The Conficker Worm is like the Paris Hilton of computer security: Famous solely for being famous. Neither has actually ever done anything of note. But, at least Paris has a sense of humor about her celebrity. Conficker just wastes people's time.
Your time and mine, for example. You're reading this because someone--not me--convinced you that Conficker matters. I am writing this because IBM has convinced me that Conficker is a wash. If it turns out differently, I'll owe the worm at apology. Paris can fend for herself.
I may host a daily call-in radio program, but I am not a conspiracy nut. Still, don't you sometimes wonder who is responsible for "threats" that develop such a high profile? I am not saying the industry that protects us against these threats might somehow be in cahoots with the people who create them. No, I am not saying that.
Conficker has once again reminded us that our systems are vulnerable and we need to invest $$$ in protection. Or has it already backfired?
Maybe Conficker will prove that what we already have works pretty well. Maybe Microsoft did a good job dealing with this threat and the anti-malware vendors likewise. Maybe Conficker will send the message that what we are doing is just fine, thank you. Spend more money to counter threats like this? Why?
Watching the news coverage as 12:01am local time on April 1 marches around the globe reminds me of the last time we did this. You remember the Y2K bug, don't you?
Back then, the world's mainframes were supposed to croak as 1999 rolled into 2000. Like today, I watched--only back then I was sitting in an emergency operations center--as countries around the global rang in the New Year with their vital infrastructure intact.
Last time, we were saved from a very real problem by a lot of recoding, necessary to work around the time/date problem. This time, we are saved from a not very significant problem by a Microsoft patch that everyone should already have had as well as wide variety of tools capable of clearing Conficker from our systems.
As I write this, Conficker seems to be passing more or less harmlessly by. The clock is actually working in our favor. IBM estimated that Asia has the largest collection of Infected-infected systems. North America about a third as many as Asia. Europe has more than we do.
If Asia and Europe survive Conficker, we don't have much to worry about. Conficker will pass from our consciousness and I won't owe the worm an apology.
If only Paris Hilton were so easy to protect ourselves against.
Wednesday, April 8, 2009
Conficker's Zero Hour Arrives Without Event -- Yet
An expected activation of the Conficker.c worm at midnight on April 1 passed without incident, despite sensationalized fears that the Internet itself might be affected, but security researchers said users aren't out of the woods yet.
"These guys have no designs, I think, on taking down the infrastructure, because that would separate them from their victims," said Paul Ferguson, a threat researcher at antivirus vendor Trend Micro, calling the technology and design of Conficker.c as "pretty much state of the art."
"They want to keep the infrastructure up and in place to make it much harder for good guys to counter and mitigate what they've orchestrated," he said.
The Worm Stirs
Conficker.c was programmed to establish a link from infected host computers with command-and-control servers at midnight GMT on April 1. To reach these control servers, Conficker.c generates a list of 50,000 domain names and then selects 500 domain names to contact. That process has started, researchers said.
Exactly how many computers are infected with Conficker.c is not yet known, but the estimated number of systems infected by all variants of the Conficker worm exceeds 10 million, making this one of the largest botnets ever seen.
While infected computers have started reaching out to command servers as expected, nothing untoward has happened.
"We have observed that Conficker is reaching out, but so far none of the servers they are trying to reach are serving any new malware or any new commands," said Toralv Dirro, a security strategist at McAfee Avert Labs, in Germany.
This may just mean the people who control Conficker are biding their time, waiting for researchers and IT managers to relax their guard and assume the worst is over.
"It would be pretty stupid for the guys running Conficker to use the first possible opportunity, when everybody is very excited about it and looking at it very carefully," Dirro said. "If something was going to happen, it would probably happen in a couple of days."
Detections, Innoculations Increase
Time is not on Conficker's side. The worm can be easily detected and removed by users. For example, if a PC is unable to reach Web sites such as McAfee.com, Microsoft.com, or Trendmicro.com that is an indication that the computer may be infected.
In addition, IT managers can easily spot traffic coming from odd domain names and block access to the computers on their company networks. "The longer criminals wait, the less infected hosts they've got," Dirro said.
Additional help comes from a loose coalition of security vendors and others called the Conficker Working Group, which has banded together to block access to domains that Conficker is trying to communicate with. But it's not immediately clear whether those efforts, which have been successful at blocking earlier versions of the worm, will be effective against the activation of Conficker.c.
