Conficker Followed up by Scareware-Powered Spam

By Frank Ohlhorst  |  Print this article Print

As heightened security concerns fade along with the Conficker threat, some old and some new pieces of malware, many in the form of scareware, are rearing their ugly heads to cause potential havoc.

Preparation and persistence helped many to dodge the Conficker threat, and while many may have dodged that bullet, the war against malware is far from over. The recently released Microsoft Security Intelligence Report (SIR), which covers the final 6 months of 2008, indicates that rogue security software threats are on the rise. Those pieces of malware, also known as scareware, has increased significantly and is duping users into revealing important information and opening access to their systems to parties unknown.

Scareware works by leveraging users’ fears of cyber-attacks by mimicking legitimate advertisements for products that "fix" infected systems. Users are enticed to pay for "full versions" of the offered product to protect their systems from Trojans, worms and other kinds of malware. In reality, both the free and paid for versions of the mock utilities offered are actually malware applications. Those who choose to pay for the mock security software are providing nefarious individuals with credit information, while those who choose to accept "free offers" are setting their systems up to be compromised remotely or at the very least, have their systems turned into zombies spewing spam on a botnet.

While we may thank the hype surrounding Conficker for increasing security awareness, one has to wonder how many new "victims" were recruited by the purveyors of scareware leveraging that hype. Add to that the re-emergence of some old worms, such as W32.Downadup and W32.Waledac, and it becomes easy to see that another malware and spam storm is on the horizon.

The .C  variant of W32.Downadup is particularly resilient,  it incorporates a previously unseen algorithm to remove itself from the infected host on May 3, 2009, removing most traces that the system has been infected and compromised. Of even greater concern is how W32.Downadup may be linked to W32.Waledac, which steals sensitive information, turns computers into spam zombies, and establishes a back door remote access.

The pieces are in play and users need to protect themselves from these new merged threats, which may be responsible for the latest increases in spam and have the potentially to power another round of fraudulent and malicious activity.

Luckily, protection should be simple, just as simple as Conficker – install the latest patches and make sure you are using legitimate anti-malware products. The old buyers axiom still reigns supreme – if it seems too good to be true – then it probably is.

The questions remain: Did Conficker actually succeed in a way not anticipated? Did thousands, if not millions of users download phony security tools to combat the Conficker threat?  Only time will answer those questions, and perhaps IT professionals will pull together to stamp out the coming threats.


Frank Ohlhorst Frank J. Ohlhorst is the Executive Technology Editor for eWeek Channel Insider and brings with him over 20 years of experience in the Information Technology field.He began his career as a network administrator and applications program in the private sector for two years before joining a computer consulting firm as a programmer analyst. In 1988 Frank founded a computer consulting company, which specialized in network design, implementation, and support, along with custom accounting applications developed in a variety of programming languages.In 1991, Frank took a position with the United States Department of Energy as a Network Manager for multiple DOE Area Offices with locations at Brookhaven National Laboratory (BNL), Princeton Plasma Physics Laboratory (PPL), Argonne National Laboratory (ANL), FermiLAB and the Ames Area Office (AMESAO). Frank's duties included managing the site networks, associated staff and the inter-network links between the area offices. He also served at the Computer Security Officer (CSO) for multiple DOE sites. Frank joined CMP Technology's Channel group in 1999 as a Technical Editor assigned to the CRN Test Center, within a year, Frank became the Senior Technical Editor, and was responsible for designing product testing methodologies, assigning product reviews, roundups and bakeoffs to the CRN Test Center staff.In 2003, Frank was named Technology Editor of CRN. In that capacity, he ensured that CRN maintained a clearer focus on technology and increased the integration of the Test Center's review content into both CRN's print and web properties. He also contributed to Netseminar's, hosted sessions at CMP's Xchange Channel trade shows and helped to develop new methods of content delivery, Such as CRN-TV.In September of 2004, Frank became the Director of the CRN Test Center and was charged with increasing the Test Center's contributions to CMP's Channel Web online presence and CMP's latest monthly publication, Digital Connect, a magazine geared towards the home integrator. He also continued to contribute to CMP's Netseminar series, Xchange events, industry conferences and CRN-TV.In January of 2007, CMP Launched CRNtech, a monthly publication focused on technology for the channel, with a mailed audience of 70,000 qualified readers. Frank was instrumental in the development and design of CRNTech and was the editorial director of the publication as well as its primary contributor. He also maintained the edit calendar, and hosted quarterly CRNTech Live events.In June 2007, Frank was named Senior Technology Analyst and became responsible for the technical focus and edit calendars of all the Channel Group's publications, including CRN, CRNTech, and VARBusiness, along with the Channel Group's specialized publications Solutions Inc., Government VAR, TechBuilder and various custom publications. Frank joined Ziff Davis Enterprise in September of 2007 and focuses on creating editorial content geared towards the purveyors of Information Technology products and services. Frank writes comparative reviews, channel analysis pieces and participates in many of Ziff Davis Enterprise's tradeshows and webinars. He has received several awards for his writing and editing, including back to back best review of the year awards, and a president's award for CRN-TV. Frank speaks at many industry conferences, is a contributor to several IT Books, holds several records for online hits and has several industry certifications, including Novell's CNE, Microsoft's MCP.Frank can be reached at frank.ohlhorst@ziffdavisenterprise.com