The Conficker.C worm is expected to strike April 1 and detection tools are available. At the same time, security vendors are going into overdrive to ride the wave of publicity to get their brands and products exposure. While Conficker is serious, separating reality from hype proves difficult.
When the clock strikes midnight tonight, Conficker.C—the worm on everyone’s mind for the last week—will phone home for new instructions, kick into overdrive, steal every piece of data it can find and—if you believe the hype—destroy the Internet as we know it.
Well, at least that’s what the hype machine would have you believe. Security vendors and their PR firms have gone into overdrive, using Conficker as opportunity to hock their wares and services. The level of static and hyperbole has been so high that one vendor, Symantec, even went as far as to state that Web surfers looking for information on Conficker could expose themselves to infection.
Before getting into the hype, let’s dispense with the realities.
The reality is Conficker.C—the anticipated new variant of the worm first detected in November 2008, is expected to activate, update and begin infecting a new wave of vulnerable PCs around the world. While there’s near universal agreement that Conficker is a serious threat, security experts disagree over the severity or how widespread the threat will be should the worm active 1 April, as predicted.
What makes Conficker potentially dangerous is that variant C is likely to have nearly 85 percent new code, making it nearly transparent to conventional pattern-matching anti-virus and malware detection scanners. And because it will update with new instructions, some experts believe heuristics engines may have a difficult time determining its malicious intent.
The Department of Homeland Security has released a tool for detecting the Conficker worm. Additionally, several vendors have released free tools for detecting and removing the worm.
Virus and malware researchers at ICSA Labs, an industry standards based organisation that certifies anti-virus and security software applications, offers this advice for preventing Conficker infection:
1. First the advice – get all the latest security updates from Microsoft for your operating system. This is important to do, not just for this incident but as a regular part of your computing experience.
2. Install and/or update all your security products to their latest levels and make sure it is working properly. This could include anti-virus, anti-spyware, firewall, etc.
3. The Conficker is not going to take over the world on 1 April. The most recent variant is designed to do something on 1 April, which most likely will be to contact one of the 50,000 or so URL’s it creates. This is the outcome of the best research in the world on this worm. No one knows for sure what it will actually do, if anything.
4. This worm is no more dangerous than any other malware in-the-wild. The Conficker stands out because if tries to use USB devices as a medium for infection.
5. Don’t Panic. If you have updated your operating system and security software you should be safe.
ICSA advice is sage, particularly the part about “don’t panic.” The world has lived with self-replicating, self-propagating worms for years. The following is a sampling of some of the statements security vendors and services have made in their press releases.
>> “Conficker’s DDoS capabilities are a side-effect of its proliferation and update capabilities. However, Conficker’s author(s) could weaponise this botnet at any time and launch massive DDoS attacks. We’ve recently seen the number of domains that Conficker can attack in a day grow from 250 to 50,000, and Prolexic has taken the necessary steps to protect its customers from the potential damage that could occur should one of the targeted domains be theirs.”
— Paul Sop, Chief Technology Officer at Prolexic
>> “Personal information is way too valuable to be left on home and business computers unprotected. It should be digitally shredded or encrypted, if saved. Identity Finder is unique, affordable software that prevents identity theft by finding and protecting sensitive data on PCs – the very data targeted by these attacks!”
— Identity Finder press release following a 60 Minutes report on worms
>> “The outbreak of the Conficker worm spotlights why organisations need to keep their AV and Windows patches up to date, and identify systems that may be compromised. One of the most effective methods of preventing damage from malware is to use Network Access Control (NAC) to ensure compliance, isolate infected systems, and repair systems as needed. By keeping endpoints healthy and authorising access to the network, NAC can ensure the network is free of worms like Conficker.”
— Stacey Lum, CEO and CTO of InfoExpress
Not all press releases are designed to put their issuing companies on the wave of publicity of the Conficker worm. Microsoft, for instance, didn’t mention any of its products, but rather issued a £175,000 reward for information about the Conficker author and details about its collaborative efforts to develop tools to identify and stop the worm.
For solution providers, Conficker and similar security events are an opportunity to engage with customers about their security policies and practices. But the lesson coming from the Conficker wave of hyped publicity is contain the message to the essentials, work the problems and vulnerabilities associated with malware. Fear, uncertainty and doubt (FUD) about potential security threats only leads to uncertainty about the messages delivered by security vendors and their solution provider partners.