"We can't really say how successful the attempts at blocking them or not routing them are," Dirro said. "That's something we'll see when the first domain actually starts serving malware, if at least one starts doing that."
Despite the uneventful passing of the activation deadline, the threat presented by Conficker remains real.
"These guys are very sophisticated, very professional, very determined and very measured in how they implement and make changes to things," Ferguson said, adding that Conficker.c is better defended and more survivable than previous versions of the worm. "This activation on April 1 was probably just arbitrary and picked to cause hysteria."
At some point, the people behind Conficker.c could try to generate revenue from the botnet they've created or they could have other intentions.
"The big mystery is that there's this big loaded gun out there, this network of millions of machines that's under the control of persons unknown," Ferguson said. "They've given no indication of what their motives are other than toying with people."
"These guys have no designs, I think, on taking down the infrastructure, because that would separate them from their victims," said Paul Ferguson, a threat researcher at antivirus vendor Trend Micro, calling the technology and design of Conficker.c as "pretty much state of the art."
"They want to keep the infrastructure up and in place to make it much harder for good guys to counter and mitigate what they've orchestrated," he said.
The Worm Stirs
Conficker.c was programmed to establish a link from infected host computers with command-and-control servers at midnight GMT on April 1. To reach these control servers, Conficker.c generates a list of 50,000 domain names and then selects 500 domain names to contact. That process has started, researchers said.
Exactly how many computers are infected with Conficker.c is not yet known, but the estimated number of systems infected by all variants of the Conficker worm exceeds 10 million, making this one of the largest botnets ever seen.
While infected computers have started reaching out to command servers as expected, nothing untoward has happened.
"We have observed that Conficker is reaching out, but so far none of the servers they are trying to reach are serving any new malware or any new commands," said Toralv Dirro, a security strategist at McAfee Avert Labs, in Germany.
This may just mean the people who control Conficker are biding their time, waiting for researchers and IT managers to relax their guard and assume the worst is over.
"It would be pretty stupid for the guys running Conficker to use the first possible opportunity, when everybody is very excited about it and looking at it very carefully," Dirro said. "If something was going to happen, it would probably happen in a couple of days."
Detections, Innoculations Increase
Time is not on Conficker's side. The worm can be easily detected and removed by users. For example, if a PC is unable to reach Web sites such as McAfee.com, Microsoft.com, or Trendmicro.com that is an indication that the computer may be infected.
In addition, IT managers can easily spot traffic coming from odd domain names and block access to the computers on their company networks. "The longer criminals wait, the less infected hosts they've got," Dirro said.
Additional help comes from a loose coalition of security vendors and others called the Conficker Working Group, which has banded together to block access to domains that Conficker is trying to communicate with. But it's not immediately clear whether those efforts, which have been successful at blocking earlier versions of the worm, will be effective against the activation of Conficker.c.
"We can't really say how successful the attempts at blocking them or not routing them are," Dirro said. "That's something we'll see when the first domain actually starts serving malware, if at least one starts doing that."
Despite the uneventful passing of the activation deadline, the threat presented by Conficker remains real.
"These guys are very sophisticated, very professional, very determined and very measured in how they implement and make changes to things," Ferguson said, adding that Conficker.c is better defended and more survivable than previous versions of the worm. "This activation on April 1 was probably just arbitrary and picked to cause hysteria."
At some point, the people behind Conficker.c could try to generate revenue from the botnet they've created or they could have other intentions.
"The big mystery is that there's this big loaded gun out there, this network of millions of machines that's under the control of persons unknown," Ferguson said. "They've given no indication of what their motives are other than toying with people."
HP Confirms Considering Android in Netbooks
Hewlett-Packard confirmed Tuesday that it is testing Google's Android operating system as a possible alternative to Windows in some of its netbook computers.
Analysts said the move would allow HP to develop a low-cost netbook optimized for wireless networks that provides access to Web-based services such as Google Docs, but others questioned whether the Google software is ready for such a task.
"Right now Android is barely finished for phones," said Avi Greengart, an analyst at Current Analysis. While it works well enough for T-Mobile's G1 smartphone, the software was released only last year and "the UI still feels half-finished," he said.
HP stressed that it was still only testing Android, an OS based on the open-source Linux kernel. It has assigned engineers to the task but has made no decision yet whether to offer Android in products, said HP spokeswoman Marlene Somsak. The news was first reported earlier Tuesday by the Wall Street Journal.
"We want to assess the capability it will have for the computing and communications industry," Somsak said. "We remain open to considering various OS options."
