2 key steps to preventing a Conficker worm infection

Though it first appeared nearly four years ago, the Conficker worm is still a significant security threat, according to a recent report from Microsoft. Here’s how IT departments can protect their organizations. 

Microsoft first released a patch to protect Windows machines from Conficker way back in October of 2008. But since then, new versions of the worm have appeared, and the threat attacked an estimated 1.7 million computers in the fourth quarter of 2011 alone, according to a recent Microsoft Security Intelligence report.

In its current state, Conficker uses a variety of methods to spread itself, including:

  1. using compromised login credentials to create a scheduled task on an infected computer that re-infects the machine at regular intervals, and
  2. using a malicious Windows autorun file to launch a Conficker executable.

Conficker poses a big threat to organizations, Microsoft researchers say, because the worm exploits file-sharing capabilities to spread itself, giving the threat a lot of staying power on corporate networks. Machines that have been cleaned can quickly become reinfected by connecting to another infected computer.

For the report, Microsoft examined a number of attempted attacks detected by security software to determine the most effective ways to prevent a Conficker infection.

One recommendation: Improve password and credential policies. Most (60%) of the detected incidents involved credential-based attacks in which the worm used a built-in list of common and weak passwords to gain access to system resources.

According to the report, IT administrators should use Active Directory Domain Services — as well as written policies and user training — to enforce and encourage complex passwords. That’s also good for protecting against other kinds of attacks, of course.
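One way to check whether the domain password policy actually backs up the written one, as an added example that is not part of the article or the Microsoft report: the script below reads the default domain password policy from Active Directory Domain Services and flags settings that would let a built-in list of weak passwords succeed. It assumes the RSAT ActiveDirectory module and a domain-joined session; the threshold values are assumptions chosen for this example, not figures from the report.

```powershell
# Added example (not from the article): audit the default domain password
# policy enforced by Active Directory Domain Services and report settings
# that leave accounts open to a weak-password dictionary such as Conficker's.
# Assumes the RSAT ActiveDirectory module and read access to the domain.
# The threshold defaults below are assumptions for this example.
Import-Module ActiveDirectory

function Test-DomainPasswordPolicy {
    param(
        [int]$MinLength = 12,
        [int]$MaxLockoutThreshold = 10,
        [int]$MinHistory = 24,
        [int]$MaxAgeDays = 90
    )
    $policy = Get-ADDefaultDomainPasswordPolicy
    $findings = @()

    if (-not $policy.ComplexityEnabled) {
        $findings += "Password complexity requirement is disabled"
    }
    if ($policy.MinPasswordLength -lt $MinLength) {
        $findings += "MinPasswordLength is $($policy.MinPasswordLength), expected >= $MinLength"
    }
    # A LockoutThreshold of 0 means accounts never lock, so a list of common
    # passwords can be tried against every account without limit.
    if ($policy.LockoutThreshold -eq 0 -or $policy.LockoutThreshold -gt $MaxLockoutThreshold) {
        $findings += "LockoutThreshold is $($policy.LockoutThreshold), expected 1..$MaxLockoutThreshold"
    }
    if ($policy.PasswordHistoryCount -lt $MinHistory) {
        $findings += "PasswordHistoryCount is $($policy.PasswordHistoryCount), expected >= $MinHistory"
    }
    # MaxPasswordAge is a TimeSpan; 0 days means passwords never expire.
    if ($policy.MaxPasswordAge.Days -eq 0 -or $policy.MaxPasswordAge.Days -gt $MaxAgeDays) {
        $findings += "MaxPasswordAge is $($policy.MaxPasswordAge.Days) days, expected 1..$MaxAgeDays"
    }
    if ($policy.ReversibleEncryptionEnabled) {
        $findings += "Reversible encryption is enabled (passwords recoverable in cleartext)"
    }

    [pscustomobject]@{
        Domain    = $policy.DistinguishedName
        Compliant = ($findings.Count -eq 0)
        Findings  = $findings
    }
}

# Report the result; a non-empty Findings list means the policy needs attention.
Test-DomainPasswordPolicy | Format-List
```

Fine-grained password policies (Get-ADFineGrainedPasswordPolicy) can override the default for specific groups, so run the same checks against those objects if the domain uses them.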

Another key: promptly installing security patches. According to the study, 20% of the attacks exploited a software vulnerability that was patched in 2009. Making sure all machines are kept fully patched is critical to preventing attacks, especially those like Conficker that can easily spread across an entire network from one machine.