IT was ready for a conficker attack
- 07 April, 2009 07:14
An expected April 1 activation of the Conficker.c worm passed without incident, calming widespread fears that the Internet was in danger of attack.
In the days prior to April 1 -- the date that the worm was supposed to get instructions from its unknown creators -- IT security managers acknowledged that they were concerned but said they were confident that their teams could deal with an attack.
For the most part, companies patched the vulnerability that the worm exploits and updated anti-malware and intrusion-detection software to protect against the threat.
Matt Kesner, chief technology officer at Fenwick & West LLP, said the San Francisco-based law firm took the Conficker.c threat more seriously than most other viruses and worms because security analysts had said it is unusually well-written and is programmed to quickly respond to security countermeasures.
Conficker.c is the third version of a Windows bug, also known as Downadup, that first surfaced in Windows-based PCs last November. In January, a second variant of the worm infected many more PCs. Conficker.c surfaced last month and quickly caused significant concern because of its ability to "armor and harden the existing infections," said Vincent Weafer, vice president of Symantec Corp.'s security response group.
The latest version, which also includes mechanisms for evading detection, was hard-coded to start contacting its command-and control-servers on April 1, presumably to receive instructions on what to do next. Toralv Dirro, a security strategist at McAfee Inc.'s Avert Labs in Germany, noted that the worm did reach out last Wednesday, but "so far, none of the servers they are trying to reach are serving any new malware or any new commands."
No one is sure how many PCs have been infected by the worm's three versions, though estimates range from 1 million to 12 million.
The mystery surrounding the April 1 instructions -- along with a March 29 story on the television news program 60 Minutes about a possible Conficker attack -- attracted the interest of corporate executives.
"The 60 Minutes segment certainly has caused CIOs to ask about Conficker," said John Pescatore, an analyst at Gartner Inc. "It is just like the old Slammer-Blaster days," he added, referring to a mass worm that hit the Internet several years ago.
Jim Kirby, director of information infrastructure at Dataware Services LLC in Sioux Falls, S.D., said that, despite the hype surrounding Conficker, he was not overly concerned that it would cause problems on April 1. "We have a strong system-update policy and feel largely immune from infection. Close the doors properly, and you don't have to worry so much about the malware of the day," he added.
The information security group for Arlington County, Va., used its emergency alerting system to notify constituents of the threat. In addition, "we've used e-news briefs to educate our employees with regard to the relatively simple means by which they can ensure their home PCs are not infected with this particular malware," said David Jordan, the county's chief information security officer.
Nonetheless, Jordan said he was confident that the county could stave off an attack by the worm. "We have excellent [antivirus tools], firewalls and analytical tools. We are a mature practice here in dealing with these kind of things. Our network engineers treat every day as if they were going to see a zero-day incident."
David Marcus, security research manager at McAfee Avert Labs, said that despite all the publicity, the Conficker worm is really no different from other malware except for the degree to which it is being "actively maintained" by its creators.
"Functionality-wise, I don't think it presents any new challenge," he said. "It's a pretty wily piece of software," but one that can be managed like other threats. Gregg Keizer and the IDG News Service's
Sumner Lemon contributed to this story.