60 Minutes, Conficker, and April's Fool

On March 29th or thereabouts, CBS' 60 Minutes presented a report titled "The Conficker Worm: What Happens Next?". While malware is a complicated subject, given the venue - an allegedly serious news show like 60 Minutes - one might have expected an objective, accurate portrayal. Instead, the report merges several unrelated threats and discusses them as if they were one, erroneously warns of an impending time bomb set for April 1st, and overall provides the type of malware coverage that causes many in the general public to believe all malware reports are nothing but hype. And it's the type of coverage that makes serious security researchers cringe.

This is indeed unfortunate. The following is provided in an attempt to clear up the confusion and fear that might result from the 60 Minutes broadcast.

Myth: The Conficker worm is delivered via the Web.
Reality: Web-delivered malware is a very real threat, and compromised websites pose a very real problem. However, Conficker has nothing to do with either. Conficker is a retro-style network worm. It is not delivered via the Web, and users won't 'catch it' by visiting a compromised website.

Myth: The Conficker worm may be encountered via Facebook or other social networking sites.
Reality: Koobface is an example of a social networking worm. Conficker should not be confused with Koobface. Conficker is a network worm, not a social networking worm. Likewise, Conficker does not use email or social engineering to spread.

Conficker spreads by exploiting certain vulnerabilities in Windows, as well as spreading via autorun and via weakly protected network shares. For a full discussion of how Conficker spreads and how to prevent it, see the Conficker description.

Myth: The Conficker worm is set to detonate on April 1st.
Reality: The Conficker worm continually polls a subset of domains from a list of about 50,000. A few hundred of these have an update date of April 1st. The vast majority do not. Further, only the less prevalent Conficker variants are using these particular domains. In any event, April 1st has little international significance, and implying there is some insidious significance is misleading at best.

Myth: The Conficker worm is designed to steal data and identities.
Reality: It is not known exactly what Conficker is intended to do, since to date the worm has done absolutely nothing but spread. The earliest variants tried to connect to a rogue affiliate site, which would imply the intent is rogue affiliate advertising revenue. However, even this is unproven, as the worm has yet to take any action.

Myth: Conficker is exactly the type of threat with which we should be most concerned.
Reality: Conficker is exactly the type of threat with which we should be almost least concerned. Worms like Conficker are easily preventable by keeping security patches up to date, properly disabling autorun, and using strong passwords. These are exactly the types of things any enterprise should be doing on a routine basis. Conficker and worms like it are also very noticeable - so it's hard to imagine not knowing you were infected by it. The real threats - the actual data theft trojans - are much more silent and surreptitious. Those threats siphon your data over a long period of time and pose serious risks to intellectual property and security.
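The domain polling described above is one of the ways a worm like this makes itself noticeable on a network. As an added example (not part of the original post), the following Python script flags clients in a DNS resolver log that look up many distinct names that fail to resolve. The log format, the thresholds, the addresses and the sample log are all assumptions constructed for illustration.

```python
from collections import defaultdict

# Assumed thresholds, not values from the article; tune them per network.
MIN_DISTINCT_FAILED = 20  # distinct non-resolving names per client per window
MIN_FAIL_RATIO = 0.8      # share of the client's lookups that returned NXDOMAIN


def suspicious_clients(lines, window=3600):
    """Map client -> (distinct failed names, fail ratio) for the client's worst
    window. Assumed log format: '<epoch> <client_ip> <qname> <rcode>'."""
    buckets = defaultdict(lambda: {"names": set(), "nx": 0, "total": 0})
    for line in lines:
        fields = line.split()
        if len(fields) != 4 or not fields[0].isdigit():
            continue  # skip blank or malformed lines instead of crashing
        ts, client, qname, rcode = fields
        b = buckets[(client, int(ts) // window)]
        b["total"] += 1
        if rcode == "NXDOMAIN":
            b["nx"] += 1
            b["names"].add(qname.lower().rstrip("."))
    flagged = {}
    for (client, _), b in buckets.items():
        distinct, ratio = len(b["names"]), b["nx"] / b["total"]
        if distinct >= MIN_DISTINCT_FAILED and ratio >= MIN_FAIL_RATIO:
            flagged[client] = max(flagged.get(client, (0, 0.0)), (distinct, ratio))
    return flagged


def constructed_log():
    """Constructed sample data: one ordinary workstation, one polling host."""
    lines = []
    for i in range(30):  # workstation repeats a few names that resolve
        name = ("intranet", "mail", "www")[i % 3]
        lines.append(f"{1000 + i * 60} 10.0.0.5 {name}.example NOERROR")
    lines.append("1500 10.0.0.5 typo.example NXDOMAIN")  # one harmless typo
    for i in range(40):  # polling host: a new name every few seconds
        rcode = "NOERROR" if i == 0 else "NXDOMAIN"
        lines.append(f"{1000 + i * 5} 10.0.0.9 host{i * 7919:08x}.example {rcode}")
    lines.append("not a log line")
    return lines


if __name__ == "__main__":
    for client, (distinct, ratio) in suspicious_clients(constructed_log()).items():
        print(f"{client}: {distinct} distinct failed names, {ratio:.0%} failing")
```

A flagged client is a lead for investigation rather than proof of infection, since misconfigured software can also generate bursts of failed lookups.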

1 comment:

poster printing 08 November, 2010 09:13  

However, even this is unproven as the worm has yet to take any action. Conficker is exactly the type of threat with which we should be most concerned.
