CNN reported that there a new sleeper virus out there. http://www.cnn.com/2009/TECH/ptech/01/16/virus.downadup/index.html

There is nothing sleepy about the Conficker worm, it is wide awake and looking for people who are asleep at the security wheel.

CNN reports that Conficker could allow hackers to steal personal and financial data, and they also report that it “it is not very serious in terms of what it does. So far it doesn't try to steal personal information or credit card details.”

Huh? Ok, I’ll follow suit… Conficker could allow hackers to rig elections and shut down critical power and communications infrastructure, but it doesn’t.

What Conficker could allow hackers to do is truly as irrelevant as it gets. The conditions that allow Conficker to spread mean that any semi-skilled hacker or malware author can do the same and much worse with complete and total impunity.

Conficker was one of the first worms to exploit a fairly recent and serious security vulnerability in Windows (MS08-067). Conficker doesn’t stop there though, it also is able to guess passwords set by people who do not understand security (think Twitter admin). Yes, Conficker can guess weak passwords. Conficker also exploits autorun, a vulnerability that Microsoft should have patched a long time ago, but MS insists that auto-infection is a feature. Companies that make digital photo frames, MP3 players, GPS systems, and other assorted USB devices have really embraced the auto-infect technology too!!!

To Microsoft’s credit, most of the infections are coming from the corporate space. Why is this to Microsoft’s credit? Because it means that Windows Update is working pretty well in homes, where it is usually allowed to work.

For businesses this is a dismal finding. This means that standard security basics are not being enforced. There is really sobering news here. Perhaps businesses are not investing in security. An IT person needs some budget and time to do his or her job. Maybe businesses do not know how to evaluate competent security professionals to put in charge. “We needed time to test” is not an excuse for not having deployed the patch for MS08-067. If there is a legitimate reason for not having deployed the patch then there are other many other layers of defense that should be in place for protection.

Conficker should be a complete non-story, and actually it is not the story. The real story is that people are still not doing the basics. Keep your systems patched, keep your applications patched, and require and use strong passwords.

Randy Abrams
Director of Technical Education