OPED: Conficker - should you believe the hype?
by Steve Ragan - Apr 13 2009, 20:10
The sheer volume of Conficker related news is enough to drive some editors insane. Viewed strictly from the perspective of a reporter, tech blogger, or public relations manager, there is so much raw information about the Worm that your head can spin. However, as news of the Worm is pitched, spun, and published, should you, the public, panic and believe the hype?
F-Secure, early on in the Conficker coverage, reported millions of infected systems. Infrastructure provider OpenDNS said earlier this month that 500,000 of its users have been infected with variant C of Conficker. IBM reported that only 5.8 percent of North American computers were infected. In the same report, IBM added that 44.6 percent of systems in Asia and 31 percent of computers in Europe were infected. However, those numbers were twisted and used to perpetuate the fear that everyone was infected by Conficker and the world would end.
To be fair, neither IBM, F-Secure, nor OpenDNS claimed that people should panic. IBM even made a very clear statement that the numbers they reported were for their clients only and not representative of the overall dynamic of the Internet. Yet, it is interesting to see so many reports using the figures to help back the claim that we are all doomed.
Since January, reporters, bloggers, and editors have been inundated with pitches and snippets of news related to the Worm. While the PR people are only doing their jobs, and without them there would be hardly any news to report, some of the pitches, and the materials published as a direct result of them, took Conficker and made it a malicious application of epic proportions.
Variant C is the largest example of this. In the days leading up to the start of April, Conficker news centered on variant C and the fact that it was going to generate 50,000 domains to choose from when it called out for its next update. This was a serious event for certain, but the headlines and hype leading up to it had some fearful of even going online. Even 60 Minutes got into the game, reporting about the Worm on national TV.
Soon April 1 came and went, and with it came a new news cycle: Conficker was a dud. In a matter of weeks, the news about Conficker went from just shy of the world ending to it all being for nothing. "All of their work has gone for naught," said Alfred Huger of Symantec, just after the April 1 deadline passed.
Conficker is an example of how information can turn into panic. A research paper kicked off the hype. Suddenly, a new Worm appeared that can do almost anything. The truth is, the code for Conficker is impressive, and worthy of the research that has been published.
However, the hype surrounding this Worm has gotten out of hand. For example, while the variants of Conficker are new, the method of attack the Worm uses and the actual Worm have been online since 2008.
In addition to Conficker, there are other threats to consider. Randy Abrams of ESET made an interesting observation about this in a blog post earlier this month.
“According to ESET’s ThreatSense.Net, by about 2 PM GMT on April 1st, of the top 20 threats encountered by our users in the past 24 hours, four out of five of them were NOT Conficker. About 16.17% of the threats were online game password stealing threats. Another 21.5% were threats that were not Conficker and were trying to use Autorun to infect computers. 9.72% of the threats were something we call Win32/Agent, which tries to steal data from your computer. Yes, 80% of the risk was not Conficker but 99% of the attention was on Conficker. Does that make sense to you? Can you imagine crossing the street and ignoring 4 out of 5 cars? Do you think you’ll live long?”
So why, then, has there been a good deal of coverage on this one Worm alone? The answer lies in traffic revenue. All of those press sites cranking out endless Conficker coverage, even The Tech Herald, make money based on traffic. Using this site as a single example, most of the articles that have been doing well are a mix of Conficker news and current events.
However, a decision was made early on not to overhype the Worm. As Security Editor for The Tech Herald my reasoning for limiting the Conficker coverage was that it wouldn’t be fair to the readers, and it would only look like exploitation. So, only standout articles go it alone, and other new information goes into a related existing article as an update. Content is better than clicks. If we posted a new article on every bit of information we have on Conficker, that is all we would report on in the Security section.
With all of this hype, where does that leave the end user?
Protection from Conficker has been around for several months. This is because the Worm exploits a flaw in Windows. Microsoft issued a patch for this, but thanks to patching policies inside businesses and users who fail to update their systems, the Worm spread like wildfire.
If you think you might be infected by Conficker, there are some signs to look for. The first is a seriously slow and sluggish computer. The appearance of ads on the system itself and the lack of ability to visit known security sites is another sign. In addition, your security software might even stop working.
A visual test for infection is located on the Conficker Working Group’s website. If you cannot view two or more of the top row of images displayed in the Conficker Working Group’s page, you are infected.
The Tech Herald has a list of mitigations and removal tools; you can find that information by clicking the link below. Once your system is cleaned, the only way to help prevent other attacks is to continuously update your operating system by using Windows Update. Moreover, you need to pick an anti-virus solution and maintain it by updating daily.
Should you believe the Conficker hype? The answer is yes and no. Pay attention to the news and stay informed, but try to limit the amount of hype you will believe. Conficker is impressive when you watch its evolution in code, but at the same time the Worm is nasty.
Just remember, Conficker will not signal the end of the world. It makes no sense to protect yourself or your business from Conficker and forget the other threats.
The Tech Herald: Conficker: The Tech Herald’s index of news and information