Over the weekend I was interviewed by CBC’s Sunday evening news show about Conficker and the possibly grim outlook for PC users everywhere on April 1. Maybe not my best interview, but what bugs me now is that I was just a little too late to provide more detail on how you can tell who’s been infected.
Security researchers on Monday discovered a flaw in Conficker that should help with one of the most important countermeasures to this online threat: assessing its scope. When the CBC called and asked how prevalent it was, I said it was millions of PCs. Then I double-checked, and it was 2.5 million. Or 10 million. Or maybe only several hundred thousand, depending on how many people had downloaded the patch. It felt vague giving these stats to the TV reporter, and in the end she didn’t really use them. With this flaw, perhaps we can be a little more accurate.
The reporter asked me two other questions I found interesting. She asked whether any good could come out of a situation like this. It didn’t make it on air, but I said yes, there were two things. Any IT security vulnerability is a learning experience, and with Conficker we’re seeing a threat that has had a series of startlingly fast “releases” sent out into the market and tested, as it were, before new versions were built. We’re seeing a worm that directly takes aim at file-sharing features in local area networks, and one that spreads physically (like an actual virus) through USB drives. All these things are useful as the industry struggles to prepare itself for even more sophisticated attacks.
I also think Conficker may help reinforce a few security policies that otherwise go ignored. Traditionally, worms and viruses come to us via spam e-mail, and the only way companies could prevent them was to hope their employees wouldn’t fall prey to the social engineering efforts behind the malware. Conficker has companies looking seriously at user passwords, at the resources needed for patch management, and at other solid security practices. As the virus writers get more savvy, so should our responses.
The other question the reporter asked me was whether I, or the IT industry at large, was “impressed” by Conficker. I honestly admit the thought hadn’t crossed my mind. I think anyone who’s followed the industry has seen the threats evolve, and probably assumed they would become harder to detect and disable. The rate of infection is considerable, but the actual damage done, so far, has not been on the scale of some lesser viruses, though that could change in a day or two. Can vendors, researchers and IT managers turn this into a non-event? Now that would be impressive.