Zeus, Koobface, Conficker: How to put up a fight

Cisco Systems Inc. highlighted the top security threats of 2009 by presenting Cybercrime Showcase Awards as part of its Annual Security Report released Tuesday.

Two positive and two not-so-positive categories were included. Awards went to the Conficker Working Group for the “Cybercrime Sign of Hope” and Washington Post journalist Brian Krebs as the “Cybercrime Hero.”

Zeus and Koobface won the “Most Audacious Criminal Operation” and “Most Notable Criminal Innovation” awards, respectively.

Threats like Conficker, Zeus and Koobface may be audacious, notable and innovative, but traditional tried-and-true methods of defence continue to be the best means for fighting back. 

The top three technological things enterprises can do to protect themselves are “basic, tried-and-true, dyed-in-the-wool” solutions, said James Quinn, senior research analyst at Info-Tech Research Group Ltd.

“They are not sexy, they are not fancy, they are not revolutionary,” he said.

In almost every case, the big threats that come along are those that are associated with known vulnerabilities, Quinn pointed out.

Conficker, for example, was an attack that leveraged a vulnerability that had been reported, he said. Zeus was the same, he added.  

“These are problems for which a protection mechanism already exists before the problem came along … there are patches for the vulnerabilities in advance,” he said.

The first thing organizations can do to protect themselves from such threats is to patch rigorously and regularly, Quinn suggested.

“Application patches are the single thing – the most important thing – that organizations can do. Patch, patch, patch … it can’t be said enough,” he said.

Quinn’s second suggestion is ensuring that anti-virus tools are up-to-date.

“As long as the tools are up-to-date and they are pushing the definition updates to those tools on a regular basis, again, the organization is going to be in a position that is going to be well protected from contracting any threats,” he said.

Even if you do contract the threats, you’re still going to be well protected in terms of recovering from them, he noted.

Malware includes tools that block access to security vendor Web sites, Quinn pointed out. This means infected machines are unable to get updates across the Internet in order to download the patches and definition files that will get rid of the problem, he explained.

But they don’t have the ability to block internal distribution of virus definition files, he said.

“The company can still push the virus definition to my desktop via a central server … so making use of a dedicated, centrally managed anti-malware solution and keeping the endpoints up-to-date is absolutely the second thing organizations should be doing,” he said.

Quinn’s third suggestion is to restrict administrator privileges on endpoints so end users are unable to install software.

“If we restrict end users from having administrator privileges, they cannot inadvertently install malware, they can’t install the Trojans, can’t install the rootkits,” he said.

These three solutions “have been the answer to malware for as long as malware has been a problem,” noted Quinn. “Unfortunately, they are just not followed.”

Organizations that want to take security beyond the basics should look at content filtering and placing outbound restrictions on traffic via the firewall, Quinn suggested.

Putting rules in place that restrict what type of traffic is allowed out can prevent a problem from growing to its fullest severity, he said.

“If a device does get infected, it can’t call out to a command-and-control centre to pick up the rest of the malware package. It can’t call out to a botnet to be controlled,” he said.

Content filtering works the same way, said Quinn. A lot of malware starts off by installing a piece and then calling to an external site to download the rest of the attack, he explained.

With content filters in place that restrict what outbound connections are allowed, an organization is going to be in a position where that problematic code can’t be brought back inside, he said.

Education should be a key focus for enterprise IT departments as they prepare for upcoming threats, according to Henry Stern, senior security researcher at Cisco. “User education is absolutely critical for IT departments,” he said.

Stern also suggested enterprises deploy network intrusion prevention devices and firewalls “that are tuned for detecting infections on their networks so they can begin remediation as early as possible before damage has been done.”

Cisco’s firewalls have a botnet traffic filter, which is designed to intercept communications like commands and data exfiltration, he noted. “Something like that is able to help stop the information from leaking out of your company in the first place,” he said.
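The two ideas above (Quinn's default-deny outbound rules and Stern's point about tuning devices to detect infections early) can be illustrated together. The following is an added example, not code from the article, Info-Tech or Cisco: a default-deny egress policy applied to constructed perimeter-firewall flow records, with a count of blocked direct call-outs per workstation. The proxy, resolver and NTP addresses, the log format and the sample flows are all hypothetical.

```python
import re
from collections import Counter

# Constructed allow-list: the only outbound flows a workstation may open directly.
# Everything else must go through the proxy, so a direct hit on an outside host
# is exactly the "call out to pick up the rest of the package" the article describes.
EGRESS_ALLOW = {
    ("10.0.0.10", 3128, "tcp"),   # hypothetical web proxy
    ("10.0.0.53", 53, "udp"),     # hypothetical internal DNS resolver
    ("10.0.0.123", 123, "udp"),   # hypothetical internal NTP server
}

# Hypothetical firewall flow-record format
LOG_RE = re.compile(
    r"src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) dport=(?P<dport>\d+) proto=(?P<proto>\w+)"
)

def egress_decision(dst, dport, proto):
    """Default-deny egress: only allow-listed destination/port/protocol tuples pass."""
    return "ALLOW" if (dst, dport, proto) in EGRESS_ALLOW else "DENY"

def parse_flow(line):
    """Return (src, dst, dport, proto) for a well-formed record, else None."""
    m = LOG_RE.search(line)
    if not m:
        return None
    return m["src"], m["dst"], int(m["dport"]), m["proto"]

def find_callout_suspects(lines, threshold=3):
    """Count denied outbound attempts per internal host. A host that keeps trying
    to reach arbitrary external addresses directly is a remediation candidate."""
    denied = Counter()
    for line in lines:
        flow = parse_flow(line)
        if flow is None:
            continue
        src, dst, dport, proto = flow
        if egress_decision(dst, dport, proto) == "DENY":
            denied[src] += 1
    return {src: n for src, n in denied.items() if n >= threshold}

# Constructed flow records (not from the article); 10.20.4.22 behaves like an infected host
SAMPLE_FLOWS = [
    "src=10.20.4.17 dst=10.0.0.10 dport=3128 proto=tcp",
    "src=10.20.4.17 dst=10.0.0.53 dport=53 proto=udp",
    "src=10.20.4.22 dst=203.0.113.45 dport=80 proto=tcp",
    "src=10.20.4.22 dst=203.0.113.45 dport=443 proto=tcp",
    "src=10.20.4.22 dst=198.51.100.7 dport=8080 proto=tcp",
    "src=10.20.4.22 dst=198.51.100.7 dport=6667 proto=tcp",
    "src=10.20.4.31 dst=192.0.2.9 dport=443 proto=tcp",
    "malformed line",
]

if __name__ == "__main__":
    for host, count in find_callout_suspects(SAMPLE_FLOWS).items():
        print(f"{host}: {count} blocked outbound attempts, candidate for remediation")
```

With the threshold left at three, only 10.20.4.22 is reported; the single blocked flow from 10.20.4.31 stays below the bar, which is the trade-off a team tunes when it wants early warning without chasing every stray connection.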

Cisco is also cautioning finance departments to be particularly careful with their computers to make sure they are not infected, noted Stern.  

He suggested “possibly even going so far as to use virtual machines or separate computers altogether for accessing the financials [or] their accounts at financial institutions to prevent gangs such as those who use Zeus or Clampi from attacking their corporate accounts.”

Microsoft Corp. facilitated and led the Conficker Working Group, an industry collaboration announced in February this year. While the threat has since receded, Microsoft did offer a couple points of advice on how enterprises can continue to protect themselves. 

“Microsoft continues to urge customers to follow our guidance and update systems with MS08-067, clean systems that are infected and implement stronger security procedures in accordance with their organization’s security policies,” stated a Microsoft spokesperson in an e-mail interview.

The company also “continues to encourage customers to follow the ‘Protect Your Computer’ guidance of enabling a firewall, applying all software updates and installing anti-virus and anti-spyware software.”

“As some Conficker infected machines may not be able to reach certain related assistance sites, customers may need to use alternate, non-infected hardware or Microsoft’s PC Safety Hotline for resolution,” stated the spokesperson.

Anyone concerned about Conficker can visit microsoft.com/protect for more information and free support, she suggested. Customers in the U.S. and Canada can call the PC Safety hotline at 1-866-PCSAFETY.

Follow me on Twitter @jenniferkavur.
