TippingPoint Digital Vaccine Laboratories

Conficker/Downadup Ups the Ante

The security community is abuzz with reports that the Conficker/Downadup worm, previously observed to propagate via exploitation of the MS08-067 vulnerability, has infected as many as 8 million machines worldwide. It would appear that this particularly nasty piece of malware is spreading throughout vulnerable networks via a blended attack vector. Although the Conficker worm was initially very successful in generating infections on unpatched Windows machines, once inside the network Conficker can either self-propagate via brute force password guessing or it can inadvertently be spread by tricking users with portable storage devices into running an executable. Strictly speaking, no single component of this blended threat is remarkable on its own; but therein lies the crux of the issue. The Conficker/Downadup worm has become so pervasive precisely because of the eclectic infection strategy that it employs!

Exploitation of known vulnerabilities in software has been the mode of infection of choice since as far back as the days of the venerable Morris worm. The presence of unpatched machines in a corporate intranet is often the only security hole that a virus or worm needs in order to gain a foothold in the network infrastructure; it is for this reason that security administrators must be both diligent and vigilant when it comes to patch management. TippingPoint customers are insulated from this particular strike by the collection of MS-RPC filters that cover the MS08-067 vulnerability, which are enabled in the IPS by default. Unfortunately, malware authors have come a long way since 1988. The most successful worms (success here being measured as gross infections over time) now rely on multiple attack vectors to ensure fruitful propagation.

Remember the dramatic and much publicized spread of the Nimda worm? By some accounts, the promiscuous Nimda was already the most widespread computer worm in the world a mere 22 minutes after its release! Indeed, Nimda spread throughout the Internet rapidly by placing copies of itself on otherwise innocuous web sites and by exploiting a collection of directory traversal vulnerabilities in Microsoft's IIS web server; Conficker raises the stakes by adding brute force password enumeration over mounted SMB shares. However, Conficker has another ace in the hole, as it were, in that it may also gain entry to the network by hitching a ride on an infected portable storage device.

The third leg of this blended attack relies on your users' familiarity with the Windows "Autoplay" menu. By default, the autorun feature in Windows is enabled for all removable devices; if an infected portable storage device is introduced to a computer with autorun enabled, then the worm will add an "execute" option to the familiar pop-up menu. Why would anyone knowingly give this vile little bugger complete access to their system? Because the malware author has disguised the "execute" option to appear as a simple folder browsing action - right down to the familiar folder icon! Of course, the most effective means of preventing infection from this vector is to prudently restrict the use of portable storage media inside of the network; but it certainly couldn't hurt to disable the autorun feature on your Windows machines, either.
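The autorun advice above, as an added example that is not part of the original DVLabs post: a PowerShell script that audits the Windows NoDriveTypeAutoRun policy bitmask (one bit per drive type; a set bit disables AutoRun for that type) and then sets it to 0xFF so that removable media never get an Autoplay menu to disguise. The function names are my own; the registry path and bit values are the documented Explorer policy.

```powershell
# Added example: audit and harden the AutoRun policy recommended in the post.
# NoDriveTypeAutoRun is a bitmask; a set bit disables AutoRun for that drive type.
$PolicyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$DriveTypeBits = [ordered]@{
    Unknown      = 0x01
    Removable    = 0x04   # USB sticks and other portable storage (Conficker's vector)
    Fixed        = 0x08
    Network      = 0x10
    CDROM        = 0x20
    RAMDisk      = 0x40
    Undetermined = 0x80
}

function Get-AutoRunPolicy {
    # Returns the current bitmask, or $null when no policy value exists
    # (Windows then applies its built-in default, which leaves removable drives enabled).
    $item = Get-ItemProperty -Path $PolicyKey -Name NoDriveTypeAutoRun -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.NoDriveTypeAutoRun
}

function Test-AutoRunDisabled {
    param([int]$Mask, [int]$Bit)
    return (($Mask -band $Bit) -ne 0)
}

function Show-AutoRunPolicy {
    $mask = Get-AutoRunPolicy
    if ($null -eq $mask) {
        Write-Output 'NoDriveTypeAutoRun not set; Windows default applies'
        $mask = 0
    } else {
        Write-Output ('NoDriveTypeAutoRun = 0x{0:X2}' -f $mask)
    }
    foreach ($entry in $DriveTypeBits.GetEnumerator()) {
        $state = if (Test-AutoRunDisabled -Mask $mask -Bit $entry.Value) { 'disabled' } else { 'ENABLED' }
        Write-Output ('  {0,-12} AutoRun {1}' -f $entry.Key, $state)
    }
}

function Set-AutoRunDisabledEverywhere {
    # 0xFF sets every bit, disabling AutoRun for all drive types (run elevated).
    if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
    Set-ItemProperty -Path $PolicyKey -Name NoDriveTypeAutoRun -Value 0xFF -Type DWord
}

Show-AutoRunPolicy              # before: expect 'Removable AutoRun ENABLED' on a default box
Set-AutoRunDisabledEverywhere
Show-AutoRunPolicy              # after: every drive type reports 'disabled'
```

Deploying the same value through Group Policy reaches every domain member at once; the script is useful for spot-checking machines that may have missed the policy.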

From the standpoint of the network administrator, the Conficker/Downadup worm is a virulent nightmare. For the security researcher…well, it's still a nightmare, but it's a darn interesting one. As malware authors become more savvy we will continue to see greater sophistication in the infection methodology employed by their worms. If nothing else, the blended strike approach illustrates the importance of securing the network, through a best-practices strategy, not only against overtly malicious traffic but also against covertly offensive activity.

Published On: 2009-01-21 12:30:00

Comments

  1. Extremesecurity commented on 2009-01-22 @ 15:51

    I've created a batch file for system administrators to clean/patch/cure infected systems in their networks.

    Check it out here:

    http://extremesecurity.blogspot.com/2009/01/beat-downadupconficker-like-pro-my.html


Links To This Post

  1. The TopOfMemory Security Feed » Blog Archive » Microsoft Conficker/Downadup infections still not a major threat
    linked on 2009-01-27 @ 19:03

    Security researcher Derek Brown, of TippingPoint’s DVLabs explained to me that while Conficker/Downadup has spread to an estimated 10 million machines, it reached its peak on Jan. 10. It’s an interesting worm because it can propagate either by exploiting the Microsoft RPC flaw, patched in October with MS08-067, or it can spread via USB sticks and other removable storage devices.