Netbooks are small, low-cost computers that are designed primarily for browsing the Web and doing basic computing tasks. The category has proved popular -- about 10 million netbooks shipped in 2008 and the number is expected to double this year, according to IDC.
Android was designed for mobile phones but has been seen by some others besides HP as a potential OS for netbooks. Some enthusiasts have been testing Android on netbooks such as Asustek's Eee PC, and chip makers such as Qualcomm and Freescale hope to bring Android to netbooks running on their Arm-based chips.
HP may have in mind a netbook optimized for use with Web-based services such as the Google Docs hosted applications suite and Google's online storage service, said Roger Kay, president of Endpoint Technologies Associates.
The fact that notebooks are designed to provide quick access to online services, often over wireless networks, makes them in some ways like oversized smartphones.
There are also no license fees for Android, which could allow hardware makers to offer lower-priced computers than those running Windows. However, consumers have been willing to pay extra in the past for netbooks running Windows, analysts noted.
HP already offers some PCs with a choice of Linux or Windows, and introducing another OS choice would come with some risk, said David Daoud, a research manager at IDC. Some end-users don't like Linux because they are unfamiliar with it, he said.
"We've seen a number of netbooks returned as a result of the Linux OS. Consumers are used to the Microsoft Windows world," Daoud said. Linux adoption remains weak on client computers, especially in mature markets like the U.S. and Western Europe, he noted.
Still, there may be an upside for Android if HP were to make it work in netbooks. HP's heft as the world's largest PC maker would widen Android's use, Daoud said. It could see success in emerging markets like India and China, where Linux adoption is growing.
But HP would need to deliver a consumer-friendly product that makes Linux easier to use in PCs, Daoud said.
Analysts said the move would allow HP to develop a low-cost netbook optimized for wireless networks that provides access to Web-based services such as Google Docs, but others questioned whether the Google software is ready for such a task.
"Right now Android is barely finished for phones," said Avi Greengart, an analyst at Current Analysis. While it works well enough for T-Mobile's G1 smartphone, the software was released only last year and "the UI still feels half-finished," he said.
HP stressed that it was still only testing Android, an OS based on the open-source Linux kernel. It has assigned engineers to the task but has made no decision yet whether to offer Android in products, said HP spokeswoman Marlene Somsak. The news was first reported earlier Tuesday by the Wall Street Journal.
"We want to assess the capability it will have for the computing and communications industry," Somsak said. "We remain open to considering various OS options."
Netbooks are small, low-cost computers that are designed primarily for browsing the Web and doing basic computing tasks. The category has proved popular -- about 10 million netbooks shipped in 2008 and the number is expected to double this year, according to IDC.
Android was designed for mobile phones but has been seen by some others besides HP as a potential OS for netbooks. Some enthusiasts have been testing Android on netbooks such as Asustek's Eee PC, and chip makers such as Qualcomm and Freescale hope to bring Android to netbooks running on their Arm-based chips.
HP may have in mind a netbook optimized for use with Web-based services such as the Google Docs hosted applications suite and Google's online storage service, said Roger Kay, president of Endpoint Technologies Associates.
The fact that notebooks are designed to provide quick access to online services, often over wireless networks, makes them in some ways like oversized smartphones.
There are also no license fees for Android, which could allow hardware makers to offer lower-priced computers than those running Windows. However, consumers have been willing to pay extra in the past for netbooks running Windows, analysts noted.
HP already offers some PCs with a choice of Linux or Windows, and introducing another OS choice would come with some risk, said David Daoud, a research manager at IDC. Some end-users don't like Linux because they are unfamiliar with it, he said.
"We've seen a number of netbooks returned as a result of the Linux OS. Consumers are used to the Microsoft Windows world," Daoud said. Linux adoption remains weak on client computers, especially in mature markets like the U.S. and Western Europe, he noted.
Still, there may be an upside for Android if HP were to make it work in netbooks. HP's heft as the world's largest PC maker would widen Android's use, Daoud said. It could see success in emerging markets like India and China, where Linux adoption is growing.
But HP would need to deliver a consumer-friendly product that makes Linux easier to use in PCs, Daoud said.
Friday, March 27, 2009
Will New Tracker Tools for Your Cell Phone Give You Away?
Cell phone apps like Loopt and the new Google Latitude allow you to track your friends' physical locations, and be tracked in return. That can be a huge boon for meeting up on a Friday night-and a real nightmare for privacy if proper safeguards aren't in place. (Read more on cell phone privacy.)
