Slashdot Mirror


Years-Old Conficker Worm Still a Threat

RedEaredSlider writes "The Conficker worm is still a threat, even though it is more than two years old and nobody has used it in a botnet attack yet. The problem is that so many machines are infected (largely because many don't realize it) and it's such a flexible piece of malware."

20 of 71 comments

  1. The real issue: by Isaac+Remuant · · Score: 5, Insightful

    The Average User is still a threat in his path to ignore one and all security measures.

    --
    "Science can amuse and fascinate us all, but it is engineering that changes the world." - Asimov.
    1. Re:The real issue: by clarkkent09 · · Score: 4, Interesting

      The real issue: software industry releases insecure products and blames ordinary users for not being IT security experts which is what it takes to be truly secure.

      --
      Negative moral value of force outweighs the positive value of good intentions.
    2. Re:The real issue: by causality · · Score: 4, Insightful

      The real issue: software industry releases insecure products and blames ordinary users for not being IT security experts which is what it takes to be truly secure.

      The bar could be raised far higher than it is now without even beginning to approach expertise. That's the part that is often underappreciated.

      "Truly secure" in an absolute sense is rarely if ever attained by anyone, and almost never necessary. What you really need to achieve is "unprofitable to compromise". It's security in a relative sense and much more realistic.

      I don't really disagree with your assessment of the average quality coming from the software industry. The users are not typically blamed for that, even though they're collectively responsible for creating a market where shoddy quality sells. That responsibility is indirect and spread out among large numbers of people.

      The users are more often blamed for not even trying to protect themselves, for not making even a token effort to understand the risks. That decision is more immediate and individual. For this reason average users are often characterized as stupid.

      I'm personally more inclined to believe that they could do better if they wanted to. I've seen the mentality many times because there is such an overabundance of examples (and not just in computing). It's not stupidity in the normal sense, though you could call it a kind of stupidity because it tends to act against one's own interests. It's more like an intellectual laziness combined with an entitlement mentality which insists that things like security must always be "someone else's problem" even though it won't be "someone else" who suffers any insecurity.

      Like any entitlement mentality it has to have an excuse to function, to seem like a believable position one does not wish to abandon. In this case it's the excluded middle: the notion that users are either drooling idiots or highly skilled experts with no intermediary states. That enables the afflicted to respond to recommendations for how they may improve by becoming offended instead of assessing the feasibility of the suggestion. The intellectual laziness component comes from institutional schooling's lesson that learning is hard and full of toil and cannot be a joyful process of discovery and fascination.

      You combine those things and you get a user who is nearly impervious to even the most basic, most easily understood advice especially concerning topics like security. Even when it's in their own interests to listen to it. Even when implementing it would be easier than their current practices. The rest of us get a degraded Internet in the form of spam and DDoS attacks and worse that so many compromised machines facilitate, thanks to network effects.

      The case against the mentality of the average user has a solid foundation, primarily because most of them could choose differently.

      --
      It is a miracle that curiosity survives formal education. - Einstein
    3. Re:The real issue: by 1s44c · · Score: 2

      The real issue: software industry releases insecure products and blames ordinary users for not being IT security experts which is what it takes to be truly secure.

      Microsoft released the insecure product involved. They didn't ask for or get the approval of the whole software industry before doing so.

    4. Re:The real issue: by 1s44c · · Score: 2

      "Truly secure" in an absolute sense is rarely if ever attained by anyone, and almost never necessary. What you really need to achieve is "unprofitable to compromise". It's security in a relative sense and much more realistic.

      "Truly Secure" is attained by me. I have a Windows 2000 server that all the crackers in China and Russia working together could not get into unless they physically took the hardware apart. I simply unplugged the network port.

    5. Re:The real issue: by hairyfeet · · Score: 2

      I'm sorry but that is bullshit. I have to deal with those users 6 days a week and frankly as long as they have control over their box they WILL do whatever they please, security be damned. It is the classic dancing bunnies problem and I don't care which OS you use they WILL blow right through your security measures if they want to see the bunny.

