Published: 2009-04-24
SAN FRANCISCO -- With the Conficker worm still squirming worldwide, operating-system vendors and security firms should search for lessons in the success of the malicious program, especially its ability to attack the update mechanisms used by Windows and security software while surviving removal efforts, said two researchers at the RSA Security Conference.
Conficker has a long list of techniques for preventing operating systems from updating and stopping security software from removing the program, Phil Porras, director of systems security research at SRI International, said during a presentation on Friday. Software makers also need to do a better job of hardening their own programs, he said.
"Security defenses not only have to be inside the hosts and defending the systems ... but they have to better defend themselves from attack," Porras said.
Earlier this month, the Conficker worm completed its latest update, and infected PCs began downloading new commands to modify how the program functions. The latest modifications to the program, also referred to as Downad, Downadup and Kido by different security companies, reactivated the worm's ability to spread using a flaw in Microsoft Windows and redirected most communications through the program's peer-to-peer network, researchers said.
The latest version of Conficker also employs a broad selection of anti-security technologies. The malicious program cloaks its presence from the user, blocks the computer from reaching more than 100 security and patch sites, creates an assassin process that kills almost two dozen different security and update programs, and reconfigures the Microsoft firewall to allow it to use key ports. There is no reason the authors of Conficker would not continue to add to their tool kit of anti-security technologies, Porras said.
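A defender-side triage check for the first of those behaviours, the blocking of security and patch sites, as an added example that is not code from the article or from the researchers it quotes: it compares name resolution for a set of security/patch hostnames against unrelated control hostnames (both lists are constructed placeholders) and only flags a pattern when the controls resolve but most of the security sites do not. The resolver is injectable so the check runs offline against a simulated host.

```python
import socket
from typing import Callable, Dict, Iterable, List

# Constructed sample hostnames (not from the article). SECURITY_HOSTS stand in
# for the vendor and patch sites the worm is described as blocking;
# CONTROL_HOSTS are unrelated sites that give a baseline, so a plain network
# outage is not mistaken for targeted blocking.
SECURITY_HOSTS = ["update.example-av.test", "patch.example-os.test",
                  "download.example-sec.test"]
CONTROL_HOSTS = ["www.example-news.test", "www.example-shop.test"]

def system_resolver(host: str) -> bool:
    """Resolve through the OS; True if the name resolves (needs a network)."""
    try:
        socket.gethostbyname(host)
        return True
    except socket.gaierror:
        return False

def make_simulated_resolver(blocked: Iterable[str]) -> Callable[[str], bool]:
    """Offline stand-in: every name resolves except those in 'blocked'."""
    blocked_set = set(blocked)
    return lambda host: host not in blocked_set

def assess_blocking(resolve: Callable[[str], bool],
                    security_hosts: List[str] = SECURITY_HOSTS,
                    control_hosts: List[str] = CONTROL_HOSTS) -> Dict[str, object]:
    """Compare resolution of security/patch sites against control sites.
    inconclusive: a control site failed, so the network itself may be down.
    selective-blocking-suspected: controls resolve but most security sites
    do not, which is the pattern the article attributes to the worm.
    no-selective-blocking: nothing unusual seen.
    """
    control_ok = all(resolve(h) for h in control_hosts)
    failed = [h for h in security_hosts if not resolve(h)]
    if not control_ok:
        verdict = "inconclusive"
    elif len(failed) * 2 > len(security_hosts):  # majority of security sites fail
        verdict = "selective-blocking-suspected"
    else:
        verdict = "no-selective-blocking"
    return {"verdict": verdict, "failed_security_hosts": failed}

if __name__ == "__main__":
    # Offline demonstration with the security sites blocked; pass
    # system_resolver instead to check a live host.
    print(assess_blocking(make_simulated_resolver(SECURITY_HOSTS)))
```

Treat the verdict as a triage signal rather than proof: a proxy or egress policy that filters download sites produces the same pattern, so confirm with a scan from a known-clean host.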
"As bad guys build this library to go off and assassinate the defensive technology, (the question is) what sort of technology should Microsoft and other companies put in to make unkillable security," he said.
In an interview following the presentation, security researcher Joe Stewart agreed. He suggested that software companies could learn to make their updates harder to stop by using peer-to-peer networking in the same way that Conficker used peer-to-peer links to update itself when the Conficker Working Group, a group of more than 300 industry researchers attempting to blunt the impact of the worm, blocked access to the Internet rendezvous points.
"They adapted some of our tactics," said Stewart, who works for security firm SecureWorks. "Maybe we have to adopt some of their tactics."
Posted by: Robert Lemos
