I’d like your opinion on whether we need to be doing anything in particular in relation to the Conficker worm. Is it anything you guys are concerning yourself with?
— my former manager in an email
I am honestly surprised at the coverage that the Conficker worm (aka Downadup or a few other names) is receiving.
It is a serious problem, and worthy of attention. So is any other worm. Its original form exploited a brutal vulnerability in Windows, one of those “here, kind sir attacker, I place all my resources at your disposal, please treat me gently” sorts of problems, and it exploited the problem fairly well, generating millions of infections.
But that vulnerability was fixed in October 2008. On our campus it could have been bad; in January I found nearly 200 machines lacking the MS08-067 patch. With some aggressive scanning and network disconnects, we had that number down to a handful of isolated machines by the time MS09-001 came out. We saw 0 Conficker infections, despite security policies and management attitudes that a pessimist would say haven’t changed much after we got absolutely hammered by Code Red and Slammer. Two years ago, Storm was a genuine problem on campus, and every day we get dozens of notifications of one security issue or another.
This is not to say that our experiences with Conficker mirror those of the entire outside world. China’s apparent infection numbers are a full order of magnitude greater than any North American or European country. Brazil and Russia have been vulnerable as well. But the North American press is approaching this as an apocalypse, when the figures just aren’t there to back this up: total US, Canadian, and Mexican infections are less than half of Russia’s.
Worldwide problem? Yes.
Serious issue? Yes. It’s a worm, but one whose spread is mitigated by proper patching.
Problem for my co-workers? Not really. Keep pushing and improving your security policies, and you’ll be all right.
References, in increasing order of technical complexity:
Verizon Business Security
SRI International writeup