The Confiker Virus hype and measures

Skywing Skywing at valhallalegends.com
Mon Mar 30 13:03:41 CDT 2009


Actually, I can't remember the last cable/DSL ISP that I had seen solicit offers for service that didn't offer some level of free bundled AV.

Most conventional AV software is oriented towards checking files for "badness" before the access is allowed, which doesn't really apply to the ms08-067 infection vector so much - at least, not in my experience with what most AV software does.  That is more the domain of signature-based IPS's.

But I think the real morale of the story is that end users want to see their computer like an every-day person sees a car: as a tool that works to get from A to B, and not what a mechanic would see a car as.  Users don't want to have to deal with the nitty-gritty details of maintenance.  Hence, why automatic updates are a good thing (*if implemented properly) in some cases (i.e. where there's no sysadmin to manage things).  The AV folk have done that for a long time and it's been reasonably well accepted.

- S

-----Original Message-----
From: Stasiniewicz, Adam <stasinia at msoe.edu>
Sent: Monday, March 30, 2009 09:11
To: nanog at nanog.org <nanog at nanog.org>; 'Gadi Evron' <ge at linuxbox.org>; 'Joe Blanchard' <jbfixurpc at gmail.com>
Subject: RE: The Confiker Virus hype and measures


To the main stream media:



Please leave your tin foil hats at the door...





To my fellow NANOGers:



I look at this virus from two perspectives.  First the home computers (and
small businesses without any real IT staff).  And second the larger
organizations with dedicated IT staff.



Home Users: Many will agree that a large percent (>50%) of home computers
are infected with some sort of malware.  Everything from tracking cookies,
to spam drones, to botnet clients.  Home users are often too cheap/lazy to
get antivirus/firewall protections.  And many are scared to get updates from
Microsoft because of some unrealized danger this might pose.



As I see it, the virus is adding at most 9(?) million to the probable 175
million (350/2
<http://en.wikipedia.org/wiki/List_of_countries_by_broadband_users> )
malware infested hosts out there. In fact, it will probably be much less
than that, as the people who are getting infected by this virus, are
probably already affected by other malware.



Everyone Else: If SQL Slammer has taught us anything, it is the importance
of patch management and firewalls.  And the unending stream of new malware
has also taught us the importance of anti-virus software.  With all the
media hype and removal tools being made, there is no good reason any IT shop
should be affected in any meaningful way.  Invariably we will hear the
stories of places that do get affected, but I doubt it will be anything
overly large.



So from a network operational perspective, unless the virus author decides
to launch a DDOS on a single target (and one is either that network or its
upstream) I predict this will have little, if any, effect.





My $0.02,

Adam Stasiniewicz





-----Original Message-----
From: Gadi Evron [mailto:ge at linuxbox.org]
Sent: Monday, March 30, 2009 7:44 AM
To: Joe Blanchard
Cc: nanog at nanog.org
Subject: The Confiker Virus hype and measures



Joe Blanchard wrote:

> Anyone have a copy of this? Would like to analyze it and understand its

> propagation.

>

> Thanks

> -Joe



I'm sure someone sent you a sample by now. As to the malware itself...



I haven't personally been following conficker as I've been busy with

other issues (as much as possible, anyway, with all the hype it's hard

to escape), but I've been asking questions. I can try and speak on the

matter from what I've learned by asking.



Conficker is a real problem, but will the world end on April Fools?



The answer I gather to be the most accurate is:

"The conficker threat will be exactly the same as it is today, on April

1st."



Perhaps putting a date on the threat makes people feel more comfortable.

What if something happens on April 3rd? Whether we would be warned or

not, we'll all likely ignore it if April 1st comes and goes quietly.



As to the unknown, the author's mind, who can really tell what they will

do come the 1st?



But some of the hype I've seen is truly ridiculous. I am sure some of

the protected hosting companies sold quite a bit with their "we defend

against conficker" products.



Is conficker a problem? Yes. Can we potentially face hardship on the

1xt? Yes. Is the rest complete bull? Yes.



      Gadi.





More information about the NANOG mailing list