
Network World


Beyond Downadup: Security expert worries about smart phone, TinyURL threats

Malware writers just waiting for financial incentive to strike, F-Secure exec warns
By Bob Brown, Network World
March 05, 2009 11:26 AM ET

Don’t get Patrik Runald wrong: the Downadup worm (also called Conficker) has been a big deal.

It’s just that F-Secure’s chief security advisor doesn’t want people overlooking the other 29,999 malware files his company sees a day, or ignoring the prospects of smart phone malware or even threats that exploit the TinyURLs made so popular through social network sites such as Twitter.

“Holes in some of these things would be trivial for the bad guys to exploit once they have the financial incentive to do it,” says Runald, who works out of F-Secure’s San Jose operation.

But first, back to Downadup. Runald claims F-Secure was the first one to really recognize how big a deal this worm was going to be and got the honor of naming it, though others wound up giving it separate monikers, including Kaspersky Lab, which dubbed it Kido. In recent weeks, conflicting reports have surfaced about how big an impact Downadup had on enterprise networks, but Runald emphasizes it made a mess of things. His company talked with IT staffs at hospitals that had “fairly critical infrastructure” affected by the worm. One company had 3,000 accounts shut out by the worm, which locked files so that only the system account could get at them.

Downadup does seem to have leveled off in terms of affected IP addresses per day, currently in the 3 million ballpark whereas it had peaked at somewhere in the 10 million to 15 million range, Runald says. He doesn’t expect the perpetrators to distribute a feared payload either now that all eyes are on the worm.

“I think the person or people behind it got kind of scared that it got as big as it did,” he says. “Distributing the payload now would put too much heat on them.”

Still, Runald says it’s puzzling that the Downadup creator or creators didn’t strike when they could, with access to information on millions of enterprise machines. He says the worm has worked amazingly well considering how multifeatured/complex it is. “Typically we see more bugs in code this complicated,” he says.

Despite the formation of an industry coalition that F-Secure is part of to quash Downadup, and Microsoft’s much publicized $250,000 bounty on the head or heads of the worm’s creators, Runald doesn’t expect the villain or villains will be nabbed. While the bounty can’t hurt, he says the reality is that anyone who could provide information about those behind Downadup probably is deep into cybercrime themselves and wouldn’t want the heat from law enforcement. “$250,000 is not a lot compared to what some of these groups are making,” he says.

Downadup/Conficker has received more mainstream media attention than any such worm since Sasser back in 2004, Runald says. One silver lining is that the coverage could be a wake-up call to consumers (he says enterprises are already pretty well aware of continuing threats). “A lot of consumers think the situation has been getting better, whereas in fact we’ve found 14 million malware samples over the last 12 months, so it’s actually getting far worse.”


Comments (4)

Real reason worm writers didn't distribute payload?
By Anonymous on March 5, 2009, 4:15 pm
I just want to mention regarding the quote: "I think the person or people behind it got kind of scared that it got as big as it did," he says. "Distributing the...


Not quite
By Patrik on March 6, 2009, 1:36 pm
You’re right, now all domains used by the worm are now registered but that only started on Feb 13th when the coalition was formed to stop it. Up until then there...


Ka-ching - He's not worried, these are revenue opportunities.
By dkennedy on March 7, 2009, 12:08 am
Conficker and any new malware whether it runs on PC's, smartphones or social networking aren't worries to an AV vendor, they're revenue opportunities. Drawing attention...


the worm
By Anonymous on March 17, 2009, 3:14 am
The world is suffering. PC's are down. So in answer to a much asked question? "Who Wrote the Conficker worm. Microsoft itself, wrote the Conficker worm"....

