
Apr 1, 2009

April Fools' may be no joke for world's computer users

(CNN) -- Computer experts waited early Wednesday to see what impact -- if any -- the worm known as Conficker.c will have on the world's computers.


"As long as you've patched or at least brought your antivirus software up to speed, you should be fine," said Chris Pirillo, a tech expert for CNN.com.

And there are plenty of anti-virus software packages available.

"I believe just about everybody out there," Pirillo said, "has a removal tool."

Still, the worm can wreak havoc, he said.

Unlike viruses, worms self-propagate, spreading across networks. "Once it's out there, it's very difficult to stop," Pirillo said.

He predicted that "the worst possible outcome" would be that some computers would run "suboptimally," as network traffic becomes clogged.

And its ability to do that is cleverly designed: Conficker.c has a feature that disables the Windows Update program, keeping Windows from being patched, Pirillo said. It also disables the auto-update capabilities of many anti-virus software programs.

Pirillo said it may be a week or more before the true impact of the worm is known, but he predicted it will have one.

"It's going to be very annoying to say the least," he said. "It's going to impact network traffic in a big way."

Lawrence Baldwin, the chief forensics officer with mynetwatchman.com, an Internet security site based in Atlanta, said the motivations of Conficker.c designers appear to be different from the motivations of those who designed previous worms, which infected millions of computers but had little impact.

"Three or four or five years ago, they were plainly trying to prove how smart they were," he said. Now, he said, the designers' motivation appears to be financial. "They can make serious amounts of cash with a variety of means."

Still, he predicted, any damage will be limited. "I don't suspect that we're going to have any kind of global meltdown as a result of this thing. I think what we'll see is that the purpose and intent of Conficker is to deploy a whole plethora of secondary malware -- spam, Trojans, key loggers, distributed denial-of-service attacks, adware, etcetera, etcetera. Basically, all the things that the criminal can make money with."

Widespread media coverage of the threat may have motivated many individuals and corporations to act, possibly minimizing the potential impact.

The FBI said only that it was "aware of the potential threat posed by the Conficker worm" and was working with a range of partners "to fully identify and mitigate the threat."

But just what is that threat? Computer experts acknowledged they don't know for sure. "The biggest question is what is actually going to happen?" said Simit Shah, director of Web operations for CNN.com.

So far, the worm "kind of calls home and says, 'What should I do?'" he said. And so far, the response has been to do nothing, he said.

But on Wednesday, the worm is expected to expand its daily call list from a set list of 250 sites to 500 Web sites chosen at random from 50,000, "so it becomes harder to continue using some of the countermeasures that have worked so far," he said.

The worm "could end up connecting to one of these sites and say, 'Go do something,'" he said. That "something" could wind up being any of a number of different kinds of attacks on any of a number of Web sites, including government ones, he said.

He said the worm already controls more than 10 million computers by some estimates and is very sophisticated. "If someone says, 'I want to try to hack some system and try millions of combinations of Social Security numbers,' they could purchase this computing power to do that," Shah said.

Or, on the other side of the spectrum, "it could be all about ego," he said, noting that the worm authors have played a cat-and-mouse game with security experts since last November, when the first version of the Conficker worm was discovered.

Since then, as countermeasures have been devised and deployed, the worm has morphed into two other versions, each more sophisticated than the previous one.

In February, security experts' efforts to fight back got a boost when Microsoft offered a $250,000 reward to anyone who could catch the worm authors.

That resulted in the formation of Conficker Cabal, a group of security experts trying to combat the worm.

Despite the worm's potential for causing damage, its still-unknown authors have earned "a lot of respect" from the security experts, Shah said.

"These guys are doing stuff you don't normally see done," he said.

One of the first things it does is to disable a computer's automatic updates, he said. In October, Microsoft released a patch to fix this vulnerability, but many computer users have not updated yet. And, "once you get the worm, it disables your ability to update," Shah said.

IBM security expert Holly Stewart said in a telephone interview with CNN that the latest version of Conficker -- Conficker.c, which was discovered less than a month ago -- is different from prior versions in that it is not focused on propagating. Instead, it "is more focused on holding the fort and keeping the communication lines open to its peers."

She said an IBM computer specialist last week reverse-engineered the worm's communications mechanisms and found a way to detect it on the network.

"It's very well constructed," she said about the worm. "Conficker authors spent a lot of time making this chatty network very difficult for intrusion prevention and intrusion detection systems to detect."

The company's security update, deployed late last week to its customers, shows 45 percent of infections occurring in Asia, followed by Europe, with 31 percent, she said.

Still unclear is the impact. "That's the million-dollar question," she said. "To be honest, no one can give an accurate prediction."

But the motivation appears more clear. Someone has spent "a lot of money and resources" creating the worm, she said. "It would surprise me if they did not want to cash in on it in some way."

Shah said he too did not know what would happen, but that the worst-case scenario would be "you could get your computer wiped out and your computer could be part of some kind of criminal enterprise."

For the moment, the worm remains at rest, but, "at some point, it is going to get an instruction to do something."

Steve Santorelli, a former Scotland Yard detective who is now director of global outreach for the Chicago, Illinois-based security research company Team Cymru, said the worm authors "have amassed what is the equivalent of a major weapon that could possibly be turned against the Internet. There is lots of speculation, and that speculation leads to fear of the unknown. The only people who really know what Conficker will be used for, if anything, are the criminals behind it. The rest of us are guessing."

News Source : cnn.com
