The Real World of Malware: News from the Front

By Larry Seltzer  |  Posted 2009-03-31 Print this article Print

Malware-cleaning professionals are very aware of Conficker and are seeing it, but not that much. They do see a lot of other malware, which, for some reason, doesn't inspire a media storm.

It's April 1 (at least in some parts of the world) and the Conficker assault has begun. I'm going to assume that few, if any of us have noticed anything as a result. As a further perspective-generating measure, it might be a good idea now to note that there is a lot of real malware out there causing havoc. I may have ridiculed the hysteria over Conficker some, but real people all over the United States and the rest of the world get hit by malware attacks all the time.

It's just about always preventable, but it's definitely real. And there are a lot of malware apps out there spreading rapidly, or at least trying to, and presenting more of a day-to-day threat than Conficker does. Conficker itself is not a small problem, it's just that it's nowhere near as big a problem as it's made out to be.

A friend of mine who is a former hotshot editor and tech guru for major newspapers now makes a living doing computer consulting for consumers and small businesses. His bread and butter these days is malware repair. He's doing at least one a day at $250 a pop minimum. He's asked me to lay off on the Russian gangsters and others sending malware this way because they're keeping him in the lifestyle to which he has become accustomed.

He sees a lot of different malware. Vundo is a common one, as are various rootkits. My friend has even seen some Windows rogue anti-malware attempting to attack Macs. It's kind of pathetic actually; Mac/Safari users are redirected to another site where their C: drive is scanned and Windows viruses are found. Shocking.

He thinks he has seen at most one copy of Conficker in the wild. This is what I've heard from others, at least in the United States. It's hard to tell for sure, but it seems as if the United States is not one of the main Conficker targets, at least not among consumers.

What are the big threats out there? I asked some real anti-malware companies for their latest "Top Threat" lists. Trend Micro makes it easy with these malware maps and top 10 charts. The list is largely populated by variants of Vundo and MAL_OTORUN, a series of worms that wrote themselves to Autorun.inf files long before Conficker was acclaimed for inventing the technique by people who don't follow malware, except when it's covered in The New York Times.

Kaspersky has a similar, but more complicated story. Conficker has been in their its top 20-30 detections for the last couple of days and, according to Roel Schouwenberg, senior anti-virus researcher, accounts for "... a little less than 1 percent of our daily signature detections." It's not clear that this is a true measure of its impact since Kaspersky has had very good detection of Conficker, as probably have all of the top anti-virus companies. It's not their customers who are infected with Conficker.

But all that proves is that there's no proof it's not a big problem, just as there's no proof it is one, compared with other malware. Kaspersky's top threat detections are the Virut and Sality file infectors, as well as the Sonahad IM-Worm, Brontok Email-Worm, a number of AutoRun worms and heuristics detections.

And even these second- or third-tier numbers don't show how overstated the hype all is, since Conficker.C, the "scary" version, is likely a small fraction of the total Conficker population. The A and B machines have largely been neutered.

As our Matt Hines put it recently, Conficker is the Paris Hilton of malware. It's famous for being famous. It's not nothing, but in the major leagues of malware it's a bench player.

Security Center Editor Larry Seltzer has worked in and written about the computer industry since 1983.

For insights on security coverage around the Web, take a look at Security Center Editor Larry Seltzer's blog Cheap Hack

Larry Seltzer has been writing software for and English about computers ever since—,much to his own amazement—,he graduated from the University of Pennsylvania in 1983.

He was one of the authors of NPL and NPL-R, fourth-generation languages for microcomputers by the now-defunct DeskTop Software Corporation. (Larry is sad to find absolutely no hits on any of these +products on Google.) His work at Desktop Software included programming the UCSD p-System, a virtual machine-based operating system with portable binaries that pre-dated Java by more than 10 years.

For several years, he wrote corporate software for Mathematica Policy Research (they're still in business!) and Chase Econometrics (not so lucky) before being forcibly thrown into the consulting market. He bummed around the Philadelphia consulting and contract-programming scenes for a year or two before taking a job at NSTL (National Software Testing Labs) developing product tests and managing contract testing for the computer industry, governments and publication.

In 1991 Larry moved to Massachusetts to become Technical Director of PC Week Labs (now eWeek Labs). He moved within Ziff Davis to New York in 1994 to run testing at Windows Sources. In 1995, he became Technical Director for Internet product testing at PC Magazine and stayed there till 1998.

Since then, he has been writing for numerous other publications, including Fortune Small Business, Windows 2000 Magazine (now Windows and .NET Magazine), ZDNet and Sam Whitmore's Media Survey.

Submit a Comment

Loading Comments...
Manage your Newsletters: Login   Register My Newsletters

Rocket Fuel