Security experts are giving out mixed signals about the significance of the Conficker worm that has supposedly infected as many as 3.5 million endpoints.
Speaking at this week’s RSA Security industry fair and cyber security talkfest, Shawn Henry, assistant director of the FBI’s Cyber Division, said that the hype over Conficker may well only distract attention from the overall threat of malware.
“Public awareness is wonderful but I’d like to see coverage of the entire threat vector,” Henry is reported as saying. “I don’t want the public to think that there’s this one threat and we didn’t really see anything so we’re safe.”
Preparedness against the worm has become such a big issue that the malware threat has its own working party.
The Conficker Working Group (CWG) has been set up to track the number of Conficker hosts and to plan a coordinated, global approach to combating the worm.
So far it has logged over 136 million HTTP requests, with 3.5 million unique IP addresses infected.
CWG explains that the Conficker worm, which had been expected to trigger on April 1st, spreads itself primarily through a buffer overflow vulnerability in the Server Service on Windows computers. The worm uses a specially crafted RPC request to execute code on the target computer.
When executed on a computer, Conficker disables a number of system services such as Windows Automatic Update, Windows Security Center, Windows Defender and Windows Error Reporting.
It receives further instructions by connecting to a server or peer and receiving a binary update.
The instructions it receives may include propagating, gathering personal information, and downloading and installing additional malware onto the victim’s computer. The worm also attaches itself to certain Windows processes such as svchost.exe, explorer.exe and services.exe.
Bruce Schneier, the internationally renowned security technologist, commented yesterday in his blog, “Conficker’s 1 April deadline was precisely the sort of event humans tend to overreact to. It’s a specific threat, which convinces us that it’s credible. It’s a specific date, which focuses our fear. The huge, menacing build-up and then nothing is a good case study on how we think about risks.”
Cyber Secure Institute, a newcomer on the scene, reckons the potential cost of the Conficker worm could exceed $9 billion.
Rob Housman, the Executive Director of the CSI, released this statement concerning the Conficker worm controversy.
“Because there were no major Conficker-created problems on April 1st when hijacked computers went online and began communicating with controller domains, numerous commentators are now downplaying the significance of the Conficker problem. This conclusion is wildly off base and patently flawed. In short, just because the other guy in a fight doesn’t pull the trigger when he’s got the gun to your head, doesn’t mean you won the fight.
“It is important to look at the totality of the Conficker problem. Whether or not Conficker ultimately turns out to be a sales tool for bogus Ukrainian security software or something much more destructive, the simple fact is that the Conficker worm has infected vast numbers of computers around the world. And, it has shown the ongoing vulnerability of IT systems and networks.”
Extrapolating from studies on the average cost of similar past attacks, the total economic cost of this worm (including the cost of efforts to combat the worm and the cost of purchasing counter-measure software) could be as high as $9.1 billion, the CSI said.
Earlier this week at the RSA conference, Symantec Corp said that it had worked with worm scanner specialist Ron Bowes to develop a system that will detect machines infected with variants of the worm, and that it had updated a free Conficker detection tool.