Conficker hype may have harmed security efforts, FBI cyber chief says

Shawn Henry: Focus on worm's April 1 update may have distracted users from other threats

SAN FRANCISCO — Media hype leading up to the Conficker worm's April 1 update may have distracted computer users from other dangerous security threats, the FBI's cybersecurity chief said here Thursday.

"For the general public to focus [only] on Conficker, I think that is actually a bit of a problem for us as a society," Shawn Henry, assistant director of the FBI's Cyber Division, said in a speech at the RSA security conference. "There are dozens of Conficker-like threats and vulnerabilities out there. While the media stories helped to raise awareness, I think that focusing people on that particular aspect perhaps took away their attention from the overall threat, which is just as great or greater than Conficker itself."

Although nobody knows exactly how many PCs have been infected by Conficker, security researchers agree that the worm has been used to create an unusually large botnet of hacked computers, likely numbering in the millions of machines. And although the April 1 update didn't wreak the havoc that many researchers feared it would, a new variant that bolstered Conficker's defenses against security tools and added the Waledac spam bot appeared a week later.

However, Henry noted that there are many other threats on the Internet, including less-publicized botnets, fake antivirus software and so-called spear-phishing attacks. "Public awareness is wonderful," he said. "But I'd like to see coverage of the entire threat vector."

Conficker has spread, in part, by exploiting a security flaw in Windows that Microsoft Corp. patched last October. So if all the hype convinced users with vulnerable systems to apply the patch and install up-to-date antivirus software, then the media blitz did some good, said Paul Ferguson, a security researcher at Trend Micro Inc. But, he added in an instant message, "it's completely ludicrous to focus just on Conficker — it is just a symptom of a much larger problem."

Conficker gained an unusual amount of attention because it is the largest known worm infection in six years, and because it was programmed to change the method that it uses to look for new instructions from the botnet operators on several predetermined dates.

The April 1 update was the one that caught everybody's attention, because the worm was set to begin using trickier update techniques on that date, thus prompting speculation that the botnet might spring into action in a major way. On the Sunday before April 1, the CBS news program 60 Minutes picked up on the story, and Conficker became a mainstream phenomenon.

When April 1 came and went without an Internet meltdown, a false sense of security may have developed among many computer users, Henry said. He summed up a typical reaction to the hype and the outcome of the Conficker update like this: "I saw it on the news last night and it was supposed to happen today, and it didn't. Therefore, the next time something comes out and there's an advisory, I'm really not going to pay attention because it's not all that important."

If people do start to take security for granted because Conficker failed to destroy the Internet as we know it, that could be a bad thing, Henry added. "I don't want the public to think that there's this one threat and we didn't really see anything [happen], so we're safe," he said.

Copyright © 2009 IDG Communications, Inc.
