In just three short days the world will learn how dangerous the
latest variant of the Conficker worm is. Some reports say that more
than 10 million PCs are already infected and the activation of the worm
will cause massive distributed denial of service (DDoS) attacks.
The concern is so great that the alarms have been sounding for more
than a week and the battlements manned in anticipation of an
overwhelming assault by this digital menace.
Conficker concerns have created a wave of hype so great that the FUD
threatens to overwhelm networks and administrators more so than the
actual worm. Over the weekend, Symantec even warned that searching for
information about Conficker could open users to compromise by the
malware.
The truth about malware is much more sublime and boring than the hype of pending disaster and unthinkable destruction.
Here are a few truths to consider:
1) Destruction Isn’t the Aim
Let’s face reality here: taking down the Internet or disabling networks
serves no hacker’s ultimate purpose. What malware writers really want
is to infiltrate networks and gain access to data and computing
resources. The days of hacker meritocracy earned through digitally
destructive acts, such as those caused by the LoveLetter virus, have
given way to profit schemes in which malware and hacking skills are
used to snoop on networks.
2) Botnets are Business
Conficker.C, the variant that’s supposed to go live on April 1, is
likely designed to create a botnet, which draws power from individual
PCs and corporate networks for distributed computing. Experts say we’ll
have to wait until Conficker phones home to get new instructions to
discover what its real intent is. Even if it’s just there to create a
botnet, a botnet in and of itself is a valuable tool that organized
hackers are renting out to others for big bucks.
3) Anti-virus Works
The standard advice in advance of a massive malware outbreak is to
ensure AV signatures are up to date and real-time scans are enabled.
The first round of Conficker was contained in many Western countries by
standard AV applications. But anti-virus and anti-spyware applications
are like squelching devices, they capture what you expect them to
capture – largely the nosiest pieces of malicious code. More advance
piece of malware require close inspection and, oftentimes, human
remediation.
4) Conficker: The Wrong Call to Arms
Symantec, Kaspersky Lab and Sophos each reports that 2008 was the worst
year for malware in the wild. Over the last decade, the volume of
malware has steadily increased. In the last 12 months, the number of
malware samples in circulation skyrocketed from tens of thousands to
more than 600,000 new original and variant codes. While Conficker.C is
a significant, predictable event, the malware trend requires constant
vigilance among IT and security managers, IT solution providers and
services companies, and individual end users.
FUD (fear, uncertainty and doubt) isn’t an entirely useless tool,
since such massive publicity and misinformation about a single event
can open many opportunities for IT solution providers to engage with
their customers about the security of their networks and systems.
Containing Conficker and other such malware requires a combination of policy, product and practices.
Solution providers should talk with their clients about ensuring
users are not downloading unknown files, clicking on suspicious links
that take them to malicious or compromised Websites, or disabling their
security agencies on their clients.
Synergistic security technologies are still the best defense against
compromises. A combination of endpoint security controls, tight
configuration management and policy enforcement, Web filtering and
reputational analysis of Websites, and standard malware detection and
removal technology goes a long way toward preventing infection.
Additionally, network monitoring technology, intrusion prevention
systems, and data loss prevention technologies help mitigate the
chances of a worm using a network for malicious purposes or stealing
data.
