Conficker - a whole lot of bother about nothing?

Opinion by draywood

Over the last week there has been one topic of conversation – the Conficker worm.

Over the last week there has been one topic of conversation – the Conficker worm.


The coverage of this particular worm has led me to one conclusion, is the author simply looking for publicity, and is he/they planning to do nothing at midnight tonight? After all, the object of the likes of the Melissa and ‘I love you’ viruses were to cause annoyance to the recipient as it launched a denial of service attack, gaining maximum publicity for the author.


It is without doubt that Irene and Onel de Guzman and David L. Smith achieved levels of notoriety, but could the author(s) of Conficker be set to overtake them by miles?


After all, metres of coverage has been dedicated to coverage of Conficker and what could possibly happen at midnight tonight, as well as advice on what it is, how to protect against it and why this is all a huge storm in a teacup.


To follow procedure though, I have been looking at some of the blogs around the security arena to gauge the various opinions of the worm, and there is a general consensus that not a lot is going to happen.


US-CERT encouraged home users to apply a simple test for an infection, and offered links to the Symantec, Microsoft and McAfee websites – as ‘if a user is unable to reach any of these websites, it may indicate a Conficker/Downadup infection’.


What about the array of expertise from across the industry, what are the opinions from the CEOs and security researchers, and are they saying anything remarkably different from each other? Here are some highlights that I have found over the past few hours:



Mary Landesman, senior security researcher at ScanSafe - "I you want to prevent that worm just install the MS08-067 patch and disable autorun the proper way. But really, while Conficker may be a very noticeable in-your-face headache, the malware we should be most concerned about are the surreptitious and hugely increased numbers of data theft Trojans being delivered via compromised sites." 



Stacey Lum, CEO and CTO of InfoExpress - "The outbreak of the Conficker worm spotlights why organisations need to keep their anti-virus and Windows patches up to date, and identify systems that may be compromised. One of the most effective methods of preventing damage from malware is to use Network Access Control to ensure compliance, isolate infected systems, and repair systems as needed.  By keeping endpoints healthy and authorizing access to the network, Network Access Control can ensure the network is free of worms."



Randy Abrams, director of technical education at ESET – "There is a lot of talk about the Conficker worm. A worm that ‘triggers’ on 1st April, except it doesn’t really do too much that is special or of importance to most users on 1st April.  Highly irrational thinking, concerning the Conficker worm is rampant. People see the hype and start to focus on “How do I know if I have Conficker and how do I prevent it?” when the rational approach is how do I make sure I am not infected with anything and how do I make sure I don’t get infected? There are far worse problems out there than Conficker and if you only focus on Conficker then you are diverting attention away from truly being secure.

"On the 1st April your computer is not going to melt down due to Conficker. The only thing that Conficker is going to do on 1st April is re-route communications links between Italy and France causing worldwide pizza orders to be delivered with snails instead of pepperoni. OK, if I said that on 1st April you would have known it is a joke.


"Yeah, Conficker is a serious problem, but not for home and corporate users who employ best practices already. The real problem is for the security professionals trying to prevent the worm from impacting the millions of people who fail to learn anything about security."



Nicolas Brulez and Elad Sharf, security researchers at Websense - "Given the industry efforts to mitigate this problem, one of the obvious predictions is that the worm's authors will try to preserve the number of infected bots as much as possible. One of the potential options is to actually update the worm to download instructions from compromised websites. This move could actually disrupt the Cabal group efforts, since it's easier to stop the registration of new domains, and harder to take down and stop compromised domains with good reputations.


"We also predict that Conficker will re-start and continue propagation through a spam based mechanism. If they're indeed a China based group they'll need some Western-based connections to commit cyber crimes more effectively. Establishing these connections is what we suspect they have been doing in the meantime. 

"Conficker is a large botnet that has a lot of potential to do harm. It hasn't happened just yet, and most security vendors predict it won't happen necessarily on 1st April, and we agree. However, the bot gives its perpetrators a lot of power, and at some point, we believe, that Conficker will do something "bad" on infected machines like, stealing data, sending spam, issuing DDOS attacks, and more."



Christopher Budd, security response communications lead for Microsoft - "While any malware attack is cause for concern, customers who continue to follow the guidance we’ve always given, such as: apply security updates, update security software signatures and clean infected systems, should look at the latest version of Conficker like other malware attacks: a manageable cause for concern."


Joe Stewart, senior researcher at SecureWorks – "The truth is, there will be no 1st April outbreak, despite what some of the press stories have said so far. The only thing that will happen with Conficker on 1st April is that already-infected systems will begin to use a new algorithm to locate potential update servers. There, that’s not so scary, is it?"



Alex Eckelberry, CEO of Sunbelt - "All that happens on 1st April is that Conficker’s next stage goes into place on already infected systems.  This does not mean masses of new users will be infected.  This seems to be the confusion. Nevertheless, Conficker is being really hyped as something terrifying on 1st April. It's true that ‘something’ will happen on 1st April, but you need to be infected first with the worm for this event to affect you. If you're not infected, nothing will happen."


If you are still worried, you could visit anyone of the above bloggers’ websites for advice, or check Dave Hartley’s extensive evaluation of the worm, which is featured above this post. Obviously only time will tell, but with a consensus giving advice not to panic, I can’t help feeling that waking up tomorrow will bring little concern and a Y2K-esque, ‘what was all the fuss about’.


Find this article useful?

Get more great articles like this in your inbox every lunchtime

Upcoming Events