Security managers concerned but confident about Conficker

'It's a pretty wily piece of software,' but one that can be managed, said one researcher

With uncertainty looming large over what the newest version of the Conficker worm might do starting Wednesday, security managers said they were concerned by the threat but confident about their ability to deal with it.

For the most part, companies that have patched the vulnerability that the worm exploits and updated their antimalware and intrusion-detection software should be adequately protected against the threat, security managers and analysts said. Even so, the amount of hype generated by the worm is pushing some to review their measures once again and tweak them as a precautionary measure.

"We are concerned," said Matt Kesner, chief technology officer at law firm Fenwick & West LLP in San Francisco. He noted that several security analysts consider the worm extremely well-written and that its authors update it to respond to countermeasures.

"This has caused us to take it more seriously than most virus and worm threats," Kesner said. In addition to ensuring that all of its computers have been updated with Microsoft's patch, Fenwick & West has instituted a new procedure to "scan every file download from the Web" to make sure nothing malicious gets past the company's defenses, he said.

The Conficker worm, which previously was also known as the Downadup worm, surfaced last year and has emerged as one of the biggest recent threats, both in terms of the number of PCs it has infected so far and for the sheer publicity it has received.

Though exact numbers are hard to come by, the worm, which exploits a vulnerability in the Windows Server service, is so far believed to have infected millions of PCs worldwide, even though Microsoft has had a patch for the vulnerability (security bulletin MS08-067) available since last October.

Since first appearing last year, the worm has so far mutated into three different versions, each one more sophisticated than its predecessor.

The latest version, known as Conficker.c, adds several measures for evading detection and is programmed, starting April 1, to query a much larger daily set of algorithmically generated domain names in search of its command and control servers, presumably to receive further instructions on what to do next. The mystery surrounding the worm's next move, and its recent featuring on CBS's 60 Minutes, has attracted more attention to the worm than is usual.

"The 60 Minutes segment certainly has caused CIOs to ask about Conficker," said John Pescatore, an analyst at Gartner Inc. "It is just like the old Slammer-Blaster days," Pescatore said, referring to the last really big mass worms to hit the Internet, in 2003.

While the Conficker worm certainly represents a serious threat to enterprise and home PCs, the approaching deadline is not as serious as the media hype would suggest, Pescatore said. "Conficker is not a noisy attack, and it does a good job of hiding itself," he said. "So, some FUD [fear, uncertainty and doubt] has been justified, but the April 1 deadline has been way overhyped."

In a Gartner alert posted today, Pescatore urged companies to ensure that their antivirus tools were updated to detect Conficker infections and to review their URL-blocking and network access control measures so that they adopted the "most aggressive" possible short-term stance against the threat.

Jim Kirby, director of information infrastructure at Dataware Services, said that despite the hype surrounding Conficker, he was not overly concerned. "We have a strong system update policy and feel largely immune from infection," Kirby said. "However, that doesn't stop us from a rigorous scanning schedule as well."

Up to now, his company had not turned up any Conficker infections, Kirby said. "Close the doors properly, and you don't have to worry so much about the malware of the day."

Conficker is yet another piece of malware that has highlighted the inadequacies of traditional signature-based antivirus tools, Kirby said. "Conficker is nearly impossible to write a good signature for, but a good behavior-analysis tool, while not necessarily blocking the infection, would certainly prevent it from spreading," he said.
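The behavioral approach Kirby describes comes down to watching what an infected host does rather than what its binary looks like. The following is an added example written for this page, not code from any vendor's product or from the article: two simple behavioral rules run over constructed log lines. Rule 1 flags a host that opens SMB (TCP/445) sessions to many distinct peers within a short window, the scanning pattern a network worm produces while probing the Windows Server service flaw Conficker exploits; a client that hits one file server many times does not trigger it. Rule 2 flags a host producing a burst of distinct NXDOMAIN answers, the pattern of a bot trying algorithmically generated rendezvous domains such as those Conficker.c is scheduled to start querying on April 1. The log formats, window size, thresholds and sample addresses are all assumptions chosen for the example.

```python
"""Behavioral detection of worm-style spreading and rendezvous lookups.

Added example, not from the article or any product. Log formats, window
sizes, thresholds and the sample hosts below are assumptions.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Callable, Dict, List, NamedTuple

WINDOW = timedelta(seconds=60)
SMB_PEER_THRESHOLD = 20   # distinct 445/tcp peers per window (assumed)
NXDOMAIN_THRESHOLD = 50   # distinct NXDOMAIN names per window (assumed)


class ConnEvent(NamedTuple):
    ts: datetime
    src: str
    dst: str
    dst_port: int
    proto: str


class DnsEvent(NamedTuple):
    ts: datetime
    src: str
    qname: str
    rcode: str


def parse_conn_log(text: str) -> List[ConnEvent]:
    """Parse '<ISO ts> <src> <dst> <dst_port> <proto>' lines (assumed format)."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ts, src, dst, port, proto = line.split()
            events.append(ConnEvent(datetime.fromisoformat(ts), src, dst, int(port), proto))
    return events


def parse_dns_log(text: str) -> List[DnsEvent]:
    """Parse '<ISO ts> <src> <qname> <rcode>' lines (assumed format)."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ts, src, qname, rcode = line.split()
            events.append(DnsEvent(datetime.fromisoformat(ts), src, qname, rcode))
    return events


def _peak_in_window(evs, key: Callable, window: timedelta = WINDOW) -> int:
    """Largest number of distinct key(ev) values one source produced inside
    any sliding window of `window` length (evs belong to a single source)."""
    recent: deque = deque()
    peak = 0
    for ev in sorted(evs, key=lambda e: e.ts):
        recent.append(ev)
        while ev.ts - recent[0].ts > window:   # drop events older than the window
            recent.popleft()
        peak = max(peak, len({key(e) for e in recent}))
    return peak


def smb_fanout(events: List[ConnEvent], threshold: int = SMB_PEER_THRESHOLD) -> Dict[str, int]:
    """{src: peak distinct 445/tcp peers} for every source at or above threshold.
    Many sessions to one file server count as one peer; many peers look like a scan."""
    by_src = defaultdict(list)
    for ev in events:
        if ev.proto == "tcp" and ev.dst_port == 445:
            by_src[ev.src].append(ev)
    alerts = {}
    for src, evs in by_src.items():
        peak = _peak_in_window(evs, key=lambda e: e.dst)
        if peak >= threshold:
            alerts[src] = peak
    return alerts


def nxdomain_burst(events: List[DnsEvent], threshold: int = NXDOMAIN_THRESHOLD) -> Dict[str, int]:
    """{src: peak distinct NXDOMAIN names} for every source at or above threshold."""
    by_src = defaultdict(list)
    for ev in events:
        if ev.rcode == "NXDOMAIN":
            by_src[ev.src].append(ev)
    alerts = {}
    for src, evs in by_src.items():
        peak = _peak_in_window(evs, key=lambda e: e.qname)
        if peak >= threshold:
            alerts[src] = peak
    return alerts


# Constructed sample data, not captured traffic: 10.0.0.5 plays the infected
# host; 10.0.0.7 is a normal client using one file server and one web site.
CONN_LOG = "\n".join(
    [f"2009-03-31T09:00:{i:02d} 10.0.0.5 10.0.0.{100 + i} 445 tcp" for i in range(30)]
    + [f"2009-03-31T09:00:{i:02d} 10.0.0.7 10.0.0.2 445 tcp" for i in range(10)]
    + ["2009-03-31T09:00:05 10.0.0.7 192.0.2.10 80 tcp"]
)
DNS_LOG = "\n".join(
    [f"2009-03-31T09:05:{i:02d} 10.0.0.5 q{i:02d}xk.net NXDOMAIN" for i in range(60)]
    + ["2009-03-31T09:05:10 10.0.0.7 www.example.com NOERROR",
       "2009-03-31T09:05:11 10.0.0.7 mail.example.com NOERROR",
       "2009-03-31T09:05:12 10.0.0.7 wwww.example.com NXDOMAIN"]
)

if __name__ == "__main__":
    print("SMB fan-out:", smb_fanout(parse_conn_log(CONN_LOG)))        # {'10.0.0.5': 30}
    print("NXDOMAIN burst:", nxdomain_burst(parse_dns_log(DNS_LOG)))  # {'10.0.0.5': 60}
```

Both rules are deliberately signature-free: nothing in them depends on the worm's binary, so they keep working across variants, which is the property Kirby is after. In practice the thresholds would be tuned against a baseline of the network's own SMB and DNS behavior, and a hit would feed network access control to quarantine the source rather than just raise an alert.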

The information security group at Arlington County in Virginia is paying particular attention to this malware, said David Jordan, the county's chief information security officer. An extra effort has been made to alert county constituents of the Conficker threat via the county's emergency alerting system, which has an opt-in cyberalert group, he said.

In addition, Jordan said, "We've used e-news briefs to educate our employees with regard to the relatively simple means by which they can ensure their home PCs are not infected with this particular malware."

At the same time, Jordan expressed optimism that the layered security approach adopted by the county should stand it in good stead against any Conficker infections.

"We are confident that we are in good shape," Jordan said. "We have excellent [antivirus], firewalls and analytical tools. We are a mature practice here in dealing with these kind of things. Our network engineers treat every day as if they were going to see a zero-day incident."

David Marcus, security research manager at McAfee Avert Labs, said that despite all the attention, the Conficker worm was really no different from other malware except for the degree to which it is being "actively maintained" by its creators. "Functionality-wise, I don't think it presents any new challenge [to companies]," Marcus said.

Companies that have applied the Microsoft patch, done a complete system scan and rebooted their systems should be safe, he said. "It's a pretty wily piece of software," but one that can be managed with measures most enterprises have been familiar with for some time, Marcus said. "April 1 won't be doomsday."

Copyright © 2009 IDG Communications, Inc.