The Real World of Malware: News from the Front

Malware-cleaning professionals are very aware of Conficker and are seeing it, but not that much. They do see a lot of other malware, which, for some reason, doesn't inspire a media storm.

It's April 1 (at least in some parts of the world) and the Conficker assault has begun. I'm going to assume that few, if any of us have noticed anything as a result. As a further perspective-generating measure, it might be a good idea now to note that there is a lot of real malware out there causing havoc. I may have ridiculed the hysteria over Conficker some, but real people all over the United States and the rest of the world get hit by malware attacks all the time.

It's just about always preventable, but it's definitely real. And there are a lot of malware apps out there spreading rapidly, or at least trying to, and presenting more of a day-to-day threat than Conficker does. Conficker itself is not a small problem, it's just that it's nowhere near as big a problem as it's made out to be.

A friend of mine who is a former hotshot editor and tech guru for major newspapers now makes a living doing computer consulting for consumers and small businesses. His bread and butter these days is malware repair. He's doing at least one a day at $250 a pop minimum. He's asked me to lay off on the Russian gangsters and others sending malware this way because they're keeping him in the lifestyle to which he has become accustomed.

He sees a lot of different malware. Vundo is a common one, as are various rootkits. My friend has even seen some Windows rogue anti-malware attempting to attack Macs. It's kind of pathetic actually; Mac/Safari users are redirected to another site where their C: drive is scanned and Windows viruses are found. Shocking.

He thinks he has seen at most one copy of Conficker in the wild. This is what I've heard from others, at least in the United States. It's hard to tell for sure, but it seems as if the United States is not one of the main Conficker targets, at least not among consumers.

What are the big threats out there? I asked some real anti-malware companies for their latest "Top Threat" lists. Trend Micro makes it easy with these malware maps and top 10 charts. The list is largely populated by variants of Vundo and MAL_OTORUN, a series of worms that wrote themselves to Autorun.inf files long before Conficker was acclaimed for inventing the technique by people who don't follow malware, except when it's covered in The New York Times.

Kaspersky has a similar, but more complicated story. Conficker has been in their its top 20-30 detections for the last couple of days and, according to Roel Schouwenberg, senior anti-virus researcher, accounts for "... a little less than 1 percent of our daily signature detections." It's not clear that this is a true measure of its impact since Kaspersky has had very good detection of Conficker, as probably have all of the top anti-virus companies. It's not their customers who are infected with Conficker.

But all that proves is that there's no proof it's not a big problem, just as there's no proof it is one, compared with other malware. Kaspersky's top threat detections are the Virut and Sality file infectors, as well as the Sonahad IM-Worm, Brontok Email-Worm, a number of AutoRun worms and heuristics detections.

And even these second- or third-tier numbers don't show how overstated the hype all is, since Conficker.C, the "scary" version, is likely a small fraction of the total Conficker population. The A and B machines have largely been neutered.

As our Matt Hines put it recently, Conficker is the Paris Hilton of malware. It's famous for being famous. It's not nothing, but in the major leagues of malware it's a bench player.

Security Center Editor Larry Seltzer has worked in and written about the computer industry since 1983.

For insights on security coverage around the Web, take a look at Security Center Editor Larry Seltzer's blog Cheap Hack