Friday, January 16, 2009

Security Policy 101

Quite a few security websites and media outlets have reported on the current wave of WORM_DOWNAD.AD detections over the last few weeks. What's noteworthy about this particular beastie is not only the scale of the infections (some estimates put it at over 8 million infected machines), but also the propagation techniques: a three-pronged attack designed to exploit weak company security policies.

First, DOWNAD.AD sends exploit packets for the recent Microsoft Server Service vulnerability to every machine on the network, and to several randomly selected targets over the Internet. This vulnerability allows remote code execution for an attacker, and affects just about every version of Windows since Windows 2000.

For its next trick DOWNAD.AD drops a copy of itself in the Recycler folder (Recycle Bin) of all available removable and network drives. Next it creates an obfuscated Autorun.inf file on these drives, so that the Worm is executed simply by browsing to the network folder or removable drive (the user does not need to actually click on the file).

And then comes the icing on the cake. It first enumerates the available servers on the network and then, using this information, gathers a list of user accounts on these machines. Finally it runs a dictionary attack against these accounts using a predefined password list (more details here). If successful (and a scary amount of the time people's passwords are that bad), it drops a copy of itself on their system and uses a scheduled task, also known as an AT job, to execute the worm.
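As an added illustration of that third technique (this is not code from the original post), here is a small check a defender could run over Windows logon-failure events: it flags a source host that fails logons against several different accounts within a short window, which is what a dictionary attack from an infected machine looks like in the Security log. The sample events, field layout and thresholds are constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of logon-failure events (not real logs), one per line:
# "timestamp,event_id,target_account,source_host". Event ID 529 is the
# pre-Vista "logon failure: bad user name or password" event; 4625 is the
# Vista-and-later equivalent.
SAMPLE_EVENTS = """\
2009-01-16 09:00:01,529,jsmith,WKS-017
2009-01-16 09:00:02,529,jsmith,WKS-017
2009-01-16 09:00:02,529,mjones,WKS-017
2009-01-16 09:00:03,529,mjones,WKS-017
2009-01-16 09:00:03,529,administrator,WKS-017
2009-01-16 09:00:04,529,administrator,WKS-017
2009-01-16 09:00:04,529,backup,WKS-017
2009-01-16 09:00:05,529,backup,WKS-017
2009-01-16 09:15:00,529,jsmith,LAPTOP-03
2009-01-16 11:30:00,529,jsmith,LAPTOP-03
"""

def parse_events(text):
    """Parse the constructed CSV-style lines into (time, event_id, account, host)."""
    events = []
    for line in text.splitlines():
        ts, eid, account, host = line.split(",")
        events.append((datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), int(eid), account, host))
    return events

def find_password_sprays(events, window=timedelta(minutes=5), min_failures=6, min_accounts=3):
    """Return {source_host: accounts} for hosts whose failed logons in any
    `window` reach `min_failures` attempts spread over `min_accounts` distinct
    accounts. One user mistyping a password a couple of times trips neither."""
    by_host = defaultdict(list)
    for ts, eid, account, host in events:
        if eid in (529, 4625):
            by_host[host].append((ts, account))
    hits = {}
    for host, fails in by_host.items():
        fails.sort()
        start = 0
        for end in range(len(fails)):          # sliding time window over failures
            while fails[end][0] - fails[start][0] > window:
                start += 1
            chunk = fails[start:end + 1]
            accounts = {a for _, a in chunk}
            if len(chunk) >= min_failures and len(accounts) >= min_accounts:
                hits[host] = hits.get(host, set()) | accounts
    return hits

if __name__ == "__main__":
    for host, accounts in find_password_sprays(parse_events(SAMPLE_EVENTS)).items():
        print(f"possible dictionary attack from {host} against {sorted(accounts)}")
```

The two isolated failures from LAPTOP-03 are ignored; the burst from WKS-017 against four accounts is reported, and that host is the one to pull off the network and check for the dropped copy and the AT job.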


So why is this Worm so successful? Simple - poor security policies.

The first propagation technique is really exploiting poor patch management. A patch for this vulnerability has been available since late last year, but still some companies have not properly rolled it out to all machines on their network. Remember, even one unpatched machine is enough to have this Worm spread through the entire network. Patch management is a critical component of any IT department's job today, and it is vitally important that patches are applied in a timely fashion across ALL of the company's machines, including laptops and other mobile devices. Companies also need to have very clear policies on the patch levels of external parties who access their network (e.g. partner companies, contractors, etc.). Like so many aspects of security, it only takes one hole to bring down an entire network.

Autorun malware has been a big problem over the last 6 months, and to be honest, it really should be a non-issue. Quick, grab a piece of paper and a pencil. Got them? Great, OK, now in 30 seconds try to write down a single reason why your company NEEDS all removable drives and network shares to be able to automatically execute code just by viewing them. It's OK, I'll wait till you are done... Didn't come up with one, did you? Let me save you the pain of figuring out the next step: how to disable Autorun (more details here).

Lastly we have the old classic: weak passwords. You could write a book on how to ensure users choose strong passwords (in fact people already have), but to help save your hard-earned money during this economic downturn, we've kindly made one available as part of our Safe Computing Guide. Go have a read. After all, it would be nice not to have to explain to your boss that every machine in the company is infected because you had picked "123456" as the default password on all of your machines and shared drives.

To quote my favourite sportsperson Roy Keane - "Failure to Prepare, Prepare to Fail"
