Will the World End on Wednesday?

 
 
By Larry Seltzer  |  Posted 2009-03-30
 
 
 

There's no question that Conficker is the most significant malware, and certainly the most significant worm, of the last year, and probably the last few years. It's versatile ("blended" is the malware term), well-designed and run by what appears to be a well-organized gang. The A and B variants of the worm built up a botnet estimated at up to 15 million systems.

So the news that Conficker.C, the new major variant of the worm, will "do something" on April 1 is good reason to wonder what will happen. There has been a lot of dark warning about this date, all of it coming out of uncertainty: We don't know what will happen, therefore what will happen could be truly horrible. Conficker is also known by the name Downadup by many vendors, including Symantec.

I think that a long and detailed analysis of Conficker by SRI International which explained the sophistication with which the code, including the C variant, was developed, inspired many a deeply concerned quote from a security expert. The hysteria record surely belongs to "millions of computers expected destroyed, Fear worm spreads." Everyone's getting into the act. Symantec even reports that fake anti-malware products are poisoning Google searches for Conficker to push their unrelated wares.

I haven't personally examined Conficker.C, but every analysis I've read of it indicates that it's a better Conficker than B in many ways and a significant upgrade. It seems, for example, to be state-of-the-art at disabling security software running on systems it infects. But what can it possibly do that a world of other malware has failed to do?

I have a general philosophy about attacks like these: Anyone who's vulnerable to them has almost certainly been hit already. If they don't have Conficker, they have Vundo or Koobface or some other horrible malicious program running on their system. How much worse can Conficker make things? Perhaps they'll actually notice they have a problem.

On the other hand we have people who take minimal precautions, usually free, to protect themselves from attack, and they're largely almost certainly protected against anything Conficker.C has to throw at them.

There are two big reasons (and lots of smaller ones) to believe that Wednesday won't bring us a major Internet event: first, there's reason to believe that not many of the systems in the Conficker botnet have been upgraded to the C variant. Nobody really know for sure, just as nobody knows the true size of the botnet. Sophos told me that the reports from their customers show C as 6 percent of the Conficker samples. Microsoft's Malware Protection Center also says they have observed a "relatively small number of Conficker.D-infected machines" (Conficker.C is Conficker.D to Microsoft).

And in the big picture, Conficker just isn't a high-volume piece of malware. Check prevalence lists and you'll see a lot of other threats up much higher. Note that Symantec calls Downadup a "low" threat.

As a blended threat, Conficker has many ways to attack, from copying itself to weakly protected network shares to USB drives, but almost all systems infected with it were infected through the MS08-067 RPC vulnerability in Windows, a patch for which was available two months before Conficker ever appeared. And it probably only ever successfully attacked XP systems; while Vista is technically vulnerable, exploiting it is almost impossible. My guess is that the MS08-067 hole will remain the main mode of attack for Conficker and the main thing making it stand out from the rest of the malware pack.

But if you install patches on a reasonable schedule, and you have other reasonable software such as firewalls in place, it can't get you. Throw in some common sense about these things and you'll be just fine.

I agree with the Internet Storm Center at SANS when it says, "Based on these facts and a wealth of other information, we at the Internet Storm Center believe that April 1we be more or less, business as usual." I know I'm not worried that Conficker.C will do anything to me on Wednesday. If there were something it could have done. it would have been done to me already.

Security Center Editor Larry Seltzer has worked in and written about the computer industry since 1983.

For insights on security coverage around the Web, take a look at eWEEK.com Security Center Editor Larry Seltzer's blog Cheap Hack.

Rocket Fuel