I have to disagree on three points.

First, Conficker does have something relatively unique. A new way of pulling malicous code off of the internet. It automatically generates up to 50,000 urls and then goes through them all at a relatively slow rate (50,000 urls in four hours, once a day). If just a few copies of the virus can grab the malicous code using the URLs, then it will spread quickly using its p2p system.

Secondly, even if Conficker doesn't represent the state of the art viral technology (that would probably be Rutkowska's Blue Pill) it has a number of mature technologies that put together, make it extremely effective. The fact that over 10 million PCs are infected is a testament to that.

Thirdly, because the worm is so widespread, its potential damage is devastating. Its really the potential for damage that catches pop-cultures imagination.

my company became infected with conficker.c at the end of february. what followed was a week of 24-hour days by our technical teams to combat the incredibly slippery virus that mutated and adapted to every move we made.

maybe it is being overblown by the mainstream media, but it is certainly not a trifle to be downplayed. conficker.a may be 5 months old, conficker.c is not - we caught it on day zero via an american greetings ecard email that quickly overtook our email systems and confounded microsoft, mcafee, trend micro, etc. FOR A WEEK.

just keep that in mind, when you treat something so flippantly in the future.

Miztopes, who was the moron that clicked the link in the Hallmark ecard that really wasn't from Hallmark? You make it sound like an email was downloaded and all hell broke loose. That's not how it happens, it happens because some idiot was curious and clicked a link and your company didn't have its Windows updated and didn't have updated protection.

And who was the idiot in the IT department who didn't install the security patches Microsoft starting issuing in October 2008?

It's incredible that misinformation spreads so fast. Conficker might be a slippery worm indeed, but it requires complacent, lax, IT people who provided, through their own carelessness or stupidity, the merry spawning ground where conficker grows.

I'm a mere layperson, so I don't understand how or why the Conficker virus has gotten so much notoriety. From what I understand (from Wikipedia), it depends on an exploit that was fixed by an MS Windows Update that was automatically distributed to computers back in October. If that is the case, how and why are all these computers affected by a virus whose exploit was fixed before the virus achieved prime time? I can understand when Grandma doesn't activate the automatic updates, but in the 60 Minutes segment, they discussed how the CBS networks were plagued by Conficker... What are they paying the IT staff there for?

Is there some vulnerability or method of access that I don't understand? Am I incorrectly led to believe that if I religiously allow Windows to update itself that I am completely safe?

Tiagara -

To categorize IT people as lax or complacent if their systems were infected is erroneous!

I ALWAYS update all of our servers and systems with patches the very day they come out, yet our school was hit with Conficker pretty hard. The antivirus software on our servers updates hourly, our anti-spam/antivirus system updates hourly, and our firewall updates hourly - yet this virus slipped through... not a single antivirus application would remove it. The only success we had with removal was using the Microsoft Malicious Removal Tool in safe-mode.

The updates from my vendors on my firewall, my anti-spam system, and my anti-virus systems were all TOO LATE from the vendors. We were NOT infected due to being lax or complacent!

Our IT department worked around the clock to cure systems and install a better antivirus program on end-user pc's. Our diligence is what kept it from being worse, and our commitment for pulling all-nighters had nearly ALL of our users unaffected by this. I work 60 - 80 hours EVERY week!

Griffin:

OK, not lax or complacent. Just ignorant in this case. The MS patch has been available since October '08. Why didn't you know about it / apply it? That would have prevented all of your panicky repair work.

arghhh:

You've missed a HUGE part of what and how this virus spreads. This virus does NOT solely rely on the now-patched MS08-67 flaw, it has also spread using the PDF flaw that was only recently patched, and much more difficult to deploy, as well as other holes in software. The virus updates itself, spreads itself, and is highly adaptive, and stealthy.

The reporter here is following the IT industry, not the IT Security Industry. When the top professionals in the industry say "This one is different," that means that this virus is F&#(ing different! Yes it's been up-played by the media, yes, a lot of people are more concerned than they should be, but it is not a no-big-deal virus, nor is it the same sort of worm we've seen. Every worm before conficker could be cured by patching the flaw it exploits. Conficker updates itself, finds new holes, and new ways to proliferate. Conficker spreads p2p, AND http, so there is no way to truly block access to clients that have it from updating since there is about 50,000 domains it could possibly update from. Conficker is also the first virus to use reliable code-signing that prevents others from hijacking the network and making it less potent.

