X

'60 Minutes': What's next for the Conficker worm?

A report on the CBS News television news program examines one of the Internet's most dangerous computer worms.

CBS Interactive staff Special to CNET News
9 min read

Correction, April 1, 9:19 a.m. PDT: "60 Minutes" made a mistake in using a photograph in its story called "The Internet is Infected." The picture was described in the story as a group of young Russian computer hackers, which was inaccurate. The picture, provided to the CBS television news magazine by an Internet security company, had appeared on a Russian hacker magazine Web site.

The following is the updated, corrected transcript and video of the "60 Minutes" report on Internet viruses that aired Sunday.

The Internet is infected. Malicious computer hackers have been creating more and more weapons that they plant on the Internet. They call their weapons viruses and worms--they're creepy, crawly toxic software that contaminate our computers without our ever knowing it. You can be infected by simply visiting your favorite Web site, or just by leaving your computer on, overnight while you're asleep.


And the problem is growing, exponentially. Last year the number of infections tripled. And an entire industry of computer security professionals is in a race to keep the hackers from their goal, which is usually to steal your money.

One of the most dangerous threats ever, a computer worm known as "Conficker," is spreading through the Internet right now. By some estimates, 10 million computers have been infected worldwide.

At Symantec, the company that makes Norton antivirus software, engineers have been tracking Conficker since last November as it worms its way across the globe.

"This map is showing a visual representation of where all of the known infections of Conficker are across the world," explained Steve Trilling, a Symantec vice president who says the worm is now living on millions of computers, mainly in corporations.

So far, the bad guys who created it haven't triggered Conficker. It's just sitting out there like a sleeper cell.

"Imagine a network of spies that has infiltrated a country. And every day, all of the spies are calling in for their instructions on what to do next," Trilling explained.

Asked what the worm is being asked to do, Trilling told Stahl, "That's the interesting thing. The only thing the worm is being asked to do is to ask for further instructions."

For several months, Trilling says the worm has just been sitting there, awaiting instructions.

It's that ominous, because once the hackers issue instructions, Conficker could turn menacing in an instant.

With one click, the worm's creator can instruct it to suck sensitive data, like bank passwords and account numbers, out of millions of computers, or launch a massive spam attack to clog up the works.

The newest targets of worms are social networking sites. Trilling demonstrated to Stahl how it might work.

Looking at a real Facebook page, Trilling explained, "We added your friend and colleague Morley Safer, you can see down there on the left."

He says a worm can crack into a Facebook account, like Morley's, and send a message to anyone on his friends list.

It's a message a friend or colleague, like Stahl, would be sure to open since it comes from a trusted friend. Stahl took the bait and clicked on what looked like Morley's video link.

"Something looks a little off," Trilling remarked. "You're already infected."

As Trilling demonstrated on a second screen, the hacker "owned" Stahl's online movements. "From here on out, everything you do, gonna show up on the hacker's machine," he explained.

So when Stahl typed her username and password into a bank Web site, it appeared instantaneously on the hacker's screen, along with her bank account details.

"Every single keystroke you hit, in fact, if you make a mistake and hit a backspace, that shows up in the window," Trilling explained.

The hacker then followed her around, as she browsed the Internet from CBS News to Amazon.com.

"So, if I buy something, they're gonna have my credit card," Stahl remarked.

"Everything you type in, your address, your credit card, it's all gonna show up in that window," Trilling warned.

A minefield on the Internet
The Internet has become a minefield. Hackers have hidden their malicious software known as "malware" on some of the most trusted Web sites, like eBay, the Miami Dolphins football team, even my.barackobama.com.

Trilling says too few people have top-notch, up-to-date security software.

"There is something that would have prevented me from answering Morley's message. Or I would never have gotten Morley's message?" Stahl asked.

"As soon as you clicked on that link and you had security software, you would immediately get an alert. 'This is a bad Web site.' And it would have blocked the attack. You would have never been hit. Putting on that software, you're preventing yourself from becoming a victim," Trilling advised.

But according to Symantec's own figures, the hackers are inventing up to 15,000 new infections every day, designed specifically to get around the latest anti-virus protections. Symantec has to send out updates every five minutes.

"You sell the antivirus, anti-worm stuff. I mean, how do I know you're not just saying, 'Go out and get this,' 'cause you sell it? I mean, you know... there's a sort of conflict of interest here," Stahl pointed out.

"Well look, Lesley, in 60 minutes we are blocking nearly 400,000 threats around the world. If you're goin' out on the Internet and you're not protected, it's like walkin' outta your house and leavin' the door open," Trilling argued.

But Mary Rappaport says all the doors on her home computer were locked tight. She had antivirus software and a firewall, and so she thought she was safe to do her banking online. But then she noticed something odd going on and called the bank.

"They told me that three charges in the last three days had been made to my account. One for $3,000, one for $4,000, and one for $1,200," she recalled.

Rappaport knew she had to act quickly.

