nCircle Sync Blog

Protecting Your Enterprise from Conficker

Over the last several days there have been many news reports regarding the size and spread of the Conficker worm.

Note: updated on 1/21/09 to include information from US-CERT on AutoRun. See below.

The Knowns

  • We know that the malware infects computers not yet patched with Microsoft MS08-067.
  • We know that the worm is also spreading via removable media devices and is being helped by Windows Autorun.
  • We know that with nCircle products, you can detect the vulnerability and mitigate the risk on your enterprise network.

    Risk Detection

    nCircle IP360 customers have been able to detect this vulnerability since the release of ASPL-270, delivered on Oct. 23, 2008 in accordance with our 24 hour Microsoft SLA. The vulnerability is named "MS08-067: Microsoft Windows Server Service RPC Handling Remote Code Execution". Using IP360, customers can easily discover hosts across their enterprises that lack the Microsoft patch. (Hint: use Focus and search for "MS08-067".)
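As an added example (not from the original post or from nCircle), here is a per-host PowerShell check that complements the scanner's network-side view. It assumes the knowledge-base number Microsoft assigned to MS08-067, KB958644, and reads the WMI Win32_QuickFixEngineering class; the function names and report layout are this example's own.

```powershell
# Added example, not code from the original post or from nCircle.
# KB958644 is the knowledge-base number of the MS08-067 update; the function
# names and the report layout are this example's own.

function Get-NetapiVersion {
    # netapi32.dll is the module MS08-067 replaces, so its file version is the
    # authoritative indicator: compare it with the file table in the bulletin.
    # This reads the local copy only.
    $path = Join-Path $env:SystemRoot 'System32\netapi32.dll'
    if (-not (Test-Path $path)) { return $null }
    return (Get-Item $path).VersionInfo.FileVersion
}

function Test-MS08067Patch {
    param([string]$ComputerName = '.')

    # Win32_QuickFixEngineering lists updates installed by Windows Update or the
    # standalone package; an update delivered some other way can be missing, so
    # "not present" is a lead to confirm with the scanner or the file version.
    $hotfix = @(Get-WmiObject -Class Win32_QuickFixEngineering `
                              -ComputerName $ComputerName `
                              -Filter "HotFixID = 'KB958644'" `
                              -ErrorAction Stop)

    $present = ($hotfix.Count -gt 0)
    $installedOn = $null
    if ($present) { $installedOn = $hotfix[0].InstalledOn }

    $version = 'n/a (remote host)'
    if ($ComputerName -eq '.') { $version = Get-NetapiVersion }

    New-Object PSObject -Property @{
        ComputerName    = $ComputerName
        KB958644Present = $present
        InstalledOn     = $installedOn
        Netapi32Version = $version
    }
}

# Usage: the local host, or every host named in a text file, listing the
# ones that still need the patch.
Test-MS08067Patch | Format-List
# Get-Content .\hosts.txt | ForEach-Object { Test-MS08067Patch -ComputerName $_ } |
#     Where-Object { -not $_.KB958644Present } | Format-Table -AutoSize
```

The QFE query answers "was the package installed", while the scanner answers "is the host still exploitable"; when the two disagree, the netapi32.dll version against the bulletin's file table is what settles it.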

    IP360-MS08-067.png

    Risk Mitigation
    Public reports indicate that the Conficker worm has already made its way inside enterprise networks. On January 16th 2009, F-Secure estimated over 8.9 million hosts were infected with the worm. In addition to detecting and patching the vulnerability, enterprises should use centrally managed configuration settings to close the worm's second infection vector. We know the malware is also spreading on removable media devices: when an infected device moves from computer to computer, the malware launches automatically because of Windows' AutoRun feature. Sound advice, even when a worm is not on the loose, is to disable AutoRun. nCircle customers using Configuration Compliance Manager can centrally determine which endpoints lack this configuration directive.
    Setting the Policy Using Group Policy Management
    Open your favorite Group Policy management tool and navigate to the AutoPlay Policies section. For Windows Vista, the settings are found under "Computer Configuration / Policies / Administrative Templates / Windows Components / AutoPlay Policies". The two policies to investigate are "Turn off AutoPlay" (enable it for all drives) and "Default Behavior for AutoRun" (enable it and select "Do not execute any autorun commands").

    DefaultAutoRunBehavior.png

    TurnOffAutoPlay.png


    Using Configuration Compliance Manager

    A number of published standard configurations recommend disabling AutoPlay, and most are already bundled with Configuration Compliance Manager. In this example I reference the Common Configuration Enumeration entry for the AutoPlay settings: CCE-44 states that AutoPlay shall be disabled for all drive types. Within Configuration Compliance Manager, this setting is named "Disable Autorun for all drives".

    CCE-44.png


    Finally, customers using nCircle Suite360 Security Intelligence Hub have the opportunity to aggregate the findings from all nCircle products to deliver an executive dashboard displaying their current enterprise risk.

    SIH-mitigated-and-risk.png

    Update 1/21/09

    According to a US-CERT technical advisory posted on 1/20/09, Microsoft's documented steps for disabling AutoRun are not completely effective:

    Disabling AutoRun on Microsoft Windows systems can help prevent the spread of malicious code. However, Microsoft's guidelines for disabling AutoRun are not fully effective, which could be considered a vulnerability.
    The Autorun and NoDriveTypeAutorun registry values are both ineffective for fully disabling AutoRun capabilities on Microsoft Windows systems. Setting the Autorun registry value to 0 will not prevent newly connected devices from automatically running code specified in the Autorun.inf file. It will, however, disable Media Change Notification (MCN) messages, which may prevent Windows from detecting when a CD or DVD is changed. According to Microsoft, setting the NoDriveTypeAutorun registry value to 0xFF "disables Autoplay on all types of drives." Even with this value set, Windows may execute arbitrary code when the user clicks the icon for the device in Windows Explorer.
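As an added example (not code from the original post, from nCircle or from US-CERT), the following PowerShell audit reads the registry values behind the two Group Policy settings from the "Setting the Policy" section above, plus the Cdrom Autorun value the advisory calls out and the Autorun.inf INI-file mapping workaround the same advisory recommends. The registry paths and values are Microsoft's documented policy locations; the function names and the pass/fail logic are this example's own. Run it elevated so HKLM is readable.

```powershell
# Added example, not code from the original post, from nCircle or from US-CERT.
# Registry paths/values are Microsoft's documented policy locations; function
# names and pass/fail logic are this example's own.

function Get-RegValue {
    param([string]$Path, [string]$Name)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($item -eq $null) { return $null }
    return $item.$Name
}

function New-Row {
    param([string]$Check, $Value, $Pass, [string]$Source)
    New-Object PSObject -Property @{ Check = $Check; Value = $Value; Pass = $Pass; Source = $Source }
}

function Test-AutorunHardening {
    $machinePolicy = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    $userPolicy    = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    $cdromService  = 'HKLM:\SYSTEM\CurrentControlSet\Services\Cdrom'
    $iniMapping    = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf'
    $rows = @()

    # "Turn off AutoPlay" enabled for all drives writes NoDriveTypeAutoRun = 0xFF
    # (one bit per drive type). The policy exists per machine and per user, so
    # either hive satisfies the check.
    $m = Get-RegValue $machinePolicy 'NoDriveTypeAutoRun'
    $u = Get-RegValue $userPolicy    'NoDriveTypeAutoRun'
    $rows += New-Row 'NoDriveTypeAutoRun (HKLM / HKCU)' "$m / $u" `
                     (($m -eq 0xFF) -or ($u -eq 0xFF)) 'Turn off AutoPlay, all drives'

    # "Default Behavior for AutoRun" = "Do not execute any autorun commands"
    # writes NoAutorun = 1.
    $n = Get-RegValue $machinePolicy 'NoAutorun'
    $rows += New-Row 'NoAutorun (HKLM)' $n ($n -eq 1) 'Default Behavior for AutoRun'

    # The Cdrom service's Autorun value is the one the advisory says does not
    # stop Autorun.inf from running; it only suppresses media-change
    # notification. Reported so that Autorun = 0 is not mistaken for a control.
    $c = Get-RegValue $cdromService 'Autorun'
    $rows += New-Row 'Cdrom\Autorun' $c 'n/a' 'informational only, not a mitigation'

    # The advisory's additional step: map Autorun.inf to a nonexistent INI
    # section so Windows reads every Autorun.inf as empty.
    $map = (Get-ItemProperty -Path $iniMapping -ErrorAction SilentlyContinue).'(default)'
    $rows += New-Row 'IniFileMapping\Autorun.inf' $map ($map -eq '@SYS:DoesNotExist') `
                     'US-CERT advisory workaround'

    return $rows
}

$result = Test-AutorunHardening
$result | Format-Table Check, Value, Pass, Source -AutoSize
if (@($result | Where-Object { $_.Pass -eq $false }).Count -gt 0) {
    Write-Warning 'AutoRun is not fully disabled on this host.'
}

# To apply the advisory's mapping workaround (elevated; $iniMapping as above):
#   New-Item -Path $iniMapping -Force | Out-Null
#   Set-ItemProperty -Path $iniMapping -Name '(default)' -Value '@SYS:DoesNotExist'
```

The point of checking the three locations together is the one the advisory makes: a host can show NoDriveTypeAutoRun = 0xFF and Cdrom\Autorun = 0 and still run Autorun.inf when the user double-clicks the drive, so the mapping entry is the check that actually distinguishes a hardened host from one that merely has the policy set.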



Comments (1)

Andrew,
Will nCircle be publishing an ASPL (post 289) that will allow network-based detection of Conficker infected hosts based on the fingerprint Kaminsky & Werner discovered over the weekend? If so, when?



About

This page contains a single entry from the blog posted on January 19, 2009 2:00 PM.



Bio

Blog: Sync
Author: Andrew Storms

As nCircle's Director of Security Operations, Andrew Storms is responsible for the definition and enforcement of the company's security compliance programs as well as overseeing day-to-day operations for the Information Technology department.

Andrew's commentary on IT security issues has appeared in CNBC, Forbes and The New York Times, as well as many other publications. He is a Certified Information Systems Security Professional (CISSP), a member of Infragard and a graduate of the FBI Citizens' Academy. Andrew blogs at blog.ncircle.com/sync