On the eve of Conficker, anticlimactic predictions aboundThe security community closely will be watching the clock strike midnight tonight, when the much-publicized Conficker worm is set to activate, but there appears little reason for security professionals to lose sleep.
Most researchers agree that Wednesday should be business as usual for IT departments -- and any surprise is more likely to come at the hands of a co-worker's April Fool's prank than some widespread internet attack.
Wednesday is the day when the latest variant of the worm's code is programmed to query 500 domains (from a list of a possible 50,000 domains) for further instructions. But observers believe Conficker-infected computers -- which number in the millions -- likely will receive an updated version of the malware and not be tasked to perform a major spam, distributed denial-of-service or information-stealing assault.
Andrew Hayter, anti-malcode program manager at ICSA Labs, which certifies anti-virus products, was one expert trying to debunk the hype on Tuesday. He told SCMagazineUS.com that considering the amount of industry collaboration that has gone into learning about the threat, users should be mindful but not worried, especially if their machines are not already corrupted.
"We have to do a wait-and-see but, provided you've taken care of your systems, I think you're fairly safe," he said. "It will not be the end of the internet as we know it tomorrow."
Meanwhile, Mary Landesman, senior security researcher at web security firm ScanSafe, said only machines that are infected with the latest variant of the worm, Conficker.C, are impacted. The most common variant, Conficker.B, is not programmed to "phone home" on Wednesday for instructions.
Here are the latest developments related to the worm:
- The U.S. Department of Homeland Security has released a government-created tool to detect machines infected with the worm. The tool is designed for use by federal agencies, commercial vendors, state and local governments and critical infrastructure operators. The tool can be accessed through the Government Forum of Incident Response and Security Teams Portal or the IT and communications sector Information Sharing and Analysis centers. The tool appears similar to another free offering released Monday by the Honeynet Project.
- Cybercriminals are using search engine optimization tactics to poison results if someone searches the internet for Conficker-related information, according to Symantec. Clicking on the rogue links typically leads to a website trying to persuade users into downloading and paying for fake anti-virus software.
- IBM Internet Security Systems released new details on the geographic scope of Conficker-infected machines. The security arm said nearly 45 percent of compromised machines are located in Asia, 31 percent in Europe, 13.6 percent in South America, 5.8 percent in North America, 3.3 percent in the Middle East and 1.1 percent in Africa
- While the clock officially struck midnight in Asia several hours ago, there have yet to be any major reports of problems, according to the SANS Internet Storm Center, which kept its threat rating at the lowest level of "green" as of 6 p.m. EST. Symantec's ThreatCon rating remains at Level One, or "normal."
- Most security companies and major research firms have backed off on making predictions that the April 1 activation date means any visible impact for end-users. In an analysis, Gartner's John Pescatore said on Monday that Wednesday could bring an increase in network bandwidth use if compromised machines attempt to contact the malicious URLs, but not much more.
- Though Conficker infections have only turned up on Windows machines, Macintosh security vendor Intego said it is closely monitoring the situation. In a memo, the company said its researchers are "on full alert in case a Mac OS X variant of this worm should appear, but, so far, Mac users are in the clear." But the memo cautioned Mac users who run Windows on their machines to be wary of the threat.