      I have had a customer open a password protected zip file with me standing there telling them it's a virus "because this was sent to me by my BFF Kim and she wouldn't do that" and if you think Linux or any other OS would do better allow me to submit for your consideration How to write a Linux virus in 5 easy steps using the same social engineering which causes the vast majority of infections on Windows.

      Bottom line if the user wants to run it they WILL run it, and the only way to prevent that would be to take away ALL rights to the machine and make it into trusted computing. Now since trusted computing (or treacherous computing as RMS calls it) would take away all rights from the user and kill OSes that allowed the four freedoms dead we simply have to accept the fact that stupid is as stupid does.

      Not to say adding security isn't a good idea, I'm personally switching my customers and family to Windows 7 and the file and registry virtualization along with low rights mode in Chromium does safeguard against things that don't require user action like JavaScript exploits and drivebys, but frankly nothing will stop the user actively installing malware if they are so inclined. And I can tell you that at my shop I'd say probably 85%+ of the malware on PCs is installed by the user themselves, either by using social engineering or by offering the user something they desire, such as free porn or software. All the security in the world isn't gonna help if the source of the infection is PEBKAC.

      --
      ACs don't waste your time replying, your posts are never seen by me.
    6. Re:The real issue: by camperdave · · Score: 2

      I raise you one box that doesn't actually have any components inside it. Totally secure, it can't even be hacked with physical access to the machine!

      I have an axe that begs to differ.

      --
      When our name is on the back of your car, we're behind you all the way!
  2. Nobody should be surprised with that one by damn_registrars · · Score: 4, Insightful

    The Conficker worm exploits vulnerabilities on unpatched Windows systems. If we were instead talking about a resurgence of the "iloveyou" virus or something of that nature, that would be a surprise. But Conficker - as a worm - finds its own targets and infects on its own. And it will continue to do so as long as the writers of it find new holes to exploit in Windows.

    Just wait until Microsoft stops releasing security updates for Windows XP, then Conficker will really have a chance to run wild.

    --
    Damn_registrars has no butt-hole. Damn_registrars has no use for a butt-hole.
  3. how novel by gearloos · · Score: 4, Funny

    A link to a story ridden with popups about a worm. C'mon /. you can do better.

    --
    "Computers are a lot like Air Conditioners" "They both work great until you start opening Windows"
    1. Re:how novel by Farmer+Tim · · Score: 4, Funny

      C'mon /. you can do better.

      [citation needed]

      --
      Blank until /. makes another boneheaded UI decision.
  4. If security programs don't get it right ... by jobst · · Score: 4, Interesting

    Of course it's still a problem, especially if you read what happened to me this morning....
    Our sales director's computer (Dell) has real trouble accessing the net (very very slow) whenever he tethers his laptop with his Galaxy S. I have the same laptop and phone but use Fedora 14 and tethering gives me real good speed (considering) .... his is Win7 using Trend Micro (included when buying the Dell). When I turn Trend Micro off it performs well, loads the web pages at the same speed as mine does.

    So there would be no surprise to me if a lot of machines run without virus/internet security because those machines become a real hog/snail/whatever .... so users can't be bothered!

    --
    to code or not to code, that is the question.
  5. China loves Conficker by Anonymous Coward · · Score: 5, Interesting

    The college (part of a larger university, but separate for IT purposes) I work at in Beijing has a choice between two different free (Chinese produced) antivirus/antimalware products. The one that detects Conficker is on the computers of the people designated "sysadmins" (discussion for another day as to what qualifies as a sysadmin at this school) and any computer I am required to use as a function of my work (not including my personal notebook, which the admins aren't allowed near). The software that doesn't detect Conficker (or quite a few other 2+ year old baddies, in spite of being "up to date") is on everyone else's computer. As best as I can determine, this is to give the appearance of justifying the positions of the 5 sysadmins needed to support less than 50 computers (not including the lab computers which require minimal support because they suck so badly the students would rather go to an internet cafe to do their work, if they can't afford to use their own computers). Someone let me know when an opening at Tsinghua U. is available.

