Back to qualys.com
77 posts

Conficker Worm: 30% Still Infected

Qualys estimates that about 30 percent of Windows-based computers remain vulnerable to infection because they have not been updated with the patch.

Methodology

In December 2008, Qualys' customers performed scans on over 9 Million IP addresses. There is some duplication as some customers scan multiple times in a given month, but the majority of customers are on a 30 day cycle in their scan schedules. The majority of these scans are against Windows machines as they are the most prevalent in our customers' networks. It is safe to say that data is based on Millions of IP addresses scanned.

Conficker Worm Explained

What class of virus is it and have you seen something like it before?
This worm is a sophisticated piece of software, beyond exploiting MS08-067 it uses a number of other techniques to propagate, i.e. network shares and removable media such as USB thumb drives. It has a variety of interesting mechanisms to trick the user into executing it, such as changing the icon and message in the autorun dialog. It also uses an innovative way to assure that its control channel, where it receives its commands from, is not shutdown. It contacts a large number of dynamically named URLs for commands, making it harder to shut down the worm down. It is definitely a intelligently designed worm, demonstrating that worm writers are constantly innovating to keep their business moving.
 
Why is it so pervasive when the vector was supposedly patched by Microsoft?
Our scanning data indicates that many machines are not patched yet, even 2 months after the release of the patch by MSFT. We derive our numbers from enterprise customers and SMB, but in areas where non-licensed machines are in use the ratio of unpatched machines must significantly higher due to the difficulty of getting and installing patches and the fear of detection.
 
Is the security community responding fast enough to the threat?
The security community is doing excellent work around that vulnerability and the exploiting worm. But overall IT is not reacting fast enough, as our data reveals and as can be seen by the extent of the damage that the worm is doing. Patch cycles have to be accelerated. Machines that require longer patch cycles (due to their criticality) need to have additional security settings and/or technologies installed that can help mitigate the effects.

In general, we suggest providing general comments to the above questions hinting towards the patching data only to substantiate your claims since the last comments we provided him were very data specific.

Analysis of Critical Microsoft Patches in the Second Half of 2008

MSFT-Patch-Trends-08-PII.png

During the year-end slowdown Qualys analyzed anonymous data captured by us during our global vulnerability scans. The analysis focuses on critical Microsoft patches published in the second half of 2008 to reduce the initial dataset.
 
Within the 20+ patches we can clearly see three distinct groups with different occurrence profiles:
 

  • The first group contains the major Windows operating system and Microsoft Office vulnerabilities, with Office being the clear leader with a frequency of up to 25 % more than Windows OS patches.
  • The second group are less frequently installed components in both Windows and Office, such as Office document filters (i.e. MS08-044) or VB runtime components (MS08-070) – they have less than 30% of the occurrence frequency of the first group.
  • At a distant third, we see vulnerabilities in specialized parts of the operating system – the SNA communications connector (MS08-059) and the Windows Media encoder (MS08-053). These make up less than 2% of the overall mix.
  • As a general trend, after about 30 days the majority of systems have the patches applied and the fix rate then slows down. This applies to all groups, even the comparatively low frequency group three follows this pattern of initial activity.
  • On a side note group three also contains the only vulnerability that was limited to Windows Vista – MS08-075 – giving us an indication of the low numbers of deployed Vista installations in enterprises.

Conficker Worm: Patching is Not Fast Enough

In our statistical data for MS08-067 we see it being patched at about the same rate as other critical patches. Over 50% of all machines are patched after approximately 30 days. After that period we see the patch rates go down and the overall number of machines that are attackable only slowly diminishing.  Unfortunately this leaves enough machines to be exploited by the "Conficker" worm types even today, over 45 days later.

We would have liked to see a faster reaction by the computer users given the significance of the patch but there still seems to be a barrier to reach everybody and make them understand the urgency of patching.

Patch Tuesday: December 08

This vulnerability in Microsoft SQL Server product is highly critical as it allows the attacker to remotely control the database and the underlying server. DBAs should immediately review the work-arounds provided in the advisory and implement them as soon as possible. MS SQL-Server is a highly popular product as we have seen in April of this year, when a SQL-Injection vulnerability that specifically targeted MS-SQL server driven websites was used to redirect users to websites serving malware. The effects of this attack are still out on the internet, as we can still see sites that have fallen victim to the attack and that have not been restored to an exploit free state.

The potential exists for leakage of private data and major disruptions in critical MS SQL driven applications, such as e-commerce and HR. On the positive side we believe that companies have aggressively firewalled off their MS SQL server from being accessible directly on the internet after the traumatic Slammer worm in 2003 which should provide some protection from direct attacks. However a smart attacker can easily pair this exploit with another attack mechanism such as phishing to get behind the corporate firewalls and then attack all accessible MS SQL server installations.

We expect that Microsoft is currently working on patch and will release it out of band. Differently from the recent release of the Internet Explorer patch the deployment will be slow. MS SQL is part of the core server infrastructure of many enterprise companies and is subject to lengthy patch and testing cycles and before any such fix can be deployed.

IE7 Exploit: MS Releases Out-of-Band Patch

As we expected Microsoft is releasing an out-of-band patch tomorrow 12/17 for a critical Internet Explorer 7 vulnerability. The browser flaw had been disclosed roughly one week ago as a zero day vulnerability and active exploits have been around the internet for that timeframe as well. The work-arounds provided by Microsoft were very technical and quite cumbersome to implement making it imperative for Microsoft to release a fix as quickly as possible.

Given the typical requirements for developing, testing and packaging the changes to a program as widely deployed as Internet Explorer we have seen one of the fastest turnarounds possible. Moving faster would require having specific mechanisms in the base code of the application allowing to push out changes in a less disruptive way and would require an extensive rewrite of Internet Explorer. Other browser providers have an edge here as they already have update mechanisms included in their products.

November 2008: MSFT Patch Release Trends

msft_patch_release_trends.png

In the past month November, Microsoft released only 2 Security bulletins, both of critical severity. However in late October, MSFT released a fix for potentially very exploitable vulnerability (MS08-067 RPC Server) out-of-band, in itself already an indication of its high severity and its potential to develop into an aggressively replicating worm. We took a look at patching trends related to this publicized vulnerability.

Specifically, we monitored between 200,000 and 300,000 scans per day. The graph above shows the trends.

Customer Patching Trends
We have used our vulnerability statistics capabilities to track the evolution of the vulnerabilities to see how Microsoft customers apply these patches.

  • Unfortunately, no. The emergency patch (MS08-67) didn’t show erratic  reductions in occurrences of vulnerabilities and it appears customers were  patching at a normal rate.
  • However, for the last week we see a fairly rapid reduction in  vulnerability numbers indicating that after a large scale worm was announced  and confirmed (Trend Micro mentions over 500,000 machines infected, Symantec  mentions major activity in their honey nets), customers are stepping up their  patch activity.
  • Over the last month and a half we have seen the occurrence of MS08-067 drop from a high value of 8 to close to 2 this week, and overall 70%  reduction.

MS08-067, 68 and 69 Trends
PLEASE NOTE: The information below is based off normalized data, the Y-axis represents the number of vulnerabilities identified / total number of scans. The X -axis represents the dates. Normalizing the data was required in order to fairly represent the data in a graphical form. If you use the graphic, please attribute to Qualys.