The bank replaced the stolen money and suggested that she merely change her password. That was to be the end of it. But the next day, she was checking her balance. "And I saw $1,000 being moved from my son's savings account into my checking account," she recalled. "Right before my eyes. I saw my money being moved."

A hacker was trying to move all her money into one account, her checking account, to make it easier to transfer overseas. Luckily, the bank was able to freeze her accounts before she lost any more money.

"I had what I thought were adequate protections. You know, I had anti-spyware software," she said. "And antivirus."

"And I thought I had a good enough firewall. Wrong!" Rappaport told Stahl. "My understanding anyway is that they were able to get some sort of bug onto my system that disabled the ability to update these software programs."

Mary suspects her teenage sons picked up the bug while downloading from music or game Web sites. But it could have come from any number of Web sites.

Going to Google
Stahl asked Google what they're doing to deal with these big problems, because their search engine is what most people use to surf the net.

Stahl went to talk to Vint Cerf, one of the founding fathers of the Internet, and now a vice president at Google. The company itself says that one in every 100 Google searches brings up an infected site.

"People are blaming Google 'cause if you do the search, they say, you--Google--should be responsible if we get infected," Stahl remarked. "Now you've heard that."

"I have heard that, and I think that's a very bizarre way of looking at things," Cerf replied.

Google's position is that it's not the policeman of the Internet, but its engineers do scour the Web and issue warnings about malicious infections, or malware.

"If we happen to see what we believe is malware on that Web site, then when you go there we will pop up a Web page and it says, 'We think we found malware on this site. Maybe you don't want to go there,'" Cerf explained.

"Now I understand that if you go there anyway, Google sends you a second warning, saying: 'Are you kidding? Are you serious? We told you not to go there.' Something like that," Stahl said.

"Of course people still go," Cerf acknowledged. "And at that point it's their problem."

"The more you hear about this, the more you feel that if you bank online, shop online, open an e-mail, I mean, that almost anything you do puts you in jeopardy," Stahl remarked.

"That's a true statement. There are things. Bad things can happen. On the other hand, I've been on the Net ever since the Net started, and I haven't had any of the bad problems that you've described," Cerf replied.

But tens of millions of people have--one if four Americans, according to recent reports, as the hackers get more and more sophisticated.

Hunting hackers
Don Jackson is a hacker hunter. He is director of threat intelligence at SecureWorks in Atlanta, which protects corporations against cyber-attacks and tracks the hackers who launch them.

"Part of my job is to know the enemy, to know our adversaries," he explained.

To Jackson, the enemy is a hacker. "An enemy is somebody who wants to use computers to hurt somebody else or to make money for themselves."

Using an assumed name, "Gozi," Jackson infiltrates chat rooms where hackers sell their worms and viruses to their clients: other hackers. He asks for a demo so his company can create software to disable the malware. The hackers, he says, are typically young, male and often from Russia.

Asked how he tracks them down, Jackson said, "Well, they're like any other business. They have to advertise to get clients."

As Jackson explains, these brazen hackers do this openly on the Internet. "Unfortunately they're all too easy to find," he said.

He says many Russian hackers are in cyber-gangs that display fascist symbols, like a Swastika and anti-American artwork. They boast about all the dollars they've stolen from the rich Americans. A single hacker can make $30,000 a month and be championed in local newspapers.

"There's an example recently where two boys were arrested actually and then let go the next day, but the article in the newspaper wasn't that they were arrested and that they committed a crime, but saying: 'Look at our two local boys made good. They've cheated some greedy Westerners out of so much money,'" Jackson explained.

"They're heroes," Stahl remarked.

"They are," he agreed. "And it's bringing money into the local economy."

It's not known who's behind the computer worm Conficker, whether it's a gang of Russian hackers or some solitary evil genius. This worm is wily--it keeps mutating. Security software companies have been kept very busy.

But Conficker can jump over protections. While Stahl was reporting this story in early March, she was stunned to learn that the wily worm had struck CBS News.

"People were havin' problems with their BlackBerries, their logons," explained Louie Pelaez, a network engineer.

He says Conficker is so aggressive, it took CBS technicians 24/7 over 10 days to hunt down and quarantine the affected computers.

"Do you actually know where it started? Can you pinpoint it?" Stahl asked.

"We really will probably never know exactly how it infected the network," Pelaez said. "We just know that, you know, once it hit, it began to propagate."

CBS News has now contained the infection, but Pelaez says Conficker could still be hiding undetected somewhere within the network.

Asked if he thinks CBS is safe, or if this could happen again, Pelaez told Stahl, "No, I pretty much thought that we were pretty solid. You try to secure a network. But there's no guarantee that somebody can't come up with something that will, you know, wreak havoc."

Conficker investigators have been talking about an April Fool's attack, because in dissecting the worm, they can see it's been programmed to receive new instructions on April 1. But nobody knows if the instructions will be benign, or something that could disrupt the entire Internet.