Larry Seltzer has always been one of my favorite commentators on PC security, and this week he has written one of the best articles I’ve read in a long, long time. Here’s a sample from Malware is Getting Formidable, But So Are Your Defenses:
You can think of Conficker as being the state of the art in conventional malware. It not only uses an important vulnerability, but it’s a sophisticated blended attack, using a wide variety of mechanisms to spread: pseudo-random domains, dictionary attacks on weakly-protected network shares, USB drives, and more. You can admire the work that went into developing Conficker once you get past the amorality and greed that inspired it.
But there’s nothing that it does that you can’t protect against with best practices. Almost everyone that was hit by it was running a version of Windows XP that hadn’t been patched in many months. And even if you ran no anti-virus at all, least-privilege, updated software versions and a few other little things like a good firewall would block most of the ill effects of Conficker and most other malware and prevent them from becoming permanent on the system.
I noticed last week that several publications were trying to whip up some hysteria over the Conficker worm hitting on April 1 and causing a security tsunami. Maybe. I’ve only been following the Conficker fuss out of the corner of my eye so I can’t really speak authoritatively on it. But those stories didn’t ring true to me, and my suspicions were confirmed when I went back to the original source that those reporters were using for their fear-mongering, SRI International’s “An analysis of Conficker’s logic and rendezvous points,” released in February and updated last week.
My understanding is that the patches issued by Microsoft last fall sealed the hole solid. The SRI report seems to agree with that judgment:
The patch for this exploit was released by Microsoft on October 23 2008, and those Windows PCs that receive automated security updates have not been vulnerable to this exploit.
Later in the same report, the authors note:
Why Conficker has been able to proliferate so widely may be an interesting testament to the stubbornness of some PC users to avoid staying current with the latest Microsoft security patches.
They also mention that the threat may be worse in countries where Windows is regularly pirated, since pirated installations commonly have automatic updates turned off and so never received the October patch.
As Seltzer writes, “you can get yourself a pretty substantial level of protection by being scrupulous about a number of these important measures, with the most important one probably being least-privileged access.” I agree completely. Do your day-to-day work from a standard (non-administrator) user account, use the Windows firewall or a third-party replacement, be aggressive about updating your system and all important applications (Office, Acrobat, Flash, QuickTime), and run antivirus software whose signatures are kept current.
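As an added example (my own, not code from the original post, from Seltzer, or from SRI), here is a PowerShell self-audit for the four measures above, plus a fifth check for the USB Autorun vector Conficker used. It assumes a current Windows client with PowerShell 5.1 or later, that Windows Defender is the installed antivirus (the `Get-MpComputerStatus` check is Defender-specific), and the 45-day patch and 7-day signature thresholds are my assumptions, not figures from the post.

```powershell
# Added example: audit the host against the "least privilege, firewall, patches,
# antivirus" checklist. Assumes PowerShell 5.1+ on a current Windows client and
# Windows Defender as the AV. Thresholds (45 days, 7 days) are assumptions.
# No elevation is required for any of these checks.

$findings = @()

# 1. Least privilege: is this session running with administrator rights?
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
$isAdmin   = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
if ($isAdmin) {
    $findings += "FAIL: running as an administrator ($($identity.Name)); use a standard account for daily work."
} else {
    $findings += "OK:   running as a standard user ($($identity.Name))."
}

# 2. Host firewall: the Domain, Private and Public profiles should all be enabled.
$disabledProfiles = Get-NetFirewallProfile | Where-Object { -not $_.Enabled }
if ($disabledProfiles) {
    $findings += "FAIL: firewall disabled for profile(s): $($disabledProfiles.Name -join ', ')"
} else {
    $findings += "OK:   Windows Firewall enabled on all profiles."
}

# 3. Patching: how long since the most recent update was installed?
#    Get-HotFix reads Win32_QuickFixEngineering, so it covers OS updates only,
#    not Office/Acrobat/Flash/QuickTime; those need their own updaters.
$lastPatch = Get-HotFix | Where-Object { $_.InstalledOn } |
             Sort-Object InstalledOn -Descending | Select-Object -First 1
if (-not $lastPatch) {
    $findings += "WARN: could not determine patch history from Get-HotFix."
} elseif (((Get-Date) - $lastPatch.InstalledOn).Days -gt 45) {   # 45 days is an assumed threshold
    $findings += "FAIL: no OS update installed since $($lastPatch.InstalledOn.ToShortDateString()) ($($lastPatch.HotFixID))."
} else {
    $findings += "OK:   most recent OS update $($lastPatch.HotFixID) installed $($lastPatch.InstalledOn.ToShortDateString())."
}

# 4. Antivirus: real-time protection on and signatures recent (Defender only).
try {
    $mp = Get-MpComputerStatus -ErrorAction Stop
    if (-not $mp.RealTimeProtectionEnabled) {
        $findings += "FAIL: antivirus real-time protection is off."
    } elseif ($mp.AntivirusSignatureAge -gt 7) {                    # 7 days is an assumed threshold
        $findings += "FAIL: antivirus signatures are $($mp.AntivirusSignatureAge) days old."
    } else {
        $findings += "OK:   real-time protection on, signatures updated $($mp.AntivirusSignatureLastUpdated.ToShortDateString())."
    }
} catch {
    $findings += "WARN: Get-MpComputerStatus unavailable; check your third-party AV console instead."
}

# 5. Autorun: Conficker also spread via autorun.inf on USB drives. A value of
#    0xFF for NoDriveTypeAutoRun disables Autorun for every drive type.
$keys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$autorun = foreach ($k in $keys) {
    (Get-ItemProperty -Path $k -Name NoDriveTypeAutoRun -ErrorAction SilentlyContinue).NoDriveTypeAutoRun
}
if ($autorun -contains 0xFF) {
    $findings += "OK:   Autorun disabled for all drive types."
} else {
    $findings += "FAIL: Autorun not fully disabled; set NoDriveTypeAutoRun to 0xFF (255) under the Explorer policy key."
}

$findings | ForEach-Object { Write-Output $_ }
```

Run it from an ordinary (non-elevated) prompt; if check 1 already reports an administrator, that is the first thing to fix, because every other protection is weaker when malware that does land runs with your rights. If you use a third-party antivirus, replace the `Get-MpComputerStatus` block with that product's own status query rather than trusting the WARN line.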
It’s not rocket science.
Update: for more on the Conficker worm, visit the Microsoft Malware Protection Center.