- Kelly's World- A View into the mind of Uber Geek, Kelly Adams - https://www.kgadams.net -

Conficker worm fizzles… for now

The news has been full of hyperbole lately regarding the Conficker [1] series of worms. If you believed some pundits, the Internet should have ground to a halt today as millions of infected computers picked up their new instructions for the coming armageddon. What really happened was… not much of anything. But that doesn’t mean the risk is gone…

Like most worms and viruses, the Conficker series of worms relies upon a combination of exploitable software flaws and user error. Also like most worms, the target of all variants of Conficker is Windows. There are several reasons for this. First, Windows is the most widely used operating system by a huge margin. When you are dealing in small percentages, it makes sense to pick the platform where “small percentages” still means tens of millions of machines. Second, users of Windows include the highest percentage of “naive” or downright ignorant users, and malware depends on poor computing habits to propagate. Finally, early versions of Windows were full of atrocious security flaws and design shortcomings.

To avoid Conficker, all you have to do is keep your computer patched up (in Windows XP, turn on automatic updates and have them installed weekly) and run an up-to-date (i.e., virus signatures no more than a month old) anti-virus program. That’s it, and you will be basically safe from the worm itself, assuming your machine doesn’t already have it. The problem is, just as with driving, no matter how safe you are, your safety can be compromised by all the other ignorant (and in some cases downright stupid) users you share the “road” with. If 99% of the Windows users out there follow those two “simple” good practices I’ve mentioned above, that still leaves as many as 10 million PCs that can be infected by malware like the Conficker worm.

And therein lies the problem: a lot fewer than 99% of all Windows users follow good practices. A distressingly high percentage of users actually go out of their way to sabotage all of the automatic update, security, and anti-malware features of the OS. Estimates suggest that as many as 30% of all Windows users still haven’t applied the patch released in October of 2008 that would block Conficker’s main infection vector (MS08-067 [2]). Further estimates suggest the total number of computers running some variant of the Conficker worm exceeds ten million, making it the most “infectious” malware this decade.

So what is the big deal if your machine is not infected? Most worms today are designed to turn the infected machines into a controlled “army” or botnet for some sort of purpose. Even a few hundred thousand computers, if centrally coordinated and directed to a specific task, can wreak havoc on the functionality of major parts of the Internet. A few million could temporarily shut down the core of the Internet for hours, and even significantly disrupt “normal” operations for days if the worm is capable of being dynamically reconfigured, as Conficker is. Conficker is particularly tricksy: its latest variants not only kill running anti-virus software on infected machines, they also reconfigure the host to make it more difficult to download patches and anti-virus software updates. So once you have it, getting rid of it can be beyond the capabilities of the “normal” user.

The risk of your particular computer being infected is the smaller part of the problem, and is something that basic computer health practices can reduce to virtually nil. The real problem is all the millions of *other* users out there who don’t know enough or simply don’t care. Conficker is still out there on several million machines, quietly waiting for instructions to do… something. No one knows exactly what. Even once it is activated, I’m pretty confident that the world won’t come to an end: business will still continue to be conducted on the Internet, and websites will still be reachable (although some might not be). And willfully ignorant or naive users will continue to think that patching their machines once a year is “good enough”, and that up-to-date anti-virus software is “too expensive”. The hidden cost of the disruptions, however, will be in the tens of millions of dollars.