Highly-potent, highly-mutating, highly-contagious, highly-stealthy, highly-unpredictable. All of those spell DANGER in a way we've not seen before.

@ScottT:

My understanding is that the spread of the virus still depends on the MS08-67 flaw, it's just the vector that's used to reach the machine to implement the exploit that has changed. In addition to being an attachment in an email, Conficker can now spread using autorun on either USB drives or network shares. But that vector is only the mechanism by which the installer is sent to the target machine - the actual install still depends on the RPC vulnerability patched in MS08-67.

Additionally, Conficker, as I understand it, does not SPREAD using P2P and/or HTTP, it communicates with other infected machines those ways so it can upgrade them to the latest Conficker, and build out an infrastructure of machines that have multiple communication paths. That way, if and when someone sends a signal, there are multiple redundant communications paths the command will follow. This will make it nearly impossible for network administrators to block the commands once a single machine in their network receives it.

One caveat to this: Conficker-C can be spread in this way, but only as an UPGRADE to machines that were already infected with the -A or -B/B++ variants. Previous Conficker variants came equipped with P2P and HTTP servers, and one possible command is "upgrade yourself to this new version". But Conficker-C cannot infect a previously-Conficker-free machine that has patch MS08-67 installed.

If MS08-67/KB958644 had been installed on every XP machine in existence by, say, early December when the "Christmas Cards" started being distributed, Conficker would pretty much be nonexistent today.

Of course, the complete insanity of running every user in a given company as Administrator may also be a factor. (grumble, grumble). But I digress...

@Nate

That would be correct for Conficker.A, however, Conficker.B spreads via Admin shares, and Conficker.C also spreads via USB storage devices, so the virus is no longer constrained to the MS08-67 flaw as a means of spreading. You are correct, about it not spreading via P2P/HTTP, it is merely a method of updating itself. (I believe I meant update, but I'll just say I was wrong and admit defeat there for now.)

Patching the MS08-67 flaw is the first step. Ensuring that your users aren't super admins is the second, hardening your passwords and not using GOD as your PW is the third, and ensuring your company has a solid removable media policy is the last step.

My concern isn't so much what's going to happen on my network, it's what's going to happen with the millions of other computers that are infected. Nobody knows what they're going to do, and I hope for God's sake they don't find a new flaw we don't know about yet.

The debate that has gone on is very interesting! Where can we find the truth of it all?

Is the Conficker plague really the work of a nefarious virus adapting multiple exploits to access computers, overcoming fix after fix? Or is the truth closer to the fact that at the end of the day, despite all the vectors, this virus just boils down to a single vulnerability that was addressed back in Fall 2008?

If it is in fact the latter, the media has really done a poor job of portraying Conficker as the slippery, mutating mastermind product of evil genius. While the techniques appear to be innovative and cutting-edge, the *real* story is the failure and breakdown of IT administration and policy that essentially allowed an old and discovered vulnerability to become exploited nearly half a year later.

@NeoteriX :

Confliker has a lot of noteriety because a lot of people have pirated copies of XP. Pirated copies don't get updates. And other people simply don't turn on updates or configure it so they get to decide when updates occur. Then they never install the update.

Negligence and outright theft.

To put it simply, NeoteriX is right. Without the vulnerability, the virus would have never made it to the big-times. The mere size of the networks it infects is what truly holds it as tremendous, and the April 1st update is what has us all on the edge of our seats.
The mutating part of the virus has yet to find another "exploit" to proliferate, however, it has found social engineering means, as well as poor policy means to reproduce.
The article that Matt wrote was about how the press has done a poor job on covering what is actually happening, and he hits the head on the nail there. My original statement is that Matt also missed the nail as well. The press should cover the story, it is a newsbreaking virus. It is not mutating yet, but has that capability. The fact that it has infected somewhere near 10 million computers makes it the single largest capable botnet (it hasn't turned malicious yet, and it really hasn't accepted any commands except wait for further instructions, and update yourself) by a long shot. Dangerous botnets before were 100,000 or more machines, this thing could be a weapon, and that's why we're all worried, and the news should inform the public, because it is a problem that needs addressed...
The IT administration of most companies address patches as soon as they can, and in some cases it's too late, and some computers go rouge, and fail to update, which can turn into a hell of a problem if you have employees sharing USB keys.

