Welcome to the Proxy Update, your source of news and information on Proxies and their role in network security.

Monday, April 30, 2012

Conficker Malware Remains A Threat

InformationWeek published an article this week on why the Conficker malware won't die. It has been more than three years since Conficker was first discovered (late 2008), yet InformationWeek reports that it launched 59 million attacks in the fourth quarter of 2011 against 1.7 million PCs. That is an impressive number for malware that should have been eradicated long ago.

The InformationWeek article caught my eye because I recently attended a talk in which Conficker was discussed, not in terms of the malware itself but in terms of how it was discovered. That mattered because the talk was actually about APTs (Advanced Persistent Threats) and how to keep an organization protected from them. Because an APT can come from anywhere and target almost anyone in the organization, it is tough for a single security solution to detect one when the threat happens. So how does one protect against an APT? The answer, of course, is multi-layered defense: an organization needs to defend not only the web gateway/proxy but also the router, the workstation, and the other network devices.

That leads to the next question: how do you detect an APT while it is happening? That is where Conficker comes in. Conficker was discovered by an IT administrator who knew what a normal log looked like and immediately recognized an anomaly in his DNS logs. Specifically, he saw a spike in DNS requests for hostnames that did not resolve to any IP address, that is, lookups answered with NXDOMAIN. Conficker generates candidate hostnames with an algorithm (a domain generation algorithm) and queries them to find its payload servers; since only a handful of the generated names are ever registered, most of those lookups fail, and the failures pile up in the resolver's logs.

The key here is familiarity with the logs from all your network devices: understand what a normal day looks like, recognize when a device starts producing anomalies, and investigate when they happen. Familiarity with your own logs may be the difference between early detection of an APT and significant data loss.
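As an added illustration (not code from this post or from the talk it describes), the Python script below runs that kind of check over a constructed DNS resolver log: it counts NXDOMAIN answers per client per hour, compares each count against an assumed per-client baseline, and, for any client over the threshold, summarizes how many distinct names and top-level domains it asked for and how random-looking the queried labels are. The log format, the sample lines, the baseline value and the multiplier are all assumptions chosen for the example.

```python
"""Spot a per-client spike in NXDOMAIN answers in a DNS query log.

Added illustration only; the log format, sample lines and thresholds are
assumptions and are not taken from any real resolver or from the post.
"""
import math
from collections import Counter, defaultdict
from datetime import datetime

EPOCH = datetime(1970, 1, 1)

# Constructed sample log (not a real capture), one line per query/answer:
#   "<ISO timestamp> <client IP> <queried name> <response code>"
# 10.1.2.3 mistypes one name; 10.1.2.9 asks for six random-looking names
# across several TLDs in the same hour, the pattern a DGA produces.
SAMPLE_LOG = """\
2012-04-30T09:00:01 10.1.2.3 www.example.com NOERROR
2012-04-30T09:00:05 10.1.2.3 mail.example.com NOERROR
2012-04-30T09:00:09 10.1.2.4 www.example.org NOERROR
2012-04-30T09:00:12 10.1.2.4 cdn.example.net NOERROR
2012-04-30T09:00:15 10.1.2.3 typo.exmaple.com NXDOMAIN
2012-04-30T09:00:20 10.1.2.9 qhgyvbxpk.info NXDOMAIN
2012-04-30T09:00:21 10.1.2.9 lkwpzjtrq.biz NXDOMAIN
2012-04-30T09:00:22 10.1.2.9 vxmdnfouw.ws NXDOMAIN
2012-04-30T09:00:23 10.1.2.9 pqzrkltsy.cc NXDOMAIN
2012-04-30T09:00:24 10.1.2.9 bnwjdgkqe.cn NXDOMAIN
2012-04-30T09:00:25 10.1.2.9 update.example.com NOERROR
2012-04-30T09:00:26 10.1.2.9 tzqkmvxhw.info NXDOMAIN
"""


def parse_line(line):
    """Split one log line into (timestamp, client, normalized name, rcode)."""
    ts, client, qname, rcode = line.split()
    return datetime.fromisoformat(ts), client, qname.lower().rstrip("."), rcode


def nxdomain_by_client(log_text, window_seconds=3600):
    """Count NXDOMAIN answers per (client, time window) and keep the names."""
    counts = Counter()
    names = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, client, qname, rcode = parse_line(line)
        if rcode != "NXDOMAIN":
            continue
        window = int((ts - EPOCH).total_seconds()) // window_seconds
        counts[(client, window)] += 1
        names[(client, window)].append(qname)
    return counts, names


def label_entropy(qname):
    """Shannon entropy (bits per character) of the second-level label.

    Random-looking labels score close to log2(len(label)); dictionary
    words and repeated characters score lower. Supporting evidence only.
    """
    parts = qname.split(".")
    label = parts[-2] if len(parts) >= 2 else parts[0]
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in Counter(label).values())


def find_anomalies(log_text, baseline_per_window=1, factor=5, window_seconds=3600):
    """Flag (client, window) pairs whose NXDOMAIN count is >= factor x baseline.

    baseline_per_window would normally be learned from past logs for each
    client or subnet; the default here is an assumed value for the sample.
    """
    counts, names = nxdomain_by_client(log_text, window_seconds)
    threshold = baseline_per_window * factor
    alerts = []
    for (client, window), n in sorted(counts.items()):
        if n < threshold:
            continue
        qnames = names[(client, window)]
        alerts.append({
            "client": client,
            "window": window,
            "nxdomain": n,
            "distinct_names": len(set(qnames)),
            "distinct_tlds": len({q.rsplit(".", 1)[-1] for q in qnames}),
            "mean_label_entropy": round(sum(map(label_entropy, qnames)) / len(qnames), 2),
            "names": qnames,
        })
    return alerts


if __name__ == "__main__":
    for alert in find_anomalies(SAMPLE_LOG):
        print(alert)
```

Run it directly and the sample produces a single alert, for 10.1.2.9. In practice the baseline would come from a week or more of your own resolver logs, per client or per subnet, which is exactly the familiarity the talk was pointing at. The entropy and TLD-spread fields are supporting evidence rather than a verdict on their own: a user mistyping a name also produces NXDOMAIN answers (as 10.1.2.3 does in the sample), so it is the sustained volume of failed lookups from one host, not any single failure, that deserves the investigation.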

So even though Conficker continues to haunt corporate networks, it does remind us that we need to remain vigilant about security and become familiar enough with our environments to recognize when something is out of the ordinary.
