The Conficker-fed doomsday scenarios fed to us by security vendors and trade press has come and gone without the big disaster. The IT world on April 4 looks a lot like the IT world on March 31. It is almost disappointing, just as a forecasted winter storm that misses the mark – nobody wants to see property damaged, but a good storm is captivating and fun to watch. Conficker, also known as Downadup and Kido, was primed to start seeking its payload using a wider range of domains on April 1. The over-hyped storm has thus far turned into a dud, leaving the security industry looking clueless once again.
The focus leading up to April 1 has been on the details of Conficker, a fascinatingly creative attack. There is much to admire about the attack: the clever ways it uses the Web for command and control, the addition of peer-to-peer protocols and USB devices to propagate, and the overnight establishment of a botnet comprising over 3 million computers that are poised to execute whatever malicious code the attackers choose to disseminate. This was created by a small team without the benefit of QA cycles, customer beta tests, or high-level architecture reviews. Conficker is impressive in how fast it has reached mass-deployment and utterly baffled the security industry.
The day after Conficker's start date, Kaspersky posted "Worm.Win32.Kido Danger: moderate risk". That statement has become a "business is normal" status since we will never see low or no risk levels again. The security business is one to worry about the downside risks of IT, and every once in a while it suffers through the indignities of events like Y2K and Conficker where the reality does not justify the hype. The true Conficker story may well turn into an introspective of the security industry and the opportunities to do better. It will start with hard questions of security vendors and service providers.
- How can we not know what happened? The first three days of Conficker.c have come and gone without disaster, and the security industry does not know why. Perhaps the $250,000 reward sponsored by Microsoft scared off the attackers before they could activate the malware downloaders. Perhaps the coalition of vendors cut off command and control communications with intelligent DNS actions. Perhaps enough consumers upgraded their endpoint security software. Perhaps the attack is not really gone and the attackers just had a professional schedule slip in development of their malicious code. Or perhaps we just got lucky. The point is that an industry north of $30 billion doesn't know. As well, it can't predict disaster nor can it issue an "all clear."
- How can a vulnerability that was patched 6 months ago be leveraged by the widest spread malware in history? Microsoft issued patch MS08-067 in October 2008, and yet 6 months later, Conficker is thriving. The responsibility for a solution needs to be shared between Microsoft, Service Providers and security vendors. With all of the hype and time to prepare, we cannot easily identify computers that are infected. The present scenario is appallingly inept.
- Why does the security vendor response seem so amateurish? Security vendors always seem to have trouble speaking in terms that consumers can understand. Kaspersky suggests opening www.kaspersky.com in your browser and that you'll know you're probably infected if the page does not open (i.e., the consumer figures out if they're infected). Symantec says, "The best way to know if you are infected is to run a good antivirus product." (Think about that – if Symantec's antivirus product was good, why would the computer be infected?). Sophos says, "If you are running Sophos antivirus, you do not need to disable HIPs while you're using the Sophos Conficker Cleanup Tool. Whilst this tool should not conflict with other antivirus products, the nature of the tool means it may be blocked by behavior-based (HIPS) functionality within non-Sophos antivirus solutions." (Again, if I'm running Sophos antivirus why would I need a cleanup tool?) It seems that every endpoint security vendor solves the Conficker problem to sell their product, but really the problem is not solved.
Conficker is still with us. There is no credible researcher that I've talked with who can say the danger has passed and that the botnet will not find a way to download powerful attack code. I better understand Microsoft's foray into security – the attacks leverage Windows vulnerabilities and Microsoft has a responsibility for safe computing. Consumers and enterprises are buying endpoint security suites because they do not have any viable alternatives. While I believe in endpoint security and independent security vendors, I also believe that the present security model is severely broken. The above unanswered questions are embarrassingly basic. There has to be a better way.
Eric Ogren is founder and principal analyst of the Ogren Group, which provides industry analyst services for vendors focusing on virtualization and security. Prior to founding the Ogren Group, Eric served as a security industry analyst for the Yankee Group and ESG. Ogren has also served as vice president of marketing at security startups Okena, Sequation and Tizor. He can be reached by sending an email to email@example.com.