The security industry is contemplating the post-Conficker apocalypse. Good thing I still have all the guns, ammo and water from my Y2K preparations.
There's no question that Conficker is the most significant malware,
and certainly the most significant worm, of the last year, and probably
the last few years. It's versatile ("blended" is the malware term),
well-designed and run by what appears to be a well-organized gang. The A
and B variants of the worm built up a botnet estimated at up to 15 million systems
So the news that Conficker.C, the new major variant of the worm, will
"do something" on April 1 is good reason to wonder what will happen.
There has been a lot of dark warning about this date, all of it coming
out of uncertainty: We don't know what will happen, therefore what will
happen could be truly horrible. Conficker is also known by the name
Downadup by many vendors, including Symantec
I think that a long
and detailed analysis of Conficker by SRI International
explained the sophistication with which the code, including the C
variant, was developed, inspired many a deeply concerned quote from a
security expert. The hysteria record surely belongs to "millions of computers
expected destroyed, Fear worm spreads
." Everyone's getting into the
act. Symantec even reports that fake anti-malware
products are poisoning Google searches for Conficker to push their
I haven't personally examined Conficker.C, but every analysis I've
read of it indicates that it's a better Conficker than B in many ways
and a significant upgrade. It seems, for example, to be state-of-the-art
at disabling security software running on systems it infects. But what
can it possibly do that a world of other malware has failed to do?
I have a general philosophy about attacks like these: Anyone who's
vulnerable to them has almost certainly been hit already. If they don't
have Conficker, they have Vundo or Koobface or some other horrible
malicious program running on their system. How much worse can Conficker
make things? Perhaps they'll actually notice they have a problem.
On the other hand we have people who take minimal precautions,
usually free, to protect themselves from attack, and they're largely
almost certainly protected against anything Conficker.C has to throw at
There are two big reasons (and lots of smaller ones) to believe that
Wednesday won't bring us a major Internet event: first, there's reason
to believe that not many of the systems in the Conficker botnet have
been upgraded to the C variant. Nobody really know for sure, just as
nobody knows the true size of the botnet. Sophos told me that the
reports from their customers show C as 6 percent of the Conficker samples.
Microsoft's Malware Protection Center also says they have observed a "relatively small
number of Conficker.D-infected machines"
(Conficker.C is Conficker.D to Microsoft
And in the big picture, Conficker just isn't a high-volume piece of
malware. Check prevalence lists and you'll see a lot of other threats up
much higher. Note that Symantec calls Downadup a "low" threat.
As a blended threat, Conficker has many ways to attack, from
copying itself to weakly protected network shares to USB drives, but
almost all systems infected with it were infected through the
MS08-067 RPC vulnerability in Windows
, a patch for which was
available two months before Conficker ever appeared. And it probably only
ever successfully attacked XP systems; while Vista is technically
vulnerable, exploiting it is almost impossible. My guess is that the
MS08-067 hole will remain the main mode of attack for Conficker and the
main thing making it stand out from the rest of the malware pack.
But if you install patches on a reasonable schedule, and you have
other reasonable software such as firewalls in place, it can't get you.
Throw in some common sense about these things and you'll be just
I agree with the Internet Storm
Center at SANS when it says,
"Based on these facts and a wealth of
other information, we at the Internet Storm Center believe that April
1we be more or less, business as usual." I know I'm not worried that
Conficker.C will do anything to me on Wednesday. If there were something
it could have done. it would have been done to me already.
Security Center Editor Larry Seltzer
has worked in and written about the computer industry since
For insights on security coverage around the Web, take a look at
eWEEK.com Security Center Editor Larry Seltzer's blog Cheap Hack.