Conficker's April Fools Fizzled, But Threat Remains
Security experts selling weapons to ward off the dreaded Conficker warned anyone who would listen that April 1 could be a day of destruction, as millions of infected machines started phoning home for malicious software updates. Of course, not only was April Fool's Day a non-event for Conficker, but now comes news that there are far fewer than millions of systems infected with this version of the worm.
Earlier in the week Security Fix reported that only six percent of the world's Conficker-infected systems are in North America, let alone the United States. On Thursday, the researchers who brought us that news - from Atlanta-based Internet Security Systems - published their best guess of how many Windows systems are infected with Conficker.C, the only version of the worm that instructs computers to search the Internet and private P2P networks for updates after April 1.
ISS's Holly Stewart writes that the company has tracked about a quarter of a million unique systems infected with Conficker.C since March 26. Stewart notes those figures are conservative, given that ISS can't see all of the Internet addresses in the world. ISS further estimates that the network traffic generated by Conficker.C systems seeking updates online represents about four percent of the malicious traffic generated by malware daily around the globe.
But whatever the number of infected machines, I think one important aspect of this and other date-based threats like Conficker is in danger of being overlooked amid all the I-told-you-sos and the nothing-to-see-here-move-along type sentiments.
In one sense, the response to Conficker could be compared to that of Y2K: A great many smart people threw a whole lot of resources and energy at a fairly complex problem and managed to turn a potentially very ugly situation into a relative non-event.
The same thing could be said of the response to this worm by the "Conficker Cabal," a group of security experts, anti-virus vendors, policymakers and private researchers who teamed together with dozens of governments to blunt this threat.
One explanation for why Conficker was such a non-event may be that the louder a piece of malware is, the more it is going to draw the attention and resistance of the anti-virus community and security researchers. Lawrence Baldwin, founder of Atlanta-based security consultancy myNetWatchman, puts it more eloquently:
"Anti-virus products basically suck, with one exception: If the threat is on CNN, you can be sure they have a signature to detect it, because if your product doesn't detect something that's on CNN, you're screwed," Baldwin said. "With a worm like this that's so mysterious and successful, it's almost a self-correcting system, because suddenly everyone is going to focus all of their attention on fighting it."
One problem with over-hyped threats that fail to live up to expectations (as they invariably do) is that they tend to desensitize the average user to more insidious, stealthier threats, Baldwin said.
"The problem is that Conficker is one of a million other active threats, and most of the rest are taking a much more stealthy approach," Baldwin said. "Yes, threats like Conficker can grow to a high enough visibility level that it potentially put us in a position to educate the masses, but by that very same event those threats soon become irrelevant because so much visibility is created around them to mitigate them."
All of that said, the truth is that the threat from Conficker is as real today as it was three days ago on April 1: The worm's author(s) could easily decide to wait until everyone's guard is down to instruct all infected systems to update themselves with additional malicious components, or to attack some target online or start blasting spam.
If you haven't checked, or are still concerned that your Microsoft Windows system may be infected with this worm, the Conficker Working Group has produced a clever Conficker Eye Chart that should help you figure that out. My colleague Rob Pegoraro has put together a primer with resources to help users whose systems may have been sickened with this worm.
April 3, 2009; 9:26 AM ET
Categories: From the Bunker , Latest Warnings | Tags: conficker worm, dud, hype, lawrence baldwin