Conficker postmortem: Hype distracted but threat is real

April 1 has come and gone and in the minds of many people the Conficker worm turned out to be a joke instead of the major Internet security event that might have been envisioned. Was the hype good, or bad, and who is to blame?
"I'm not sure what to think," said Bruce Schneier, chief security technology officer at BT, who is usually critical or pessimistic. "In a sense, the whole Conficker thing just puts a name on a general problem."
The problem is that there are tons of malicious programs and attacks out there on the Internet every day and people don't do enough to protect their computers, experts say. People need to be vigilant in patching their systems and updating their antivirus and other security software all the time, and not just when there is a virus outbreak. This isn't new at all.
Lots of other worms and botnets are doing real damage, experts say, but Conficker garnered the media attention because it was configured to change its behavior on a certain date. The fact that the date happened to be April Fools' Day only added to its mystique.
"You need something with a name and a date to make the news. Today, the problem is just as serious, but there's no news," Schneier said.
Dave Dittrich, an affiliate researcher at the University of Washington and a member of the Conficker Working Group, a consortium of companies and experts formed to eradicate the worm, had this to say: "The focus on April 1 ignored the fact that malware is out there and it is not detected easily and it has counter measures."
People tend to blame the security vendors for hyping viruses so they can sell more products. But in this case, everyone ZDNet Asia's sister site CNET talked to about Conficker downplayed the digital disaster scenario and said things would likely be fairly quiet on April 1, as they were.
Media culpability
That leaves the media. In a spoof on the media frenzy, Wired ran a humorous fake live blog from the "Conficker Worm War Room" and pointed out that "The New York Times called it an 'unthinkable disaster' in the making. CBS's 60 Minutes said the worm could 'disrupt the entire Internet,' and The Guardian warned that it might be a 'deadly threat'."
Surprisingly, Dittrich and others were somewhat forgiving. "Tight deadlines make it hard to get a good story out without the hype taking over," he said. "There was a known deadline of April 1 for some behavior changing, but it wasn't clear what that behavior was going to be."
But just like the boy who cried wolf too many times, or Chicken Little after the sky didn't fall, the experts said they worried that inflated expectations that are not met could lead people to ignore legitimate threats in the future.
Simple concepts of good and bad are easy to understand, while complicated issues and relative conditions, which underpin security, aren't. For instance, Dan Kaminsky, director of penetration testing at IOActive, said he often finds himself trying to talk people down off of one of two "ledges" of thinking.
"It's either 'nothing is going to happen', and that's not true, or it's 'the world is coming to an end and computers are going to explode in some technological Ebola equivalent', and that's not true either," he said, echoing comments he made in a post on his blog. "Concern, but not panic, is really the appropriate engineering response to the problems of this nature. But concern doesn't sell nearly as well as panic."
Hype is one thing. Public awareness is another, and if nothing else, all the attention Conficker garnered can be seen as a benefit if it means that more people were prompted to secure their systems.
"When you see your neighbor with a cold, you think about washing your hands," said Chris Wysopal, chief technology officer at Veracode.
"The main lesson is that reactive security is always bad," said Wysopal. "This is the case we're seeing here. Once the botnet is spread it is really difficult to clean up and the command-and-control (aspect) is getting more sophisticated and using sophisticated encryption. Once it is in place it is harder and harder to dismantle and remove."
"I find it a bit discouraging that after SO many years of these dire warnings of a virus/worm that will 'bring the Internet to its knees' that executive management STILL doesn't get the fact they shouldn't be depending on media stories to shape their security program," Carole Fennelly, director of content and documentation at Tenable Network Security and a former security consultant, wrote in an e-mail.
Conficker alive and well
Meanwhile, Conficker remains a menace. The worm spreads through a hole in Windows that Microsoft patched in October 2008 (the MS08-067 update), and also spreads via removable storage devices and network shares protected by weak passwords.
So, millions of infected computers didn't launch denial-of-service attacks on Web sites or download password-stealing software on Wednesday. But they could have, and they still can at any point in the future. In fact, the risk is greater now because Conficker-infected machines can distribute updates or instructions via encrypted peer-to-peer technology, rather than by contacting command-and-control servers at automatically generated domains that registrars have been pro-actively blocking.
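The registrar blocking described above works because a date-seeded domain generator is symmetric: whoever holds the algorithm and its seed, bot and analyst alike, computes the same daily list, so defenders can register or sinkhole the candidates before the botmaster does. The following is an added example, not code from the article or from Conficker; the generator, the seed, the 250-per-day count, the three-TLD pool and the constructed DNS table are all illustrative assumptions and do not reproduce Conficker's real algorithm. It shows the bot's rendezvous walk, the defender's pre-computed blocklist, and a simulated day with and without sinkholing.

```python
"""Toy date-seeded domain generation versus defender pre-registration.

Hypothetical DGA for illustration only; it is NOT Conficker's algorithm.
"""
import hashlib
from datetime import date, timedelta
from typing import Dict, List, Optional, Set, Tuple

TLDS = ("com", "net", "org")        # assumed TLD pool for the toy generator
DOMAINS_PER_DAY = 250               # assumed number of daily candidates
SINKHOLE_IP = "192.0.2.1"           # defender's sinkhole (TEST-NET-1, constructed)
ATTACKER_IP = "198.51.100.9"        # botmaster's real C&C (TEST-NET-2, constructed)
EXAMPLE_SEED = b"constructed-seed"  # the secret both sides derive domains from
EXAMPLE_DAY = date(2009, 4, 1)


def dga_domains(day: date, seed: bytes, count: int = DOMAINS_PER_DAY) -> List[str]:
    """Derive the rendezvous candidates for one day.

    The list depends only on (seed, date, index), so an analyst who has
    reverse engineered the generator can reproduce it ahead of time.
    """
    domains = []
    for i in range(count):
        material = seed + day.isoformat().encode() + i.to_bytes(2, "big")
        digest = hashlib.sha256(material).hexdigest()
        label = digest[:10]                               # 10 hex chars as hostname
        tld = TLDS[int(digest[10], 16) % len(TLDS)]       # next nibble picks the TLD
        domains.append(f"{label}.{tld}")
    return domains


def defender_blocklist(start: date, days: int, seed: bytes) -> Set[str]:
    """Pre-compute every candidate for a window of days so registrars can
    register, block or sinkhole them before the botmaster registers one."""
    block: Set[str] = set()
    for offset in range(days):
        block.update(dga_domains(start + timedelta(days=offset), seed))
    return block


def bot_rendezvous(day: date, seed: bytes, dns: Dict[str, str]) -> Optional[Tuple[str, str]]:
    """Bot-side lookup: walk today's list and use the first name that resolves.

    `dns` stands in for real resolution (domain -> IP) so the example runs offline.
    """
    for domain in dga_domains(day, seed):
        ip = dns.get(domain)
        if ip is not None:
            return domain, ip
    return None


def simulate(day: date, seed: bytes, blocked_days: int = 0) -> Dict[str, object]:
    """Constructed scenario: the botmaster registers one of today's candidates;
    the defender optionally sinkholes every candidate in a `blocked_days` window.

    Returns where the bot ended up and whether it landed on the sinkhole.
    """
    dns: Dict[str, str] = {}
    if blocked_days:
        for domain in defender_blocklist(day, blocked_days, seed):
            dns[domain] = SINKHOLE_IP
    attacker_domain = dga_domains(day, seed)[17]          # arbitrary pick by the botmaster
    # The botmaster only gets the name if the defender did not take it first.
    dns.setdefault(attacker_domain, ATTACKER_IP)
    hit = bot_rendezvous(day, seed, dns)
    return {
        "domain": hit[0] if hit else None,
        "ip": hit[1] if hit else None,
        "sinkholed": hit is not None and hit[1] == SINKHOLE_IP,
    }


if __name__ == "__main__":
    print("no blocking :", simulate(EXAMPLE_DAY, EXAMPLE_SEED))
    print("7-day block :", simulate(EXAMPLE_DAY, EXAMPLE_SEED, blocked_days=7))
```

The pre-registration defense only exists because the bot has to enumerate a predictable list and the defender can enumerate it first; it also costs the defender one registration or block per candidate per day, which is why a generator producing thousands of names a day raises the price of the countermeasure. A peer-to-peer update channel has no such daily list to pre-compute, which is the sense in which the article says the risk grew once the infected machines could exchange updates among themselves.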
"It's not like it's gone," said Kaminsky, who worked with The Honeynet Project on a way to detect infected computers using a flaw in Conficker's code. "We're looking at a massive, amorphous network with a command and control that we don't have the means to block anymore. Things got worse on April 1 for the remaining infected nodes."
And now there is no signal for researchers to watch for with Conficker. That actually makes sense for a botnet, because its operators usually try to stay under the radar so they are not thwarted.
"We believe they decided to do nothing to tip their hand," said Paul Ferguson, an advanced threats researcher at Trend Micro. "But the functionality can be updated at any given point in time. All it takes is a button click on a mouse from the people pulling the strings."
The April 1 date could have been designed to distract people from other activity. For instance, researchers saw updates to existing botnets that also use automatic domain generation, including Mebroot, also known as Torpig and Sinowal, according to Ferguson. That Trojan infects Windows computers through "drive-by downloads" as users browse the Web and, among other things, steals bank log-in credentials and other sensitive data.
"I'm not saying these are connected, but it sure is funny in a coincidental way," Ferguson said.
So, what's the moral of the Conficker story?
"The moral is there are big worms out there and criminals that do a bunch of things," said Schneier. "One of them happens to have a name and a date."
The Conficker Working Group offers a test on its Web site to check whether a computer is infected, and the University of Bonn offers another test on its Web site.