I checked out both applications. For starters, neither will share your location with anyone until you explicitly agree to such sharing with each individual friend. So you can install either one and see how it looks without divulging where you are.
Also, after inviting a friend to share his or her location, or being invited to do so yourself, you can go back and change the setting to stop sharing your location with a particular friend and continue sharing with others, or stop sharing with anyone.
But what happens if you set up either app to share with friends, and forget about it? Or what if someone else puts it on your phone, without your knowledge, to track you?
In what's usually seen as a limitation, the iPhone doesn't allow running programs in the background--so Loopt can't update your location unless you open the app (Google Latitude, when it becomes available for the iPhone, should work similarly).
But most other cell phone platforms allow background processes to run silently--a potential problem. Within a few days of installing Loopt, however, you'll get an SMS notice so you'll know it's there. Loopt CEO Sam Altman also says that if you don't use Loopt for a while it will automatically stop sharing your location-likely within a week of nonuse. Google Latitude will display a pop-up notification on all phones save Android-based devices (whose users will receive an e-mail, Google says), but it won't automatically shut off.
Google does let you limit sharing to only your city-level location, and in both apps you can enter a (possibly false) location for yourself.
Both Google and Loopt say they do not store historical locations, only your last location. That's important in case someone-the government, say, or a civil litigant-seeks that data. Loopt says it will share that info only under a wiretap or¬¬der. Google hasn't said it will do the same, but it does have a record of fighting government requests for its users' information.
My conclusions? Some things could be improved: First, you should be able to share your location only for a set amount of time-say, the next 2 hours, or from 6 to 9 p.m. on Fridays. Loopt says that ability will come in a future release, but Google isn't planning to announce anything along those lines.
Next, I think Google should have an auto-shutoff after a certain amount of time, in case you become forgetful. And it should explicitly declare it won't share your information without a wiretap order.
Of the two, you might try Loopt (ideally on an iPhone), since it has auto-off and will also come out with time-based controls.
But here's the kicker: As Kevin Bankston of the Electronic Frontier Foundation points out, the safeguards in place are only company policy, not a legal requirement. And policies can change.
I checked out both applications. For starters, neither will share your location with anyone until you explicitly agree to such sharing with each individual friend. So you can install either one and see how it looks without divulging where you are.
Also, after inviting a friend to share his or her location, or being invited to do so yourself, you can go back and change the setting to stop sharing your location with a particular friend and continue sharing with others, or stop sharing with anyone.
But what happens if you set up either app to share with friends, and forget about it? Or what if someone else puts it on your phone, without your knowledge, to track you?
In what's usually seen as a limitation, the iPhone doesn't allow running programs in the background--so Loopt can't update your location unless you open the app (Google Latitude, when it becomes available for the iPhone, should work similarly).
But most other cell phone platforms allow background processes to run silently--a potential problem. Within a few days of installing Loopt, however, you'll get an SMS notice so you'll know it's there. Loopt CEO Sam Altman also says that if you don't use Loopt for a while it will automatically stop sharing your location-likely within a week of nonuse. Google Latitude will display a pop-up notification on all phones save Android-based devices (whose users will receive an e-mail, Google says), but it won't automatically shut off.
Google does let you limit sharing to only your city-level location, and in both apps you can enter a (possibly false) location for yourself.
Both Google and Loopt say they do not store historical locations, only your last location. That's important in case someone-the government, say, or a civil litigant-seeks that data. Loopt says it will share that info only under a wiretap or¬¬der. Google hasn't said it will do the same, but it does have a record of fighting government requests for its users' information.
My conclusions? Some things could be improved: First, you should be able to share your location only for a set amount of time-say, the next 2 hours, or from 6 to 9 p.m. on Fridays. Loopt says that ability will come in a future release, but Google isn't planning to announce anything along those lines.
Next, I think Google should have an auto-shutoff after a certain amount of time, in case you become forgetful. And it should explicitly declare it won't share your information without a wiretap order.
Of the two, you might try Loopt (ideally on an iPhone), since it has auto-off and will also come out with time-based controls.
But here's the kicker: As Kevin Bankston of the Electronic Frontier Foundation points out, the safeguards in place are only company policy, not a legal requirement. And policies can change.
IP Issues Could Be Slowing IBM-Sun Talks, Experts Say
If IBM is in the due diligence phase of acquisition talks with Sun Microsystems, as news reports suggest, then it has an awful lot to be diligent about.
