Conficker Tools Available, Countdown Hype in Overdrive

Written By: Lawrence Walsh
Mar 31, 2009

When the clock strikes midnight tonight, Conficker.C—the worm on
everyone’s mind for the last week—will phone home for new instructions,
kick into overdrive, steal every piece of data it can find and—if you
believe the hype—destroy the Internet as we know it.

Well, at least that’s what the hype machine would have you believe.
Security vendors and their PR firms have gone into overdrive, using
Conficker as an opportunity to hawk their wares and services. The level of
static and hyperbole has been so high that one vendor, Symantec, even
went as far as to state that Web surfers looking for information on
Conficker could expose themselves to infection.

Before getting into the hype, let’s dispense with the realities.

The reality is that Conficker.C, the anticipated new variant of the worm
first detected in November 2008, is expected to activate, update and
begin infecting a new wave of vulnerable PCs around the world. While
there’s near universal agreement that Conficker is a serious threat,
security experts disagree over the severity or how widespread the
threat will be should the worm activate April 1, as predicted.

What makes Conficker potentially dangerous is that variant C is
likely to have nearly 85 percent new code, making it nearly transparent
to conventional pattern-matching anti-virus and malware detection
scanners. And because it will update with new instructions, some
experts believe heuristics engines may have a difficult time
determining its malicious intent.

The Department of Homeland Security has released a tool for detecting the Conficker worm. Additionally, several vendors have released free tools for detecting and removing the worm.

Virus and malware researchers at ICSA Labs, an industry standards-based
organization that certifies anti-virus and security software
applications, offer this advice for preventing Conficker infection:

1. First the advice – get all the latest security updates from
Microsoft for your operating system. This is important to do, not just
for this incident but as a regular part of your computing experience.
2. Install and/or update all your security products to their latest
levels and make sure they are working properly. This could include
anti-virus, anti-spyware, firewall, etc.
3. The Conficker is not going to take over the world on April 1. The
most recent variant is designed to do something on April 1, which most
likely will be to contact one of the 50,000 or so URLs it creates.
This is the outcome of the best research in the world on this
worm. No one knows for sure what it will actually do, if
anything.
4. This worm is no more dangerous than any other malware
in-the-wild. The Conficker stands out because it tries to use USB
devices as a medium for infection.
5. Don’t Panic. If you have updated your operating system and security software you should be safe.

ICSA advice is sage, particularly the part about “don’t panic.” The
world has lived with self-replicating, self-propagating worms for
years. The following is a sampling of some of the statements security
vendors and services have made in their press releases.

>> "Conficker’s DDoS capabilities are a side-effect of its
proliferation and update capabilities. However, Conficker’s author(s)
could weaponize this botnet at any time and launch massive DDoS
attacks. We’ve recently seen the number of domains that Conficker can
attack in a day grow from 250 to 50,000, and Prolexic has taken the
necessary steps to protect its customers from the potential damage that
could occur should one of the targeted domains be theirs."
— Paul Sop, Chief Technology Officer at Prolexic

>> “Personal information is way too valuable to be left on
home and business computers unprotected. It should be digitally
shredded or encrypted, if saved. Identity Finder is unique, affordable
software that prevents identity theft by finding and protecting
sensitive data on PCs – the very data targeted by these attacks!”
— Identity Finder press release following a 60 Minutes report on worms

>>  “The outbreak of the Conficker worm spotlights why
organizations need to keep their AV and Windows patches up to date, and
identify systems that may be compromised.  One of the most
effective methods of preventing damage from malware is to use Network
Access Control (NAC) to ensure compliance, isolate infected systems,
and repair systems as needed.  By keeping endpoints healthy and
authorizing access to the network, NAC can ensure the network is free
of worms like Conficker.”
— Stacey Lum, CEO and CTO of InfoExpress

Not all press releases are designed to put their issuing companies
on the wave of publicity of the Conficker worm. Microsoft, for
instance, didn’t mention any of its products, but rather issued a
$250,000 reward for information about the Conficker author and details
about its collaborative efforts to develop tools to identify and stop
the worm.

For solution providers, Conficker and similar security events are an
opportunity to engage with customers about their security policies and
practices. But the lesson coming from the Conficker wave of hyped
publicity is to confine the message to the essentials and work the
problems and vulnerabilities associated with malware. Fear, uncertainty
and doubt (FUD) about potential security threats only lead to
uncertainty about the messages delivered by security vendors and their
solution provider partners.
