Conficker Worm: Has the Hype Been Worth It?

Unless you’ve been in a cave for the last few weeks you have heard of the Conficker worm. This has been dubbed the “Y2K” of 2009 and as the worm that will take down the Internet. You could not turn on the evening news last night without being warned about this deadly worm. CBS even did a special 60 minutes report on it and Microsoft is offering a $250,000 bounty to anyone who can provide information leading to the arrest of the person(s) responsible. Sounds pretty dangerous, right?

In case you have been living in a cave for the past few weeks, you can read an excellent paper on the Honeynet.org website at https://www.honeynet.org/files/KYE-Conficker.pdf. This paper, written by Felix Leder and Tillmann Werner, details how the worm works as well as software they have developed to detect and remove Conficker. For a briefer, yet equally valuable source, Cisco has information about the worm at http://tools.cisco.com/security/center/viewAlert.x?alertId=17121. For those of you using Cisco’s IPS, you can download a signature file (ID 13491) to detect this worm at http://tools.cisco.com/security/center/viewIpsSignature.x?signatureId=13491&signatureSubId=0&softwareVersion=6.0&releaseVersion=S377.

The worm infects computers as a Dynamic Link Library (DLL) and installs itself as a Windows service. It then starts an HTTP server listening on random ports and attempts to download instructions from domain names that are generated by an internal random name generator. The worm is programmed to contact 500 out of 50,000 of these randomly generated web domains today to download instructions. What these instructions are is unclear. Perhaps they are going to steal millions of people's information or launch a large-scale distributed denial of service attack. What is clear, however, is that millions of computers are supposedly infected and that someone, somewhere, has the potential to control them.
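The behaviour just described, a host that resolves hundreds of machine-generated domain names, most of which nobody has registered, is something a defender can look for on the network side rather than on each Windows host. The following is an added example, not code from this article, from the Honeynet paper or from Cisco: a small Python heuristic that reads DNS query logs and flags a client that queries many distinct, mostly non-existent (NXDOMAIN) domains inside one time window, reporting the average label entropy as a hint that the names look random. The log format, the thresholds, the sample log lines and the `registered_domain` shortcut (last two labels, no public-suffix list) are all assumptions constructed for this example; nothing here reproduces the worm's actual name generator.

```python
import math
import random
import re
import string
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log format for this example:
#   "<date> <time> client=<ip> qname=<name> rcode=<code>"
LOG_RE = re.compile(r"^(\S+ \S+) client=(\S+) qname=(\S+) rcode=(\S+)$")


def parse_line(line):
    """Parse one constructed DNS log line; return (ts, client, qname, rcode) or None."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
    return ts, m.group(2), m.group(3).rstrip(".").lower(), m.group(4)


def registered_domain(qname):
    """Collapse a query name to its last two labels (no public-suffix list; an assumption)."""
    parts = qname.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else qname


def label_entropy(label):
    """Shannon entropy in bits per character; random-looking labels score high."""
    if not label:
        return 0.0
    n = len(label)
    counts = {}
    for ch in label:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def score_hosts(lines, window=timedelta(minutes=10), min_distinct=20, min_nx_ratio=0.8):
    """Flag clients that query many distinct, mostly non-existent domains within one window.

    The thresholds are example assumptions, not tuning taken from any Conficker analysis.
    """
    events = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            events[rec[1]].append(rec)

    flagged = {}
    for client, recs in events.items():
        recs.sort()
        for i in range(len(recs)):
            start = recs[i][0]
            seen, nx, entropy_total = set(), 0, 0.0
            for ts, _, qname, rcode in recs[i:]:
                if ts - start > window:
                    break
                dom = registered_domain(qname)
                if dom in seen:  # count each domain once per window
                    continue
                seen.add(dom)
                if rcode == "NXDOMAIN":
                    nx += 1
                entropy_total += label_entropy(dom.split(".")[0])
            distinct = len(seen)
            if distinct >= min_distinct and nx / distinct >= min_nx_ratio:
                flagged[client] = {
                    "window_start": start,
                    "distinct_domains": distinct,
                    "nxdomain": nx,
                    "avg_label_entropy": round(entropy_total / distinct, 2),
                }
                break  # one hit per client is enough for the report
    return flagged


def _build_sample_log():
    """Constructed sample: one ordinary host and one host behaving like the worm."""
    rng = random.Random(20090401)
    base = datetime(2009, 4, 1, 9, 0, 0)
    lines = []
    # Ordinary host: a handful of real-looking names, all resolving.
    for k, name in enumerate(["www.example.com", "mail.example.org", "cdn.example.net",
                              "login.example.com", "time.example.org", "www.example.edu"]):
        ts = base + timedelta(seconds=30 * k)
        lines.append(f"{ts:%Y-%m-%d %H:%M:%S} client=10.0.0.5 qname={name} rcode=NOERROR")
    # Suspicious host: 24 pseudo-random names in four minutes, almost all NXDOMAIN.
    tlds = ["com", "net", "org", "info"]
    for k in range(24):
        label = "".join(rng.choice(string.ascii_lowercase) for _ in range(rng.randint(10, 14)))
        rcode = "NOERROR" if k in (5, 17) else "NXDOMAIN"
        ts = base + timedelta(seconds=10 * k)
        lines.append(f"{ts:%Y-%m-%d %H:%M:%S} client=10.0.0.7 qname={label}.{tlds[k % 4]} rcode={rcode}")
    return lines


SAMPLE_LOG = _build_sample_log()

if __name__ == "__main__":
    for client, info in score_hosts(SAMPLE_LOG).items():
        print(client, info)
```

Run against the constructed log, only `10.0.0.7` is reported (24 distinct domains, 22 of them NXDOMAIN); the ordinary host never reaches the distinct-domain threshold. On a real resolver log the interesting tuning knobs are the window and the NXDOMAIN ratio, since legitimate software that probes many unregistered names (some CDNs and anti-spam lookups) will otherwise show up as false positives.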

I’ve been reading the news articles today and it appears that, so far, little has happened with this worm today. I spoke with a representative at a prominent anti-virus firm who informs me that while they have received calls on this worm today, the calls are far fewer than anticipated. It appears that it is not the doomsday worm that everyone thought. The question must be raised, then, if all the hype is worth it.

On the one hand, the media hype regarding this worm has caused IT staff throughout the world to be aware of the threat and take measures to ensure that their anti-virus software and IPS devices are properly configured and updated to protect against this worm. Users are aware of the threat and, subsequently, are more cautious about downloading files (OK, so this probably isn’t the case, but we can hope, right?). Without the media attention, people may not have taken these steps.

On the other hand, we face the boy-who-cried-wolf syndrome. The more worms like this that we hear about, the more likely that people may disregard it. In my opinion, fear should not be the motivation for increased security, yet much of the media appears to be promoting fear with this worm.

What are your thoughts? Is the hype about Conficker justified?


Copyright © 2009 IDG Communications, Inc.