Monday, March 23, 2009

Conficker: Fact or Fiction

The web-o-sphere is abuzz with news that Conficker.C (a.k.a. Downadup.C) is preparing to implement its new update scheme on April 1, or as one article so sensationally put it, "No Joke - Conficker Worm set to explode on April Fool's Day!" All the trolls are out, and it's clear that there's a generally poor understanding of the issue out there. This post is an attempt on my part to correct some of the myths, to the best of my ability. Comments are appreciated.

Fiction: This is easy to fix! Take down the command and control machine and/or infiltrate the botnet and upload self-destruct code and/or create a white hat worm to repair infections!

1. There IS no C&C. Updates are propagated through a (newly) robust P2P mechanism. It does rely upon communicating with a predetermined domain name generated by date. Until revision C, this was a list of 250 domains per day, which the good guys were eventually able to block in advance. Unfortunately, the newest update expands the space to 50,000 domain names per day, which is logistically impossible to control.
2. Infected hosts will not execute arbitrary code. All updates are digitally signed with a key known only to the authors.
3. That's worked real well before. The idea is generally agreed to be ethically ambiguous, of dubious effectiveness, and most definitely illegal.
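The date-driven domain lookups in point 1 give defenders something to watch for even when the domains themselves can't all be blocked: an infected host resolving a long run of distinct, unregistered names. The following is an added example (not code from the original post) that scores clients in a constructed resolver log by their share of NXDOMAIN answers; the log format and the threshold values are assumptions for illustration.

```python
import re
from collections import defaultdict

# Constructed sample resolver log (timestamp, client, queried name, response code).
# These lines are made up for the example; they are not real Conficker traffic.
SAMPLE_LOG = """\
2009-03-23T08:00:01 10.0.0.5 qzkwfaj.org NXDOMAIN
2009-03-23T08:00:01 10.0.0.5 mtvbpoe.net NXDOMAIN
2009-03-23T08:00:02 10.0.0.5 rlxcyqa.com NXDOMAIN
2009-03-23T08:00:02 10.0.0.5 wpfhzus.info NXDOMAIN
2009-03-23T08:00:03 10.0.0.5 dkqvtxo.biz NXDOMAIN
2009-03-23T08:00:03 10.0.0.5 ghynrcl.org NXDOMAIN
2009-03-23T08:00:04 10.0.0.5 windowsupdate.microsoft.com NOERROR
2009-03-23T08:00:05 10.0.0.7 www.example.com NOERROR
2009-03-23T08:00:06 10.0.0.7 mail.example.com NOERROR
2009-03-23T08:00:07 10.0.0.7 wwww.example.com NXDOMAIN
2009-03-23T08:00:08 10.0.0.7 cdn.example.net NOERROR
2009-03-23T08:00:09 10.0.0.7 news.example.org NOERROR
"""

# Assumed log line layout: "<timestamp> <client-ip> <qname> <NOERROR|NXDOMAIN>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\d{1,3}(?:\.\d{1,3}){3}) (?P<qname>\S+) (?P<rcode>NOERROR|NXDOMAIN)$"
)


def parse_log(text):
    """Parse log lines into dicts; lines that do not match the format are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            records.append(m.groupdict())
    return records


def per_client_stats(records):
    """Return {client: (total_queries, distinct_names_that_returned_NXDOMAIN)}.

    Counting distinct failed names (not raw NXDOMAIN answers) keeps one
    repeatedly mistyped hostname from looking like generated-domain churn.
    """
    totals = defaultdict(int)
    failed_names = defaultdict(set)
    for r in records:
        totals[r["client"]] += 1
        if r["rcode"] == "NXDOMAIN":
            failed_names[r["client"]].add(r["qname"].lower())
    return {c: (totals[c], len(failed_names[c])) for c in totals}


def dga_suspects(records, min_queries=5, min_nx_ratio=0.5):
    """Clients with enough traffic whose lookups are dominated by distinct failures."""
    suspects = []
    for client, (total, distinct_nx) in per_client_stats(records).items():
        if total >= min_queries and distinct_nx / total >= min_nx_ratio:
            suspects.append(client)
    return sorted(suspects)
```

Run over a real resolver log, the thresholds need tuning per network; the point is that a host cycling through generated names stands out by its failure ratio regardless of how many candidate domains exist per day.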

Fiction: April 1 we are all doomed!

Fact: Shades of Michelangelo! The fact is that the Conficker botnet does have the potential to cause some pretty severe damage on April 1. The more likely scenario, though, is that if it does anything at all on that date, it'll be another update that provides it with additional functionality. The end is (probably) not near. In the long run, this system is more likely to be used for blackhat money-making activities rather than some Internet-ending attack. I don't mean to minimize the damage potential, but I don't think it's time to panic and unplug everything from the network on April 1.

Fiction: Buy a Mac (Linux, BSD, Commodore 64, etc.)

Fact: It seems like the smug, self-satisfied Mac and Linux users can't hit the keys fast enough on this one. Ok, so the fact is that this particular malware does not target any non-Windows OS. This in no way supports the numerous comments claiming that Mac and Linux systems are virus-immune. Market share is the key here. There's no real gain to be had by a malware author who infects some small percentage of what's already a small percentage of the installed user base. If there's one thing NOT to take out of this, it's that "Macs are more secure."

Fiction: This seems bad. I am worried about my own computer.

Fact: If you're aware that Conficker exists, you're probably adequately protected. It would be a rare case where a regularly-updated system with working antivirus would be a victim of this malware. The systems being compromised are probably not yours. Sure, definitely check for it. But you should be worrying a lot more about the threat FROM other people's computers.

To close out, the fact is that whoever is behind this monster has proven to be very technically competent and pretty well on top of their game. Fact is, nobody really knows what they are up to. I don't think there's any cause for panic, but the Conficker botnet is essentially an incredibly powerful illegal supercomputer, and very well could be used to cause some serious damage. It's important to be diligent while keeping perspective.