Mainstream media hype leading up to the Conficker worm’s April 1 software update may have distracted people from legitimate cyber threats, the U.S. Federal Bureau of Investigation’s head of cyber security said Thursday.
“For the general public to focus on Conficker—that’s the threat they’re worried about—I think that is actually a bit of a problem for us as a society,” said Shawn Henry, assistant director of the FBI’s Cyber Division, speaking at the RSA security conference in San Francisco Thursday. “There are dozens of Conficker-like threats and vulnerabilities out there.... while the media stories helped to raise awareness, I think that focusing people on that particular aspect, perhaps took away their attention from the overall threat, which is just as great or greater than Conficker itself.”
Although nobody knows the worm-network’s exact size, security researchers agree that Conficker is an unusually large “botnet” of hacked computers, perhaps numbering as many as 4 million machines.
However, there are many other threats on the Internet, including other, less-publicized botnet networks, fake antivirus software, and targeted “spear-phishing” attacks.
“Public awareness is wonderful,” Henry said, “but I’d like to see coverage of the entire threat vector.”
Conficker spread, in part, by exploiting a previously patched bug in Microsoft Windows. So if all the Conficker hype helped people patch their computers and get up-to-date antivirus software, then it did some good, according to Paul Ferguson a researcher with Trend Micro. However, he added, “it’s completely ludicrous to focus just on Conficker—it is just a symptom of a much larger problem,’ he said via instant message.
Conficker gained an unusual amount of attention because it was the largest worm infection in six years, and because it had been preprogrammed to change the way it looked for instructions on the Internet on several predetermined dates.
Its April 1 update was the one that caught everybody’s attention, because the worm began using very tricky update techniques on that date, precipitating speculation that the network might somehow spring to life and wreak havoc with that update.
A few days before April 1, the CBS news program 60 Minutes picked up on the story, and the Conficker became a mainstream phenomenon.
When April 1 came and went without any type of Internet meltdown, that may have created a false sense of security amongst consumers, Henry said. He summed up a typical reaction to the hype in this fashion: “I saw on the news last night and it was supposed to happen today and it didn’t. Therefore, the next time something comes out and there's an advisory I’m really not going to pay attention because it’s not all that important.’
But computer security is important. And if people were to gain a false sense of security because Conficker failed to destroy the Internet, that could be a bad thing.
“I don’t want the public to think that there's this one threat and we didn’t really see anything so we’re safe,” Henry said.