Tuesday, March 31, 2009

Conficker, conshmicker...

Being the day before April 1st, news is spreading quickly about the Windows Conficker worm and the potential activation of the worm's payload tomorrow.

What exactly is supposed to happen? I haven't really seen it in articles spreading hype about April 1st's activation. According to Wikipedia, variant C of the worm appears to set up an ad-hoc peer to peer network relying on some form of UDP scanning; perhaps combined with the estimate that 9 to 15 million PC's may be infected would mean that such heavy network traffic will potentially bring many Internet Service Providers to their knees if they don't take measures to reduce the impact of infected customers flooding their backbones.

The sad part is that the fix for this worm has been out since October of 2008. Keep up to date with Windows Updates? You should have been protected a long time ago.

There are fixes available from many vendors. Even Microsoft has a page on removing the infection. A simple Google search for "conficker remove" should give a list of free removers from various antivirus and security firms, or you can go to Wikipedia and look at their summary of information.

Of course, Apple Macintosh owners and Linux users can be smug in the knowledge that they are already uninfected. On the other hand, if they're using their system on a network where a large number of other users are infected, and if the payload of the worm means that it's going to flood the network with requests to peers to pull down a larger infection, good luck doing anything that involves web browsing or email or any other network service. Running a superior operating system in this case doesn't help when no computer is an island on a network.

The sad part is that the fix for this was out before Conficker ever appeared. If a business network is infected with this worm it is a definite sign that the system administrator in charge dropped the ball; what policies do you have in place for updating systems? I've come to expect home users to not update their systems regularly. It's simply not something most users care about...they want to play on Twitter or Facebook and email, not worry about arcane scary things like "Windows Updates."

Car analogies have a rich life in the computer industry...my daughter just got a driver's license and drove to work with a dashboard light on. She casually mentioned that a light was on when she drove in. We asked her which one and she gave a puzzled look, as if I was asking her to read a novel written in Klingon. I asked her if it was on the whole time or if it was just on when she started the car. Again, a puzzled look; it didn't seem to occur to her that she should pay attention to what the car's various doohickeys and blinkeys would be telling her. She just wanted to drive somewhere. Ask computer users about system updates and I usually get a similar look from people despite it seeming pretty clear from the words "Windows"...the word that appears while their computer is booting, the word found in various places on their computer usually,...and "Updates"...what those two words together should mean.

What does this mean? It means that while it's nice that the media is hyping it up so maybe users might be clued in to at least try to check if their system is both up to date and maybe run one of the many free checkers for infection it most likely means the system administrators at bandwidth providers...the ISP's...will have to take measures to limit damage on their end. Upstream providers will no doubt need to work on measures to shut down connections to people who didn't (or won't) fix their systems and maybe scan customer systems for infections or infection traffic. At worst I think there's going to be a few blips where traffic goes black on the Internet, providers will use many colorful metaphors for their customers in those segments causing issues, then cut them off until they decide to clean up their systems and then we'll see a steady flow of background infections for another five years showing up in logfiles of firewalls and scans just as the Slammer worm did...does...from years ago.

People will soon forget, lessons will be forgotten, and system administrators who should have known better will still have nonexistent procedures for monitoring their networks and enforcing updates. Just another day in the Elysium Fields of the Internet.

No comments:

Post a Comment