effective, all of that work could be undone thanks to the lax security of a single Web site.

The scourge in question is the Conficker worm, a contagion that has infected tens of millions of Microsoft Windows machines since its birth in November. Experts figured out early on that Conficker was a two-stage threat because it tells infected systems to contact a list of 250 different domain names each day. If just one of those domains is registered by the virus writer, the thinking goes, it could be used to download an as-yet unknown secondary component to all infected systems, such as malicious software or spamming instructions.

As a result, this so-called Conficker Cabal of researchers and policymakers set about registering or otherwise reserving those domains that the Conficker-infected systems will seek for several months into the future, thereby preventing the Conficker authors from updating infected systems with the real payload.

Still, the cabal couldn't register all of those domains. In fact, many of them happen to have already been registered by (apparently legitimate) individuals or businesses. I bring this up because earlier this week, experts began raising the alarm that millions of Conficker-infected systems on March 13 would begin seeking updates from wnsux.com, a domain owned by Southwest Airlines. As speculation began to swirl around whether this might create problems for Southwest's Internet servers, the airline opted for the simple approach: effectively closing down the domain, if only temporarily.

But this scenario will play out many more times over the lifespan of this malware family, and experts expect it to remain a threat for years to come. Just because these domains are already registered or in use by seemingly legitimate businesses and individuals doesn't mean those domains are useless to the criminals looking to regain control over millions of Conficker-infested systems.

The reality is that those crooks would need only to find a single security hole in the software used to power those Web sites. At that point, they could then plant the update and the special encryption key needed to trigger that update in Conficker-infected systems that visit the site on the appointed day.

Hopefully, the cabal will continue to reach out to the owners of the domains that are already registered and ensure that any security holes are sewn up before those sites are sought out by the Conficker botnet. To me, this illustrates how vital it is that all Internet users -- even those who operate seemingly obscure Web sites -- understand the role they can play in helping to keep the Internet out of the hands of the bad guys.
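The daily rendezvous behaviour described above is something a site or network operator can look for in their own resolver logs. The following is an added example, not code from the original post or from the Conficker Cabal: it scores clients by the number of distinct names that failed to resolve in one day and by contact with a watch list of reserved domains. The log format, the `.example` names, the watch list and the threshold are all constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample resolver log, "timestamp client qname rcode" (assumed format).
SAMPLE_LOG = """\
2009-03-13T08:00:01 10.0.0.5 www.example.org NOERROR
2009-03-13T08:00:02 10.0.0.9 xkqwe.example NXDOMAIN
2009-03-13T08:00:02 10.0.0.9 pzrrt.example NXDOMAIN
2009-03-13T08:00:03 10.0.0.9 svwxc.example NOERROR
2009-03-13T08:00:04 10.0.0.9 bmvla.example NXDOMAIN
2009-03-13T08:00:05 10.0.0.5 mail.example.org NOERROR
2009-03-13T08:00:06 10.0.0.9 qqzzd.example NXDOMAIN
"""

# Hypothetical per-day watch list: names a coordinating group has reserved or
# flagged for that day's sweep (constructed values, not real Conficker data).
WATCHLIST_BY_DAY = {"2009-03-13": {"svwxc.example", "pzrrt.example"}}

def parse_log(text):
    """Yield (day, client, qname, rcode) from the constructed log format."""
    for line in text.splitlines():
        ts, client, qname, rcode = line.split()
        day = datetime.fromisoformat(ts).strftime("%Y-%m-%d")
        yield day, client, qname.lower(), rcode

def analyze(text, watchlist=WATCHLIST_BY_DAY, nx_threshold=3):
    """Score each client; returns {client: {nxdomains, watchlist_hits, suspicious}}."""
    nx = defaultdict(set)     # (day, client) -> distinct names that failed to resolve
    hits = defaultdict(list)  # client -> watch-listed names it looked up
    for day, client, qname, rcode in parse_log(text):
        if rcode == "NXDOMAIN":
            nx[(day, client)].add(qname)
        if qname in watchlist.get(day, set()):
            hits[client].append(qname)
    report = {}
    for client in {c for _, c in nx} | set(hits):
        # Peak number of distinct failed lookups on any single day.
        peak = max((len(v) for (_, c), v in nx.items() if c == client), default=0)
        report[client] = {
            "nxdomains": peak,
            "watchlist_hits": sorted(hits.get(client, [])),
            # Many distinct failed lookups in a day, or any contact with a
            # reserved rendezvous name, merits an incident-response look.
            "suspicious": peak >= nx_threshold or bool(hits.get(client)),
        }
    return report

if __name__ == "__main__":
    for client, info in sorted(analyze(SAMPLE_LOG).items()):
        print(client, info)
```

A client with ordinary traffic (10.0.0.5) never appears in the report; the one sweeping through short, unregistered names (10.0.0.9) is flagged on both counts.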

Update, Mar. 8, 5:46 p.m. ET: As many in the security community have feared for some time now, a new version of Conficker has been detected that tells infected systems to seek updates from not just 250 potential domains but 50,000 different domains each day. More on this variant from Symantec.

By Brian Krebs  |  March 6, 2009; 11:06 AM ET
Categories: From the Bunker, Web Fraud 2.0 | Tags: 2.0, conficker cabal, web security, worm

Comments

Just in case you're not depressed enough from reading that:

https://forums2.symantec.com/t5/Malicious-Code/W32-Downadup-C-Digs-in-Deeper/ba-p/393245#A249

The Conficker Cabal was scrambling to lock down 250 domains a day. Now they have 50,000 a day to worry about.

Posted by: AlphaCentauri | March 7, 2009 10:09 AM

Brian,
Always enjoy your posts - find them very informative. I wonder why, however, you don't include the 'Tool Box' in your posts.
Many times I would like to share your info by e-mail but am unable to do so.
Steve

Posted by: stevel1 | March 9, 2009 12:51 AM

Scrawlr 1.0 -- a freebie download from HP -- is supposed to examine websites for threats.

WHAT SAY YOU about this free tool and are there any other FREE TOOLS useful in examining web sites?

Posted by: brucerealtor@gmail.com | March 9, 2009 3:47 AM

@Brian, you overlook a powerful force multiplier in DNS exploits. The bad guys just need to subvert DNS entries for the "phone home" addresses and their 'bots get right past the Conficker Cabal countermeasures. Even if it doesn't get all the compromised systems it will get many of them updated.

@brucerealtor, I believe Scrawlr examines websites for SQL injection vulnerabilities. I have yet to use it or any of the many other free SQL injection assessment tools that a quick web search discovered, but it would be a good idea to do such assessments. Note that it's a good idea to vet such tools before use; you don't want one that's unreliable or, even worse, malicious! Also, remember that none of them will cover everything, and SQL injection is just one of several serious concerns, but at least it's a start.

Posted by: bruce_mcculley | March 9, 2009 12:26 PM


© 2010 The Washington Post Company