Conficker postmortem: Hype distracted but threat is real
April 1 has come and gone and in the minds of many people the Conficker worm turned out to be a joke instead of the major Internet security event that might have been envisioned. Was the hype good, or bad, and who is to blame?
"I'm not sure what to think," said Bruce Schneier, chief security technology officer at BT, who is usually critical or pessimistic. "In a sense, the whole Conficker thing just puts a name on a general problem."
The problem is that there are tons of malicious programs and attacks out there on the Internet every day and people don't do enough to protect their computers, experts say. People need to be vigilant in patching their systems and updating their antivirus and other security software all the time, and not just when there is a virus outbreak. This isn't new at all. (See also: "Viruses with trigger dates.")
Lots of other worms and botnets are doing real damage, experts say, but Conficker garnered the media attention because it was configured to activate on a certain date. The fact that the date happened to be April Fools' Day only added to its mystique.
"You need something with a name and a date to make the news. Today, the problem is just as serious, but there's no news," Schneier said.
Dave Dittrich, an affiliate researcher at the University of Washington and a member of the Conficker Working Group, a consortium of companies and experts formed to eradicate the worm, put it this way: "The focus on April 1 ignored the fact that malware is out there and it is not detected easily and it has countermeasures."
People tend to blame the security vendors for hyping viruses so they can sell more products. But in this case, everyone CNET News talked to about Conficker downplayed the digital disaster scenario and said things would likely be fairly quiet on April 1, as they were.
Media culpability
That leaves the media. In a spoof on the media frenzy, Wired ran a humorous fake live blog from the "Conficker Worm War Room" and pointed out that "The New York Times called it an 'unthinkable disaster' in the making. CBS's 60 Minutes said the worm could 'disrupt the entire internet,' and The Guardian warned that it might be a 'deadly threat.'"
Surprisingly, Dittrich and others were somewhat forgiving. "Tight deadlines make it hard to get a good story out without the hype taking over," he said. "There was a known deadline of April 1 for some behavior changing, but it wasn't clear what that behavior was going to be."
But just like the boy who cried wolf too many times, or Chicken Little after the sky didn't fall, the experts said they worried that inflated expectations that go unmet could lead people to ignore legitimate threats in the future.
Simple concepts of good and bad are easy to understand, while complicated issues and relative conditions, which underpin security, aren't. For instance, Dan Kaminsky, director of penetration testing at IOActive, said he often finds himself trying to talk people down off of one of two "ledges" of thinking.
"It's either 'nothing is going to happen', and that's not true, or it's 'the world is coming to an end and computers are going to explode in some technological Ebola equivalent,' and that's not true either," he said, echoing comments he made in a post on his blog. "Concern, but not panic, is really the appropriate engineering response to the problems of this nature. But concern doesn't sell nearly as well as panic."
Hype is one thing. Public awareness is another, and if nothing else, all the attention Conficker garnered can be seen as a benefit if it means that more people were prompted to secure their systems.
"When you see your neighbor with a cold, you think about washing your hands," said Chris Wysopal, chief technology officer at Veracode.
"The main lesson is that reactive security is always bad," said Wysopal. "This is the case we're seeing here. Once the botnet is spread it is really difficult to clean up and the command-and-control (aspect) is getting more sophisticated and using sophisticated encryption. Once it is in place it is harder and harder to dismantle and remove."
"I find it a bit discouraging that after SO many years of these dire warnings of a virus/worm that will 'bring the Internet to its knees' that executive management STILL doesn't get the fact they shouldn't be depending on media stories to shape their security program," Carole Fennelly, director of content and documentation at Tenable Network Security and a former security consultant, wrote in an e-mail.
Conficker alive and well
Meanwhile, Conficker remains a menace. The worm spreads through a hole in Windows that Microsoft patched in October and also spreads via removable storage devices and weakly protected network shares.
So, millions of infected computers didn't launch denial-of-service attacks on Web sites or download password-stealing software on Wednesday. But they could have, and they still can at any point in the future. In fact, the risk is greater now because Conficker-infected machines can distribute updates or instructions via encrypted peer-to-peer technology instead of communicating with command-and-control servers at domains that registrars have been proactively blocking.
"It's not like it's gone," said Kaminsky, who worked with The Honeynet Project on a way to detect infected computers using a flaw in Conficker's code. "We're looking at a massive, amorphous network with a command and control that we don't have the means to block anymore. Things got worse on April 1 for the remaining infected nodes."
And now there is no signal for researchers to watch for with Conficker. That actually makes sense for a botnet, because its creators usually prefer to operate under the radar so they are not thwarted.
"We believe they decided to do nothing to tip their hand," said Paul Ferguson, an advanced threats researcher at Trend Micro. "But the functionality can be updated at any given point in time. All it takes is a button click on a mouse from the people pulling the strings."
The April 1 date could have been designed to distract people from other activity. For instance, researchers saw updates to existing botnets that also use auto-domain generation, including Mebroot, which is also known as Torpig and Sinowal, according to Ferguson. That Trojan infects Windows computers in "drive-by downloads" as they surf the Web and steals bank log-in data and other sensitive information, among other things.
"I'm not saying these are connected, but it sure is funny in a coincidental way," Ferguson said.
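The article notes that the domains Conficker's earlier variants contacted could be blocked by registrars, and that Mebroot likewise uses auto-domain generation. A defender who cannot predict the generated names can still spot the behaviour on the network side: a host that resolves a stream of random-looking names, most of which do not exist, stands out in resolver logs. The following Python is an added example, not code from the article or from the Conficker Working Group. Its log format, thresholds and sample lines are constructed for illustration, and the heuristic is a generic one, not Conficker's or Mebroot's actual domain-generation algorithm.

```python
import math
from collections import Counter

# Constructed sample resolver log (hypothetical format: timestamp client qname rcode).
# 10.0.0.9 plays an infected host cycling through random-looking, mostly
# unregistered names; 10.0.0.5 is an ordinary client with one typo lookup.
SAMPLE_LOG = """\
2009-04-01T10:00:01 10.0.0.5 www.cnet.com NOERROR
2009-04-01T10:00:02 10.0.0.5 mail.example.com NOERROR
2009-04-01T10:00:03 10.0.0.9 qzkvtrwpy.org NXDOMAIN
2009-04-01T10:00:03 10.0.0.9 hxfmrudlaq.net NXDOMAIN
2009-04-01T10:00:04 10.0.0.9 wpbtzkgyc.info NXDOMAIN
2009-04-01T10:00:04 10.0.0.9 jlvdqsxnmr.com NXDOMAIN
2009-04-01T10:00:05 10.0.0.9 rkgtpvzwhl.biz NXDOMAIN
2009-04-01T10:00:05 10.0.0.9 nxcbwqfyd.org NXDOMAIN
2009-04-01T10:00:06 10.0.0.5 typo-exmaple.com NXDOMAIN
2009-04-01T10:00:07 10.0.0.9 update.microsoft.com NOERROR
"""

VOWELS = set("aeiou")


def second_level_label(qname):
    """Return the label directly left of the TLD ("www.cnet.com" -> "cnet").
    Assumes single-label TLDs; a public-suffix list is needed for co.uk and the like."""
    parts = qname.rstrip(".").lower().split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def shannon_entropy(s):
    """Bits of entropy per character of the string."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0


def vowel_ratio(s):
    """Fraction of characters that are vowels; pronounceable names score high."""
    return sum(ch in VOWELS for ch in s) / len(s) if s else 0.0


def looks_generated(label, min_len=8, min_entropy=2.8, max_vowel_ratio=0.25):
    """Heuristic: long, high-entropy, vowel-poor labels resemble machine-generated names.
    The thresholds are illustrative assumptions, not values from any real worm."""
    return (len(label) >= min_len
            and shannon_entropy(label) >= min_entropy
            and vowel_ratio(label) <= max_vowel_ratio)


def parse_log(text):
    """Yield (client, qname, rcode) tuples; malformed lines are skipped."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) == 4:
            _ts, client, qname, rcode = fields
            yield client, qname, rcode


def suspicious_clients(text, min_hits=5):
    """Count, per client, NXDOMAIN answers for generated-looking names and
    return the clients at or above min_hits. Failed lookups are the tell:
    a bot polls many candidate names and only a few are ever registered."""
    hits = Counter()
    for client, qname, rcode in parse_log(text):
        if rcode == "NXDOMAIN" and looks_generated(second_level_label(qname)):
            hits[client] += 1
    return {client: n for client, n in hits.items() if n >= min_hits}


if __name__ == "__main__":
    for client, n in suspicious_clients(SAMPLE_LOG).items():
        print(f"{client}: {n} NXDOMAIN lookups for generated-looking names")
```

Lexical heuristics alone misfire on legitimate CDN and tracking hostnames, which is why the count is restricted to failed lookups and gated on volume per client rather than on any single name. The check also illustrates the article's point about the April 1 change: once a botnet moves its updates to encrypted peer-to-peer traffic, there are no failing domain lookups left to count, and detection has to move elsewhere.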
So, what's the moral of the Conficker story?
"The moral is there are big worms out there and criminals that do a bunch of things," said Schneier. "One of them happens to have a name and a date."
The Conficker Working Group offers a test on its Web site to check whether a computer is infected, and another test is available on the University of Bonn Web site.
Elinor Mills covers Internet security and privacy. She joined CNET News in 2005 after working as a foreign correspondent for Reuters in Portugal and writing for The Industry Standard, the IDG News Service, and the Associated Press.
Stuff like this is why I don't even bother watching the local news, because they are so completely ignorant when it comes to anything that is technology related.
Grany
They see something that says they are infected - click here, and THEN they are indeed infected.
And what amuses me to no end is that after Conficker looks to be a total bust, the antivirus companies are still pushing their products.
This part here I find extremely amusing.
"The problem is that there are tons of malicious programs and attacks out there on the Internet every day and people don't do enough to protect their computers, experts say. People need to be vigilant in patching their systems and updating their antivirus and other security software all the time, and not just when there is a virus outbreak."
I think they should get their facts straight. If the so-called "experts" bothered to look here on CNET, I believe they mentioned that only 5% or 6% of infected computers are in North America. It seems like North America did an excellent job of protecting themselves from Conficker and probably many other threats.
The bottom line is Conficker was able to be a threat because of an open hole in Microsoft's operating system.
Users have done a great job; it is Microsoft that let us down, and the antivirus companies jumping on it and using it to their advantage to sell more of their paid products to get rid of it... and in the time of a recession... tsk tsk.
If there is one thing I have learned from all of this, it is to get far away from Microsoft and stick to the very capable free antivirus programs.
"If there is one thing I have learned from all of this, it is to get far away from Microsoft and stick to the very capable free antivirus programs."
Wow... this is ignorance in motion. How is it Microsoft's fault when they patched a hole in the OS *before* the exploit existed? A patch that was released and installed on most systems through Automatic Updates back in October, six months ago? They fixed the problem before there was a problem. Good luck with that argument.
The only group here that failed was the media for driving up the hype for a problem that didn't actually exist to the levels they made it out to be.
It was a classic Chicken Little moment for the media.
The thing is this: Microsoft made an OS with the vulnerability in the first place, and they have time and time again made updates that would completely mess up computers. One time I had to completely reinstall Windows because of a Windows Automatic Update. Furthermore, Windows Updates alone are not sufficient to protect against viruses. Things like this encourage people to turn it off. So yes, Microsoft did let users down in that sense.
If you remember a few years ago, M$ released a betaware product called Windows Genuine Advantage that really is nothing more than an anti-piracy kill switch with a fancy name (yup, Billy boy's finger is on the trigger, as is good old stable Ballmer's. Either one of them could revoke your winblows license and basically brick that partition once the machine is shut down, which they can also trigger. Isn't slavery fun?) It was released as a security update, in fact labeled as a critical security update to trick their users into installing it without question. Later they updated this kill switch, except there was a problem with the update. It caused many legitimate winblows installs to suddenly refuse to boot because the malware thought the winblows license was bad. Persistent little bugger this was too, there was absolutely positively NO WAY to access any files locked within unless M$ released to you a new license key and unlocked the system. I know, I tried for 3 days; in fact it's the trigger that got me to install Linux on another partition on that machine (Debian at the time - Dan, want some Linux fun? Try setting up Debian Sarge! Worked great once I suffered the setup though, I must say.) Nothing besides a phone call and reading a ridiculously long license key back and forth would get my files back. Nothing.
I don't have this problem on my Ubuntu partition; I leave the auto-updates turned on there and often install them all without even looking at what's getting updated. I have a level of trust with them still, one that I *USED TO* have with M$ as well. A level of trust that M$ violated, leaving me with a brick until I phoned them and begged forgiveness for installing their crapware to begin with. (If you can't tell, WGA ticked me off to no end; that was a couple of years ago at least and I'm still not over it, nor do I ever plan to be. Fista is not welcome on any equipment I own, neither in its current form nor in its relabeled "w7" or "fista sp 3" version, period.)
Rape me once, shame on you. Rape me twice, shame on me.
"Winblows"? "Fista"? "M$"? Sounds like the words of a 13-year-old going on a rant. Get over yourself. If you look at the numbers (and a little thing I like to call "facts") you'd find it more rational to leave automatic updates on for most people. If people listened to you, Conficker would have been more of a success.
And yes, Linux updates are fine. Never had a problem with them, Linux developers don't try to make poorly tested updates. Same story with Apple.
Dalkorian: FYI, it was easy as pie for me to make a partitioned openSUSE install. DVD in>Click to have it partition>Install>finished.
1. Unless you're behind a corporate firewall and have a way to isolate your machines that aren't patched, you have no excuse; you should have patched.
2. The patch was issued last October, and the tools to rid yourself of the virus were issued 2 weeks ago. Use them.
3. For those who said they'd stay away from MS products, I hate to tell you this, but even Apple has viruses out in the wild that affect Apple computers (disclaimer: I own quite a few pieces of Apple accessories).
4. The media is, well, the media; every time they open their collective mouth, well, they spread FUD. You knew this date was coming; you should have patched or at the very least had Windows Updates turned on.
5. I highly recommend INTERNET EXPLORER 8 for the less tech-savvy folks; the NX bit that is now enabled by default will save you a headache like this from possibly happening in the future, as it stops malicious code from coming in. I know, I know (WINDOWS VISTA ONLY!)... Let the flaming begin.
It took a second to notice how carefully you crafted that comment, in fact I wonder if that was intentional or accidental. The last *virus* known to affect Apple computers was nearly 10 years ago and affected OS 9. Yes, they were released to the wild, like winblows viruses are. Yes, there currently are *trojans* in the wild that affect OS X. Yes, I believe if someone tried hard enough they could write a virus for OS X.
But there is currently no such thing as a virus that infects OS X and there hasn't been in close to 10 years. Rail against that all you want, but it's a fact. "Market share" doesn't wash (explain viruses for OS 9, undoubtedly less popular than OS X is today). Is there another argument that could explain this, besides a better security model (not perfect; nothing is "perfect")?
iTcomposer: There is a small amount of malware and a couple trojans for Mac OS X, but thankfully no true viruses that can spread and install themselves. And why is IE 8 better than FF 3? My DAD can use Firefox!
Maybe it's just keeping you on your toes, you *could* have been masochistic enough to install fista through Boot Camp on that MBP and just like that - there goes all that security!
;-)
by lizardlips April 6, 2009 1:28 PM PDT
Despite what everyone 'FEELS', and what MS says!
Conficker hit and did affect a lot of things. After one full week of cleaning, updating and using every tool out there, I still cannot get Windows Defender to work. It is fried. Came with Vista of course, and I cannot remove it; the system will not let you. MS says "go to our Newsgroups and talk with others there for resolution."
Microsoft doesn't even know how to fix their own products. They cannot tell me how to disable this one so I can download an uninfected Windows Defender.
I have never hated Vista as much as I do now.
They keep pushing IE8 and it just crashes the system and is useless and bulky when you do get it going. Pulled it off, went back to 7.
I have never had a straight answer for anything from MS.
Everyone passes the buck, just like the government; it's someone else's job to resolve or fix anything.
THERE ARE NO ANSWERS.
You're stuck if you cannot buy a new system (not MS!).
Having the best security on it didn't help either, had to trash it, and purchase new one. Of course it wasn't their fault either so I am just out, the extra months already paid for the old product. Yee haw MCAFEE.
Will go back to Symantec next time.
Why did we need computers in the first place? Now we can't live without them?