April 24, 2009

Confusion over cost, cause and response to Conficker

Experts insist worm represents real threat

By CBR Staff Writer

Security experts are giving out mixed signals about the significance of the Conficker worm that has supposedly infected as many as 3.5 million end points.

Speaking at this week’s RSA Security industry fair and cyber security talkfest, Shawn Henry, assistant director of the FBI’s Cyber Division, said that the hype over Conficker may well only distract attention from the overall threat of malware.

“Public awareness is wonderful but I’d like to see coverage of the entire threat vector,” Henry is reported as saying. “I don’t want the public to think that there’s this one threat and we didn’t really see anything so we’re safe.”

Preparedness against the worm has become such a big issue that the malware threat has its own working party.

The Conficker Working Group (CWG) has been set up to track the number of Conficker hosts and to plan a coordinated, global approach to combating the worm.

So far it has logged over 136 million HTTP requests, with 3.5 million unique IP addresses infected.


CWG explains that the Conficker worm, which had been expected to trigger on April 1st, spreads itself primarily through a buffer overflow vulnerability in the Server Service on Windows computers. The worm uses a specially crafted RPC request to execute code on the target computer.

When executed on a computer, Conficker disables a number of system services such as Windows Automatic Update, Windows Security Center, Windows Defender and Windows Error Reporting.
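A triage check for the service tampering described above, as an added example that is not from the article or the Conficker Working Group. The short service names (`wuauserv`, `wscsvc`, `WinDefend`, `WerSvc`, `ERSvc`) are assumptions mapped from the display names the article gives, and the "two or more" threshold is an illustrative choice.

```powershell
# Added example: the short service names are assumptions mapped from the
# display names in the article; the article itself does not list them.
$Watched = [ordered]@{
    wuauserv  = 'Windows Automatic Update'
    wscsvc    = 'Windows Security Center'
    WinDefend = 'Windows Defender'
    WerSvc    = 'Windows Error Reporting (Vista and later)'
    ERSvc     = 'Windows Error Reporting (XP / Server 2003)'
}

function Get-WatchedServiceState {
    # Query only the watched services on the local machine via WMI/CIM.
    $filter = ($Watched.Keys | ForEach-Object { "Name='$_'" }) -join ' OR '
    $found  = @{}
    Get-CimInstance -ClassName Win32_Service -Filter $filter |
        ForEach-Object { $found[$_.Name] = $_ }

    foreach ($name in $Watched.Keys) {
        $svc = $found[$name]
        if (-not $svc) { continue }   # service does not exist on this OS version

        # Suspect if disabled outright, or set to auto-start but not running.
        # A stopped Manual service (normal for WerSvc) is not flagged.
        $suspect = ($svc.StartMode -eq 'Disabled') -or
                   ($svc.StartMode -eq 'Auto' -and $svc.State -ne 'Running')

        [pscustomobject]@{
            Service   = $name
            Role      = $Watched[$name]
            StartMode = $svc.StartMode
            State     = $svc.State
            Suspect   = $suspect
        }
    }
}

$report  = @(Get-WatchedServiceState)
$suspect = @($report | Where-Object { $_.Suspect })
$report | Format-Table -AutoSize

# One disabled service is common (policy, third-party AV); several at once
# matches the pattern the article describes and warrants a closer look.
if ($suspect.Count -ge 2) {
    Write-Warning "$($suspect.Count) protective services are disabled or stopped together on $env:COMPUTERNAME."
}
```

A hit is a reason to investigate the host, not proof of infection, since group policy or a third-party security product can produce the same service states.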

It receives further instructions by connecting to a server or peer and receiving a binary update. 

The instructions it receives may include propagating, gathering personal information, and downloading and installing additional malware onto the victim’s computer. The worm also attaches itself to certain Windows processes such as svchost.exe, explorer.exe and services.exe.

Bruce Schneier, the internationally renowned security technologist, commented yesterday in his blog, “Conficker’s 1 April deadline was precisely the sort of event humans tend to overreact to. It’s a specific threat, which convinces us that it’s credible. It’s a specific date, which focuses our fear. The huge, menacing build-up and then nothing is a good case study on how we think about risks.”

Cyber Secure Institute, a newcomer on the scene, reckons the potential cost of the Conficker worm could exceed $9 billion.

Rob Housman, the Executive Director of the CSI, released this statement concerning the Conficker worm controversy.

“Because there were no major Conficker-created problems on April 1st when hijacked computers went online and began communicating with controller domains, numerous commentators are now downplaying the significance of the Conficker problem. This conclusion is wildly off base and patently flawed. In short, just because the other guy in a fight doesn’t pull the trigger when he’s got the gun to your head, doesn’t mean you won the fight.

It is important to look at the totality of the Conficker problem. Whether or not Conficker ultimately turns out to be a sales tool for bogus Ukrainian security software or something much more destructive, the simple fact is that the Conficker worm has infected vast numbers of computers around the world. And, it has shown the ongoing vulnerability of IT systems and networks.”

Extrapolating from studies on the average cost of similar past attacks, the total economic cost of this worm (including the cost of efforts to combat the worm and the cost of purchasing counter-measure software) could be as high as $9.1 billion, the CSI said.

Earlier this week at the RSA conference, Symantec Corp said that it had worked with worm scanner specialist Ron Bowes to develop a system that will detect machines infected with variants of the worm, and that it has updated a free Conficker detection tool.
