Industry Vets Largely Unphased by Conficker
So, tomorrow we find out if Conficker is a big joke, a Y2K-type predicament, or a really big deal. Or so some people say...
But it would seem that the elder statesmen of the industry have done their homework, and been around the block enough times, to see the threat for what most experienced researchers seem to think it is... just another rapidly propagating botnet/Worm threat.
For the last several days, leading researchers from most the of major AV shops have gone on the record as saying that they don't believe that April 1 will turn out to be a historic day in relation to any malware attacks.
On the eve of the much-awaited date, one of the industry's most consistent voices, Gartner's John Pescatore, offered his own estimation that tomorrow likely won't represent any kind of significant landmark to that end.
"The Conficker worm represents a serious threat to enterprise and home PCs, but the approaching 'deadline' is not as urgent as the media hype suggests," the analyst said in a research note in which he said that Gartner does not expect a "widespread system meltdown" driven by Conficker. "Enterprises should be much more concerned about unrecognized threats."
In addition to all the media hype being given over to Conficker, which has put IT departments around the globe on alert to watch out for the program, security researchers and vulnerability assessment (VA) technology providers s have devised methods to ID the attack, all of which should help limit its impact, Pecatore said.
While Conficker employs sophisticated techniques to make it appear that an infected machine has been patched, and uses encryption, among other ploys, to evade detection and communicate with malicious command-and-control servers, with so many people watching out for the attack, any "spectacularly damaging event" will likely be avoided, even if the attack does indeed take off in some manner tomorrow, the expert said.
"Despite Conficker's unusual sophistication, most detailed analyses of the worm's code have shown there is no 'apocalyptic' event slated for 1 April. On that date, one of the more recent Conficker variants will dramatically increase the number of domain names that may potentially host malicious servers. This will increase the pressure on simple URL blocking techniques, but will not significantly increase the threat level, because compromised machines already have many communications capabilities," Pescatore said. "The most likely outcome on 1 April is denial-of-service conditions resulting from increases in network bandwidth."
However, to help set their minds at ease, the analyst offered some tips to security staffers charged with keeping an eye on Conficker tomorrow.
According to Gartner, enterprise security professionals should:
-Monitor credible sources for information on Conficker, which is being updated almost continuously.
-Contact providers of vulnerability assessment technology to ensure that their capabilities have been updated to detect PCs compromised by Conficker. Make VA scans of all PCs a critical priority.
-Review URL blocking and inbound malware secure Web gateway capabilities and network access control capabilities to ensure that the most aggressive possible short-term stance is being taken against Conficker.
-If employees are permitted to use their own PCs for business purposes, inform them of the urgency of checking and cleansing their PCs and instruct them about how to do so.
-Place prominent warnings on enterprise Web sites directing consumers to antivirus sites with information on how to check their PCs
In about one hour we see if anything is going here in the U.S.
So far, overseas, it doesn't appear that Conficker is blowing up.
Matt Hines has been following the IT industry for over a decade as a reporter and blogger, and has been specifically focused on the security space since 2003, including a previous stint writing for eWeek and contributing to the Security Watch blog. Hines is currently employed as marketing communications manager at Core Security Technologies, a Boston-based maker of security testing software. The views expressed herein do not necessarily represent the views of Core Security, and neither the company, nor its products and services will be actively discussed in the blog. Please send news, research or tips to SecurityWatchBlog@gmail.com.