Posts Tagged ‘conficker’
The FBI’s head of cyber security, Shawn Henry, said last week that the Conficker media hype is distracting people from other threats. Henry is only half right in his comments, which he made in a speech at the RSA security conference in San Francisco.
Henry correctly pointed out that there are many other cyber threats out there that also deserve attention, and some of the threats may be bigger than Conficker. Henry praised the idea of public awareness, but said he wanted to see more coverage of the “entire threat vector.”
Conficker became big news for several reasons: it was the biggest botnet to come along in years, and it operated differently from other botnets. Much of the media attention also came from the April 1 deadline, which was supposed to be the “launch date.” Nothing much happened on April 1 (except for a few April Fools jokes), and so what we’re seeing now is a sort of “anti-hype” in some circles that downplays Conficker. This is a dangerous thing. The April 1 deadline was either a ruse, or the perpetrators delayed the launch because of the media attention. Conficker is still with us, and reports are out that it is now coming to life, fulfilling its promise to transform millions of victims’ PCs into spam-spewing robots.
Was Conficker a “false alarm”? Obviously not. The worst is yet to come–and the media attention served the purpose of getting more people to update their systems and install the relevant patches. There is also very little doubt that Conficker has had a monetary impact already. According to the Cyber Secure Institute, it has already consumed “an extraordinary amount of time and energy.” A Cyber Secure Institute blog entry noted that because there was no major event on April 1, “numerous commentators are now downplaying the significance of the worm. This view is misguided.”
Cyber Secure Institute also discusses the overall financial impact of the worm in terms of wasted resources and time–and, extrapolating from its previous studies of the average cost of other attacks, the institute estimates the total economic cost of Conficker to be as high as $9.1 billion.
The SANS Internet Storm Center noted that a Conficker outbreak on a college campus holds a few lessons for us all. The outbreak occurred even though the machines were patched–the lesson being that patching alone is not going to solve the problem. Before I go on, let me make it clear that keeping up to date on patches is always a good idea. The MS08-067 patch that is relevant to Conficker should be applied, and anti-virus software should be used and kept up to date. However, the lesson of this report is that one should never be lulled into a false sense of security, and protection should always be layered.
The fact is, Conficker can propagate through several different methods. In addition to exploiting an unpatched machine over the network, the SANS report notes that Conficker can spread through removable media, by reusing the credentials of the currently logged-in user to reach network shares, or by brute-forcing weak passwords on those shares. A fully patched machine is still exposed to the last three vectors.
SANS notes that it has not found any single virus removal tool that catches all of the payloads dropped by Conficker. Its report issues seven lessons regarding Conficker prevention that bear repeating in this space:
The April Fools Day Conficker scare didn’t amount to much, although that doesn’t mean that Conficker poses no danger. It’s still out there, silently spreading and perhaps collecting information, and may well become one of the biggest botnets ever–so don’t make the mistake of being lulled into a false sense of security because nothing happened on April 1.
What’s perhaps even more alarming is that there are copycats out there. The Neeris worm, which has been around for a while, has been updated to target the same MS08-067 Microsoft flaw that Conficker took advantage of. Like Conficker, Neeris downloads a copy of the worm onto the victim’s machine via HTTP, and then patches the system’s TCP/IP stack (Conficker does this to lift the limit on concurrent half-open connections, which speeds up its scanning for new victims). Also like Conficker, Neeris spreads via Autorun on removable drives, dropping an autorun.inf that adds a fake “Open folder to view files” option to the Autoplay dialog so that a user who thinks they are opening the drive in Explorer instead launches the worm.
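The removable-media vector described above (and in the SANS list of propagation methods earlier on this page) leaves a concrete artifact on the drive: an autorun.inf whose Action text mimics Explorer’s own “Open folder to view files” prompt while its launch directive points at an executable. The following is an added example, not code from SANS, the Cyber Secure Institute, or the original post: a small Python checker that parses an autorun.inf tolerantly (skipping comment lines and non-directive junk, since worms pad these files to defeat naive signature matching) and flags the folder-prompt impersonation. Both sample files are constructed for the illustration; the payload path and export name in the malicious one are placeholders, not real Conficker or Neeris indicators.

```python
"""Flag autorun.inf files that impersonate Explorer's "Open folder to view files" prompt.

Added example (heuristic). Assumptions, not facts from the page:
- directives live in an [autorun] section and are key=value lines;
- junk lines that are not key=value pairs are ignored, as the Windows
  INF parser ignores them, so padding does not hide the real directives.
"""
import re

# Text Explorer itself uses for the genuine "open in Explorer" choice.
FOLDER_PROMPT = re.compile(r"open\s+folder\s+to\s+view\s+files", re.I)
# Launch targets that are code rather than a document or folder.
LAUNCHERS = re.compile(r"(rundll32|\.exe|\.dll|\.vmx|\.scr|\.com|\.bat|\.cmd)\b", re.I)
SECTION = re.compile(r"^\[(\w+)\]$")
DIRECTIVE = re.compile(r"^\s*([A-Za-z_]+)\s*=\s*(.*?)\s*$")


def parse_autorun(text):
    """Return the [autorun] directives as a dict with lower-case keys."""
    section = None
    directives = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):       # blank or INF comment
            continue
        m = SECTION.match(line)
        if m:
            section = m.group(1).lower()
            continue
        if section != "autorun":
            continue
        m = DIRECTIVE.match(line)
        if not m:
            continue                               # padding / junk, not a directive
        directives[m.group(1).lower()] = m.group(2)
    return directives


def assess(text):
    """Return (suspicious, reasons). Suspicious only when the folder-prompt
    lure is combined with an executable launch target."""
    d = parse_autorun(text)
    action = d.get("action", "")
    launch = d.get("shellexecute") or d.get("open") or ""
    icon = d.get("icon", "")
    reasons = []
    mimics_prompt = bool(FOLDER_PROMPT.search(action))
    runs_code = bool(LAUNCHERS.search(launch))
    if mimics_prompt:
        reasons.append("action text mimics Explorer's default folder prompt")
    if runs_code:
        reasons.append("launch target is executable code: " + launch)
    if "shell32.dll" in icon.lower():
        reasons.append("icon borrowed from shell32.dll to look like a folder")
    return mimics_prompt and runs_code, reasons


# Constructed sample in the style of a worm's autorun.inf (placeholders, not real IOCs).
MALICIOUS_AUTORUN = r"""
;constructed sample for illustration
[AutoRun]
;!ixz@@##
Action=Open folder to view files
xjkq)($%^
Icon=%systemroot%\system32\shell32.dll,4
ShellExecute=.\RECYCLER\S-1-5-21-0000000000\payload.vmx,export1
UseAutoPlay=1
"""

# Constructed benign vendor CD: runs an installer, but does not pose as a folder.
BENIGN_AUTORUN = """[autorun]
open=setup.exe
icon=setup.exe,0
label=Vendor Driver CD
"""

if __name__ == "__main__":
    for name, sample in (("malicious", MALICIOUS_AUTORUN), ("benign", BENIGN_AUTORUN)):
        flagged, why = assess(sample)
        print(name, "->", "SUSPICIOUS" if flagged else "ok", why)
```

The check is deliberately conservative: an installer CD that uses `open=setup.exe` is not flagged on its own, because the signal is the combination of a folder-impersonating Action text with a code launch target. It complements rather than replaces the obvious mitigation, which is disabling Autorun for removable drives.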