With Conficker, the reality of malware seems to have finally reached critical mass within public awareness. This very well may represent a public turning point.

I have been using small computers as tools since the late 1970s. So far I have not been personally impacted by malware in any serious way.

While I do use some anti-malware products, my primary defense has been to use my own mix and match arrangements - some unix, some linux, some mac, some windows. Some of my equipment is single purpose and seldom exposed to the internet.

I tend not to rely on publicly acclaimed best practices, and I never, never, never use all M$ all the time.

Public awareness does not stop malware. The reality is that no matter how many news stories go out, no matter how many memos I send out, no matter how many times they get bitten on the ass, I still have staff who open an ecard from someone they have never heard of or open an email from a bank they don't frequent and click on a link to fix an account they don't.
The reality is that malware relies on the fact that an alarming number of people who use computers are just to stupid to do so!
Every infection I've had to deal with has been caused by someone doing something incredibly stupid.
And they aren't getting any brighter. It's incredible how many people graduate university with almost no computer skills at all.

I expect we will eventually need a government sponsored license to log on, as well as to operate an internet connection. Until then, closer supervision would seem to be in order. If employees do not have adequate skills to do it safely they shouldn't be using the equipment.

GPDahl,

Ultimately this is true, and it seems like the most virulent of infections/worms are the ones that include "social engineering". The best defenses won't work where the "Problem Exists Between Keyboard And Chair", but to merely admit defeat at this point prematurely removes responsibility from the IT department.

From the perspective of a layperson, it seems like IT policy can be improved to acknowledge and guard against "the lowest common denominator". I'm not aware of what tools exist, but it seems like simple measures like disabling autorun of any devices, removing administrative access from non-critical users, and preventing the execution of downloaded programs would go a long way towards preventing problems like this one. This isn't a personal criticism, but an observation of the problems in IT policy that this virus has brought to light.

@JimH:

I'd like to hope that this particular malware represents a "true realization" on the part of a number of consumers that malware is real and that their computers require a certain amount of maintenance and protection, just like you have to have locks on your car doors and change the oil occasionally.

But the same thing was said, a LOT, when Melissa came out, and each time a piece of malware gets "Paris Hiltoned" there's a certain amount of "yay! Now people will learn to turn on Automatic Updates and actually apply them!" Then the next piece of malware comes out and it turns out that patched machines are not vulnerable, yet there are large reported numbers of infected machines, etc etc etc... And the cycle continues. I don't see any real signs of hope it's ending.

You know, it just occurred to me.

Conficker is one of the most cleverly-written pieces of malware to date. You'd think that, once it started getting press, its authors would start using it immediately. Instead, they keep upgrading it and upgrading it and not using it at all for anything (that we know of, of course!) except to spread itself around.

It's become a media darling, yet its impact has been far less than more pervasive malware that's been around a lot longer and has done far more damage.

Why is that?

Could it be that the authors of Conficker have no real goal in mind for Conficker than to panic people into being aware that threats are out there? Could Microsoft themselves have written something like this to tell people to finally stop disabling Automatic Updates unless they know what the hell they are doing?

Microsoft has their share of blame in the whole debacle, though. Why am I getting yet ANOTHER "Windows Genuine Advantage" "Upgrade" in this month's batch? I bought the damned thing, already. WGA is not, repeat NOT, a "critical update". Pirates simply don't load it, so shoving it off on paying customers only encourages people to disable Automatic Updates as a whole, which makes Microsoft product look slightly worse than it really is.

Of course, that's all just paranoid delusion. The real fact is that Conficker is the first iteration of Skynet, or a new electronic life form that we must immediately declare an endangered species so we can ban virus protection and send millions of dollars to Microsoft to protect its natural habitat, which is crappy computer code.