    1. Re:China loves Conficker by Kozz · · Score: 2

      ... this is to give the appearance of justifying the positions of the 5 sysadmins needed to support less than 50 computers (not including the lab computers which require minimal support because they suck so badly the students would rather go to an internet cafe to do their work, if they can't afford to use their own computers).

      I visited China a few years ago. Correct me if I'm wrong, but it certainly seems clear that it's part of the Chinese culture to prevent idle hands (for better or worse). It would seem that it is better to employ numerous individuals who each have possibly inadequate tools rather than a few with exceptional training and/or equipment -- above all, everyone's got a job, even if that job is next to mindless and minuscule, something that would never exist in the west. I get the feeling my karma will take a hit for this comment, though it's not intended to be a statement of superiority by any measure, it's just what I'd observed (and for what it's worth, nearly all the people/places I saw were wonderful).

      --
      I only post comments when someone on the internet is wrong.
  6. I confirm this by decora · · Score: 3, Interesting

    I know someone who works at a huge support center for a certain cellphone carrier. This person has informed me that they spend a good deal of their day telling people to shut off antivirus in order to get their "Modem Cards" (apparently the fashionable name amongst the masses) to work.

  7. Re:If you don't eat poo by underqualified · · Score: 2

    Do you also think that this is the greatest layout ever?

  8. Don't forget the anti-virus companies. by khasim · · Score: 2

    They have a vested interest in maintaining the status quo.

    Not to mention plain incompetence on their part. Such as McAfee mistaking a core Windows file for a "virus" last year.

  9. WGA/pirated copies of Windows by jroysdon · · Score: 2, Interesting

    One problem is the low-end users who have systems they have bought from a "friend" which turns out to have a WGA-failing pirated copy of Windows. Windows Updates refused to allow it to be patched, leaving it to sit there waiting to be infested.

    What Windows needs to do with WGA is give a grace period (60 days?) and warn that if you do not get this copy legally licensed within X days then it will stop working (just like beta demo copies). After that time, have it just start up, explain the error and shut back down after 60 seconds. Not popular, but it would keep the bad machines offline. It would force the users to either get legit Windows installs which would have patch support, and/or they'd move to Linux which would also have patch support.

    1. Re:WGA/pirated copies of Windows by Anonymous Coward · · Score: 2, Informative

      One problem is the low-end users who have systems they have bought from a "friend" which turns out to have a WGA-failing pirated copy of Windows. Windows Updates refused to allow it to be patched, leaving it to sit there waiting to be infested.

      Bzzt, Wrong.
      WGA only prevents optional updates being installed, not security patches. (It only prevents installing Internet Explorer 7/8/9, Windows Media Player 10/11, etc.) Microsoft knew that would be stupid from the beginning so they never tried it.

      They did toy with the idea of preventing Service Pack 3 from installing without WGA [but not the individual patches themselves] but I don't think they went through with that due to the outrage from the security community about how that would harm everyone else, not just the person who couldn't install it.

    2. Re:WGA/pirated copies of Windows by FreelanceWizard · · Score: 4, Informative

      This is not true.

      "The Automatic Updates feature is not affected by the WGA validation check. Therefore, you can use the Automatic Updates feature to make sure that you receive critical Windows updates."

      Only some updates are marked as "genuine only," and this doesn't include security updates (which are all critical).

      --
      The Freelance Wizard
    3. Re:WGA/pirated copies of Windows by antdude · · Score: 2

      You can still get critical updates through XP's Automatic Updates.

      --
      Ant(Dude) @ Quality Foraged Links (AQFL.net) & The Ant Farm (antfarm.ma.cx / antfarm.home.dhs.org).