Conficker: Don`t Be Made a Fool April 1By Lawrence Walsh | Posted 2009-03-29 Email Print
Conficker.C’s reported update on April 1—April Fool’s Day—has put the hype machine in overdrive with dire warnings of massive distributed denial of service attacks. The threat is still relatively unknown, but the reality is malware writers have no motivation for causing massive outages. Here’s why.
In just three short days the world will learn how dangerous the latest variant of the Conficker worm is. Some reports say that more than 10 million PCs are already infected and the activation of the worm will cause massive distributed denial of service (DDoS) attacks.
The concern is so great that the alarms have been sounding for more than a week and the battlements manned in anticipation of an overwhelming assault by this digital menace.
Conficker concerns have created a wave of hype so great that the FUD threatens to overwhelm networks and administrators more so than the actual worm. Over the weekend, Symantec even warned that searching for information about Conficker could open users to compromise by the malware.
The truth about malware is much more sublime and boring than the hype of pending disaster and unthinkable destruction.
Here are a few truths to consider:
1) Destruction Isn’t the Aim
Let’s face reality here: taking down the Internet or disabling networks serves no hacker’s ultimate purpose. What malware writers really want is to infiltrate networks and gain access to data and computing resources. The days of hacker meritocracy earned through digitally destructive acts, such as those caused by the LoveLetter virus, have given way to profit schemes in which malware and hacking skills are used to snoop on networks.
2) Botnets are Business
Conficker.C, the variant that’s supposed to go live on April 1, is likely designed to create a botnet, which draws power from individual PCs and corporate networks for distributed computing. Experts say we’ll have to wait until Conficker phones home to get new instructions to discover what its real intent is. Even if it’s just there to create a botnet, a botnet in and of itself is a valuable tool that organized hackers are renting out to others for big bucks.
3) Anti-virus Works
The standard advice in advance of a massive malware outbreak is to ensure AV signatures are up to date and real-time scans are enabled. The first round of Conficker was contained in many Western countries by standard AV applications. But anti-virus and anti-spyware applications are like squelching devices, they capture what you expect them to capture – largely the nosiest pieces of malicious code. More advance piece of malware require close inspection and, oftentimes, human remediation.
4) Conficker: The Wrong Call to Arms
Symantec, Kaspersky Lab and Sophos each reports that 2008 was the worst year for malware in the wild. Over the last decade, the volume of malware has steadily increased. In the last 12 months, the number of malware samples in circulation skyrocketed from tens of thousands to more than 600,000 new original and variant codes. While Conficker.C is a significant, predictable event, the malware trend requires constant vigilance among IT and security managers, IT solution providers and services companies, and individual end users.
FUD (fear, uncertainty and doubt) isn’t an entirely useless tool, since such massive publicity and misinformation about a single event can open many opportunities for IT solution providers to engage with their customers about the security of their networks and systems.
Containing Conficker and other such malware requires a combination of policy, product and practices.
Solution providers should talk with their clients about ensuring users are not downloading unknown files, clicking on suspicious links that take them to malicious or compromised Websites, or disabling their security agencies on their clients.
Synergistic security technologies are still the best defense against compromises. A combination of endpoint security controls, tight configuration management and policy enforcement, Web filtering and reputational analysis of Websites, and standard malware detection and removal technology goes a long way toward preventing infection. Additionally, network monitoring technology, intrusion prevention systems, and data loss prevention technologies help mitigate the chances of a worm using a network for malicious purposes or stealing data.