Conficker: Still botting after all these years
On Thursday, October 23, 2008 (yes, it was "out of band"), Microsoft published MS08-067: Vulnerability in Server Service Could Allow Remote Code Execution. This was one of the really bad ones in that a remote user could gain administrator control of a PC and turn it into a bot. The word went out that it was important to apply the update, but you know how people are; security firm Qualys estimated that in January 30% of vulnerable PCs were still unpatched.
It was almost a month later that the first variant of Conficker (also known as Downadup), which spawned the great Waledac spam botnet, was detected. Conficker was — make that "is", because it's still alive — pretty sophisticated malware. It was capable of updating itself and was one of the principal bots to spread via file shares and USB drives.
In Europe the spread was particularly severe, affecting the military networks in France, the UK and Germany. It spread to over 200 countries and became one of the largest botnets ever.
In fact, Conficker would be blocked by decent firewall rules as well as the update. The fact that it spread so far and still lives shows just how widespread bad configurations are.
Image: The Conficker Working Group
Adobe Flash: Quick! Everyone update again!
The Adobe Flash Player Security Bulletins page shows 101 security updates, fixing some much larger number of vulnerabilities in the product since the release of version 9 a little over five years ago. None of these vulnerabilities was much more egregious than the others, but the sheer number of them and Flash's weak updating process have meant that there are always large numbers of users who are vulnerable to known Flash vulnerabilities.
One of the most famous and consequential Flash vulnerabilities was used to penetrate RSA (the company) in order to compromise their SecurID two-factor authentication tokens. Remediating this problem was expensive and, in the interim, large numbers of high-value customers were exposed.
Adobe has improved the update process, and both Google and Microsoft have (ironically) built Flash directly into their web browsers in order to use their stronger update processes to force Flash updates.
IIS is a sitting duck
Before Microsoft got its security act together, one of their most vulnerable products was one of the most exposed: IIS (Internet Information Server), the web server that comes with Windows. Both the Code Red and Nimda botnets were highly successful in exploiting vulnerabilities simply by sending HTTP requests to IIS servers.
eEye Digital Security employees Marc Maiffret and Ryan Permeh named it "Code Red" because Code Red Mountain Dew was what they were drinking at the time.
Code Red was the first widespread use of IIS vulnerabilities and must have been one of the major motivations behind Bill Gates's decision to make security a major priority at Microsoft. Within a few years IIS did a Charles Atlas, going from 90-pound security weakling to the most secure web server available. But at the time, IIS's reputation was deservedly in the gutter.
Nimda was also a pioneer in the use of multiple infection vectors: besides IIS, it could spread via email, network shares, by surfing compromised web sites, and through back doors left by other bots.