At the RSA Conference in San Francisco, Bruce Schneier opined on the media sensation that Conficker became. According to Iain Thompson, Schneier said that “it was a classic example of how the mainstream news media misunderstood the threat from malware and used it to make news to the detriment of security…such cases may have helped vendors sell more security products but in some ways they made the situation worse, since people became inured to virus stories and this might lead them to ignore future warnings.” Here is a case where the old excuse “if it raises awareness, it must be a good thing” is wearing thin. At the same time, Conficker is in the wild, it is sophisticated code and actively run by an experienced group, and it is more than just an enterprise issue. So let’s not completely ignore it, and continue to keep a level head about the threat.
This past week, the ThreatFire community stopped a slew of autorun-launched malicious Conficker code from users’ removable drives:
c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL RUNdLl32.ExE .\RECYCLER\S-5-3-42-2819952290-8240758988-879315005-3665\jwgkvsq.vmx,ahaezedrn
These are consumer PCs, and these Conficker/Downadup attacks continue to be real USB-stick-based attacks on users’ systems. Please continue using a layered security approach: include a behavior-based solution for the times when you don’t patch immediately or there just isn’t a patch for a vulnerability, be sure to patch your system when patches/updates are released, and practice safe use of removable storage (network- and USB-based).
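As an added example, not code from the ThreatFire post: a small Python triage script that parses an autorun.inf from a removable drive and flags the launch pattern quoted above (rundll32 relayed through shell32's ShellExec_RunDLL, loading a non-.dll module from a RECYCLER SID-named folder). The autorun.inf sample is constructed around that command line; the assumption that a shellexecute= value is launched this way is labelled in the code.

```python
import re

# Constructed sample: the process command line quoted in the post above, verbatim.
OBSERVED_COMMAND = (
    r"c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL RUNdLl32.ExE "
    r".\RECYCLER\S-5-3-42-2819952290-8240758988-879315005-3665\jwgkvsq.vmx,ahaezedrn"
)
# Constructed autorun.inf, assumed to produce that launch via its shellexecute= key.
SAMPLE_AUTORUN_INF = r"""
[autorun]
Action=Open folder to view files
Icon=%SystemRoot%\system32\shell32.dll,4
shellexecute=RUNdLl32.ExE .\RECYCLER\S-5-3-42-2819952290-8240758988-879315005-3665\jwgkvsq.vmx,ahaezedrn
UseAutoPlay=1
"""

def parse_autorun_inf(text):
    """Tolerant [autorun] parser: key (lowercased) -> value; unparseable lines are skipped."""
    entries, in_section = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].strip().lower() == "autorun"
        elif in_section and "=" in line and not line.startswith(";"):
            key, _, value = line.partition("=")
            entries[key.strip().lower()] = value.strip()
    return entries

def assess_launch(command):
    """Reasons a launch string matches the autorun abuse pattern seen in the report."""
    low, reasons = command.lower(), []
    if low.count("rundll32") >= 2:
        reasons.append("nested rundll32 launch chain")
    if "shellexec_rundll" in low:
        reasons.append("shell32 ShellExec_RunDLL used as a launcher")
    if re.search(r"recycler\\s-\d+(?:-\d+)+\\", low):
        reasons.append("payload under a RECYCLER SID-named folder")
    # Every module handed to rundll32 should end in .dll; the one above is a .vmx.
    for m in re.finditer(r"rundll32(?:\.exe)?\s+([^\s,]+)", low):
        ext = m.group(1).rsplit(".", 1)[-1]
        if ext != "dll":
            reasons.append(f"rundll32 given a non-.dll module (.{ext})")
    return reasons

def triage_autorun_inf(text):
    """Map each launch key (open=, shellexecute=, shell\\verb\\command=) to its reasons."""
    findings = {}
    for key, value in parse_autorun_inf(text).items():
        if key in ("open", "shellexecute") or re.fullmatch(r"shell\\[^\\]+\\command", key):
            reasons = assess_launch(value)
            if reasons:
                findings[key] = reasons
    return findings
```

Run `triage_autorun_inf(open(r"E:\autorun.inf").read())` against a mounted drive to see which launch keys trip which rules; an empty dict means nothing in the file matched.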
Conficker autorun-based attacks made up a little less than 10% of the autorun-based attacks in April within the ThreatFire community. The other 90% of autorun-based malware continues to thrive by abusing misunderstood autorun features, like Virut, Almanahe or SillyFDC, Dizan or Texel (also called Sality), W32.Whybo, W32.Rajump and a variety of Autorun worms that are dropping password stealers and keyloggers on victim machines. While the family names provided by AV scanners are often inaccurate or provide little information about the functionality of what was stopped, they are worms and they are real threats. In real terms, these worms are every bit as impactful on a system as the active Conficker threat.