Conficker, aka Downadup, is a worm that grew to prominence thanks to the vulnerability patched in MS08-067 last October. It’s getting widespread popularity in the media these days and deservedly so; a large botnet is always a source of concern and I wish the media paid more attention to the risks/dangers of malware and the people/organizations behind the criminal activity. But all this April 1st talk…is it hype? I’ve had at least a dozen people ask me, “are you ready for April 1st?” Um…yes.
Yes, Conficker is going to “do something” on April 1st. But if anyone in the mainstream media were to stop and think or at the least ask an insightful question instead of latching on to the latest doom and gloom theme of the day and driving it over the cliff, they might be telling a different story than the one you’re hearing from the various media outlets.
For starters, I recommend F-Secure’s wonderful Questions and Answers: Conficker and April 1st. In a nutshell, computers infected with Conficker.C (a variant of the original worm) are going to “update” themselves. All we know is that it’s going to up the ante from phoning home to a batch of 250 domains a day to contacting 500 out of 50,000 a day, making it much harder to disrupt the phone-home communications (which is how infections like this get their updates and commands for actions to perform). But since that’s all we know, that leaves a lot of room for conjecture and imagination.
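To see why the jump from 250 domains a day to 500 picked out of 50,000 makes the phone-home channel so much harder to cut off, here is a small calculation I have added to this post (it is not code from F-Secure or from the worm itself). It assumes, as a simplification, that each infected host picks its 500 domains uniformly at random from the day’s pool and that reaching even one domain that defenders do not control is enough for it to get its update; the numbers for the pool and the picks come from the post above, the rest are constructed for illustration.

```python
# Added example: how much of the daily domain pool defenders must control
# (sinkhole or pre-register) before a bot's phone-home attempts all fail.
# Assumptions (not stated in the post): uniform random selection of domains
# without replacement, and one reachable domain is enough for an update.
from math import comb


def p_bot_fully_blocked(pool: int, picks: int, blocked: int) -> float:
    """Probability that all `picks` domains a host tries fall inside the
    `blocked` subset of the `pool` (hypergeometric, no replacement)."""
    if blocked < picks:
        return 0.0          # cannot cover 500 picks with fewer than 500 blocked names
    return comb(blocked, picks) / comb(pool, picks)


def p_bot_gets_through(pool: int, picks: int, blocked: int) -> float:
    """Probability that at least one contacted domain is still reachable."""
    return 1.0 - p_bot_fully_blocked(pool, picks, blocked)


def expected_bots_updated(bots: int, pool: int, picks: int, blocked: int) -> float:
    """Expected number of infected hosts that still receive the update."""
    return bots * p_bot_gets_through(pool, picks, blocked)


def min_blocked_for(pool: int, picks: int, target: float) -> int:
    """Smallest number of controlled domains giving at least `target`
    probability that a given bot is fully blocked (binary search; the
    probability is monotone in `blocked`)."""
    lo, hi = picks, pool
    while lo < hi:
        mid = (lo + hi) // 2
        if p_bot_fully_blocked(pool, picks, mid) >= target:
            hi = mid
        else:
            lo = mid + 1
    return lo


if __name__ == "__main__":
    BOTS = 2_000_000                     # constructed: "2 million customers" from the post
    # Old behaviour: 250 domains/day, all known in advance and all registrable.
    print("old scheme, all 250 blocked:",
          p_bot_fully_blocked(250, 250, 250))            # 1.0
    # New behaviour: 500 of 50,000/day. Even controlling 98% of the pool
    # leaves essentially every bot able to reach an uncontrolled domain.
    print("new scheme, 49,000 of 50,000 blocked:",
          p_bot_fully_blocked(50_000, 500, 49_000))
    print("bots still updated:",
          round(expected_bots_updated(BOTS, 50_000, 500, 49_000)))
    print("domains to control for a 50% per-bot block:",
          min_blocked_for(50_000, 500, 0.5))
```

The takeaway is the one the post makes in words: with a fixed list of 250 names, registering all of them shuts the channel; with 500 drawn from 50,000, defenders need to control very nearly the entire pool every single day, because a bot that finds a single live domain gets its update.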
So let’s think rationally for a minute. The people/organization behind Conficker are VERY sophisticated, highly proficient and professional. We aren’t dealing with a couple of kids with a grudge here. The landscape has changed, but mass media doesn’t seem to realize it. The business models that cybercriminals apply these days are in line with modern corporate structures. There are boards of directors, hiring managers, developers and sales. What do they sell? Why, that would be access to your infected PC. Once infected by a bot, your computer is there to do the attacker/owner’s bidding. If they need processing power to crack a password, they can use your PC. If they want to launch other attacks, they can use your computer. If they are bored and want to watch you on your webcam, they can. More and more these days, botnet rentals have become yet another business model.
Imagine you have a business. You have 2 million customers but if anyone finds out who your customers are you’ll risk losing their business. On April 1st you can sign those customers up to a contract extension. Why would you risk doing anything that would cause you to lose those customers?
I’m not buying it. The press wants you to think all hell is going to break loose because it sells papers. But there’s nothing about this worm that indicates its creators are stupid. Why, on April 1st, when they are deploying an update that is going to ensure their botnet stays strong for months to come, would they risk losing it all at the same time? It doesn’t add up. Yes, there are stupid criminals. But these criminals are smarter than the mainstream media.
The effect of the media’s attention is dangerous and misplaced. Cybercriminals are already taking note of the attention, offering new FakeAV/Rogue malware that poses as Conficker removal tools. But even worse, they’re creating a “boy who cried wolf” scenario. What will the media be saying about Conficker if it just does its updating on April 1st and slips quietly back into cyberspace? I guarantee you there will be more than one news anchor piping up with a comment about how it obviously wasn’t as big a deal as they thought and shrugging it off. Gee, thanks. You just made my job that much harder by lowering the guard.
Cybersecurity isn’t a one-off story every 6 months to a year to fill a news quota or aid a slow news day or to fulfill a producer’s zeal for a doomsday shocker. Accessing the Internet is like walking in a really bad neighborhood at 2 a.m. It’s risky and potentially dangerous; caution, awareness and knowledge are your defenses. That pocket knife in your pocket (aka antivirus software) might help you, but chances are it won’t.
So do us a favor, mainstream media. Use your powers to do good. Keep awareness and understanding of cybercrime on your radar and treat it regularly and consistently. “The sky is falling” stories only breed skepticism and doubt among users in a world where letting your guard down for one minute can have a far wider impact than most users would ever expect.
Conficker may do more than just update on April 1st, but I’ll be surprised if it does. I just hope the media doesn’t do more harm than good in their treatment of the results.