The security industry is contemplating the post-Conficker apocalypse. Good thing I still have all the guns, ammo and water from my Y2K preparations.
There's no question that Conficker is the most significant malware,
and certainly the most significant worm, of the last year, and probably
the last few years. It's versatile ("blended" is the malware term),
well-designed and run by what appears to be a well-organized gang. The A
and B variants of the worm built up a botnet estimated at up to 15 million systems.
So the news that Conficker.C, the new major variant of the worm, will
"do something" on April 1 is good reason to wonder what will happen.
There has been a lot of dark warning about this date, all of it coming
out of uncertainty: We don't know what will happen, therefore what will
happen could be truly horrible. Conficker is also known by the name
Downadup by many vendors, including Symantec.
I haven't personally examined Conficker.C, but every analysis I've
read of it indicates that it's a better Conficker than B in many ways
and a significant upgrade. It seems, for example, to be state-of-the-art
at disabling security software running on systems it infects. But what
can it possibly do that a world of other malware has failed to do?
I have a general philosophy about attacks like these: Anyone who's
vulnerable to them has almost certainly been hit already. If they don't
have Conficker, they have Vundo or Koobface or some other horrible
malicious program running on their system. How much worse can Conficker
make things? Perhaps they'll actually notice they have a problem.
On the other hand we have people who take minimal precautions,
usually free, to protect themselves from attack, and they're largely
almost certainly protected against anything Conficker.C has to throw at
There are two big reasons (and lots of smaller ones) to believe that
Wednesday won't bring us a major Internet event: first, there's reason
to believe that not many of the systems in the Conficker botnet have
been upgraded to the C variant. Nobody really knows for sure, just as
nobody knows the true size of the botnet. Sophos told me that the
reports from their customers show C as 6 percent of the Conficker samples.
Microsoft's Malware Protection Center also says they have observed a "relatively small
number of Conficker.D-infected machines" (Conficker.C is Conficker.D to Microsoft).
And in the big picture, Conficker just isn't a high-volume piece of
malware. Check prevalence lists and you'll see a lot of other threats up
much higher. Note that Symantec calls Downadup a "low" threat.
As a blended threat, Conficker has many ways to attack, from
copying itself to weakly protected network shares to USB drives, but
almost all systems infected with it were infected through the
MS08-067 RPC vulnerability in Windows, a patch for which was
available two months before Conficker ever appeared. And it probably only
ever successfully attacked XP systems; while Vista is technically
vulnerable, exploiting it is almost impossible. My guess is that the
MS08-067 hole will remain the main mode of attack for Conficker and the
main thing making it stand out from the rest of the malware pack.
But if you install patches on a reasonable schedule, and you have
other reasonable software such as firewalls in place, it can't get you.
Throw in some common sense about these things and you'll be just
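A defender's self-check for the column's own three points (the MS08-067 patch, a firewall, and the USB vector), as an added example rather than anything from the column. It assumes KB958644 is the hotfix id for MS08-067, the Vista-or-later netsh syntax, and the standard NoDriveTypeAutoRun policy value as the AutoRun control; none of those are stated on the page.

```powershell
# Added example, not from the column. Assumptions: the MS08-067 hotfix id is
# KB958644 (not stated on the page); netsh uses the Vista-and-later syntax;
# AutoRun for removable media is controlled by the NoDriveTypeAutoRun value.
function Test-ConfickerExposure {
    $report = [ordered]@{}

    # 1. Is the MS08-067 patch present? Get-HotFix writes a non-terminating
    #    error when the id is absent, so silence it and test for a result.
    $hotfix = Get-HotFix -Id 'KB958644' -ErrorAction SilentlyContinue
    $report['MS08-067 patched'] = [bool]$hotfix

    # 2. Is the Windows Firewall on for every profile? Any 'State OFF' fails.
    $fwState = netsh advfirewall show allprofiles state
    $report['Firewall on (all profiles)'] = -not ($fwState -match 'State\s+OFF')

    # 3. Is AutoRun disabled for every drive type (0xFF)? Covers USB drives.
    $polKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    $autoRun = (Get-ItemProperty -Path $polKey -Name NoDriveTypeAutoRun `
                -ErrorAction SilentlyContinue).NoDriveTypeAutoRun
    $report['AutoRun disabled'] = ($autoRun -eq 0xFF)

    return $report
}

# One verdict line per check; any FAIL is a gap the column says to close.
$result = Test-ConfickerExposure
foreach ($check in $result.Keys) {
    $status = if ($result[$check]) { 'OK  ' } else { 'FAIL' }
    Write-Output ("[{0}] {1}" -f $status, $check)
}
```

Run it in an elevated PowerShell session; reading the policy key does not need elevation, but netsh and Get-HotFix give fuller results with it.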
I agree with the Internet Storm
Center at SANS when it says, "Based on these facts and a wealth of
other information, we at the Internet Storm Center believe that April
1 will be more or less, business as usual." I know I'm not worried that
Conficker.C will do anything to me on Wednesday. If there were something
it could have done, it would have been done to me already.
Security Center Editor Larry Seltzer has worked in and written about the computer industry since 1983. For insights on security coverage around the Web, take a look at eWEEK.com Security Center Editor Larry Seltzer's blog Cheap Hack.