
This just in: It’s bigger than Conficker

Apr 10, 2009, 4 mins
Data and Information Security, Malware

The problem is never a particular piece of malware; it's all about your company's culture of computer security defense

I’ve received scores of e-mails the last month from readers wanting to know if they should be worried about Conficker. They’ve been bombarded with daily warnings from vendors and a continuous stream of alerts from the media. The answer is yes, of course you should be concerned about Conficker. But if you have the appropriate patches installed (all you had to do was allow the normal Microsoft patches to apply), good password policies, and autorun disabled, then the risk of attack from Conficker is significantly lower than the risk from other threats. It doesn’t mean you can’t or won’t be attacked, but the risk is significantly reduced.

I had just as many readers asking why Conficker was so big in the media if it didn’t do the damage expected on April 1. First, don’t think most of the security experts expected a huge problem on April 1. The “siren” was set off by vendors who try to sell products and services. Can you blame them? It’s their job to make money. As always, the mainstream media caught the fever and raised the alarm even higher. Secondly, like the Y2K problem, the extreme amount of attention almost guaranteed the damage would not be as bad as if it had been left unaddressed.

But a big part of me wants to laugh. Conficker has supposedly made its way onto tens of millions of computers. That’s no joke — but it pales when you consider that more than half of consumer PCs are currently infected with some sort of malware, usually designed to steal the user’s money. I don’t think I have a single friend or family member that didn’t get hit by one of the fake Antivirus 2008/2009 malware variants this year.

Fake Antivirus is so common that when my friends and family members start to tell me about their computer problems, even before they give me the first verb and adjective, I direct them to some Antivirus 2008 removal links and strongly recommend they just reformat and start over. I know what they are going to say. I’m always sure to tell them, “You got infected because you or someone that uses your computer got tricked into installing something that was malicious.” I then tell them to change any online passwords they used recently and to monitor their credit reports.

I mean, really, it’s a little ridiculous. We are under attack like never before (we’re talking hundreds of millions of infections) by malicious, organized professionals, criminal hackers whose malware is designed to steal our money and our identities, and I’m supposed to be more worried about Conficker? It’s like being worried about saturated fats in nuts when you’re 40 pounds overweight (like I am). It’s OK to focus on one problem, but you’ll miss the systemic issue and the bigger problems (e.g., I eat too much).

Or how about all the reports yesterday about how the U.S. electrical grid can be taken over by hackers? I want to scream, “Yes, of course! It’s been that way for over a decade.” It’s nothing new. Hackers can essentially take over any Internet-connected computer system or network any time they choose to make an effort. I make very few exceptions.

Your company’s data can be stolen at will. Our banks, hospitals, and national infrastructures can be owned at any minute. Our networks and systems are rife with exploits just waiting to be taken advantage of. And until we, as a global Internet society, are willing to undertake the hard work (as I’ve discussed in this column many times before) to really fix the Internet, it isn’t going to get any safer.

OK, I’ve repeated my mantra again. But should you really be worried about Conficker?

Maybe, but the problem is never a particular piece of malware — it’s your organization’s culture of computer security. If you do a good job overall, then you won’t be as worried about Conficker or the next variant. If Conficker does get your company or computer, then it indicates gaps in your defenses that need to be addressed.

And if you (and your management) are going to worry about generic Conficker infections, fine, but worry more about all those infected or exploitable computers in your environment that you don’t even know about. Conficker we can handle. It’s much harder to deal with the dedicated hacker that wants your company’s information or your money.

So fight the good fight and be vigilant. And remember that the biggest problems in life are loved ones in the ER. The rest is just normal life.


Roger A. Grimes is a contributing editor. Roger holds more than 40 computer certifications and has authored ten books on computer security. He has been fighting malware and malicious hackers since 1987, beginning with disassembling early DOS viruses. He specializes in protecting host computers from hackers and malware, and consults to companies from the Fortune 100 to small businesses. A frequent industry speaker and educator, Roger currently works for KnowBe4 as the Data-Driven Defense Evangelist and is the author of Cryptography Apocalypse.