In a merger of this scale, IBM would need to take a hard look not only at Sun's finances but also at any antitrust issues that may arise, as well as potential conflicts related to intellectual property. Those could include compatibility of software licenses and patent agreements with third parties.
"In a deal of this size, there are typically lots of moving parts," said Randall Bowen, an attorney at Grad, Logan and Klewans in Falls Church, Virginia. "Think of a kaleidoscope, where you turn it and everything comes together to form a nice symmetrical shape. Either that happens and everything falls into place, or else it shatters."
The Wall Street Journal reported last Friday that IBM was scouring Sun's business contracts for potential conflicts in a prelude to a possible merger, a process it said was expected to take "a number of days." With another week over and no word about a deal from the companies, some observers are starting to wonder if there's a holdup.
"It's impossible to know what it is they're looking at, but the fact that it's taking this long gives one pause to wonder whether there's just such a volume of contracts to look at that it's occupying all this time, or whether they've found some issues that they're busily chasing down," said Steven Frank, a partner with the law firm Goodwin Procter.
To be sure, the due diligence process for a merger this size could take months to complete. But companies often do a cursory review of the business they hope to acquire in order to announce a preliminary merger agreement. They then take several months before the deal is finalized to pore over the details.
If they do plan to merge, Sun and IBM may simply be haggling over price. But if the due diligence is holding them up, the thorny area of intellectual property could create some sticking points, said Frank, who spoke about IT industry mergers in general and not specifically this one.
Both companies have vast product portfolios governed by a mix of open-source and commercial licenses. They also have numerous patent and cross-licensing deals with third parties, including a byzantine agreement that Sun forged with Microsoft in 2004 that ended a lawsuit between them over the Java software technology.
Sun may be licensing a technology from a third party that is vital to one of its products, for example, and such agreements sometimes have clauses stipulating that the license can't be transferred if the licensee is acquired. IBM would need to approach the third party to extend the license, or decide whether to go ahead with the merger even if it has to find another way to build the product.
That's the issue Intel raised about Advanced Micro Devices' sale of its manufacturing operations to an Abu Dhabi investment group. Intel accused AMD of violating a cross-patent agreement on x86 processors that could not be transferred to a third party, and the companies are in talks with a mediator to resolve the dispute.
Conflicting software licenses can also be a problem. Dozens of Sun's products, including OpenSolaris, NetBeans and its GlassFish Web software, use its Common Development and Distribution License, which is based on the open-source Mozilla Public License. Its MySQL database is offered under the GPL or a Sun commercial license, while still other products use different licenses.
Depending on what IBM has planned for Sun's technologies, the mix of licenses could be a challenge, said Randall Colson, a partner at Haynes and Boone. For example, some industry analysts speculate that IBM wants to merge the best of Solaris into IBM's AIX Unix, which is offered under an IBM commercial license. If Sun has merged a third party's open-source code into Solaris, IBM may find barriers to merging Solaris with its proprietary AIX software.
Perhaps most complex for IBM would be the intricate deal that Sun entered into with Microsoft, which ended a long-standing lawsuit between them over Microsoft's alleged attempts to undermine Java.
The deal netted Sun almost $2 billion from Microsoft, including payments of $700 million for Sun to drop its Java lawsuit, and a further $900 million for a patent-sharing agreement that could be extended for as long as 10 years. IBM, whose software business depends heavily on Java, would need to pull those agreements apart to ensure nothing could interfere with its business or expose it to legal risk from Microsoft.
With reports of the due diligence work only a week old, it would be premature to assume that any talks under way have run into trouble, Bowen said. But the longer they take, the more uncertainty it creates for the customers and investors.
"It's fair to say that with every day that passes, it makes it seem a little less likely that this deal is going to happen," he said.
In a merger of this scale, IBM would need to take a hard look not only at Sun's finances but also at any antitrust issues that may arise, as well as potential conflicts related to intellectual property. Those could include compatibility of software licenses and patent agreements with third parties.
"In a deal of this size, there are typically lots of moving parts," said Randall Bowen, an attorney at Grad, Logan and Klewans in Falls Church, Virginia. "Think of a kaleidoscope, where you turn it and everything comes together to form a nice symmetrical shape. Either that happens and everything falls into place, or else it shatters."
The Wall Street Journal reported last Friday that IBM was scouring Sun's business contracts for potential conflicts in a prelude to a possible merger, a process it said was expected to take "a number of days." With another week over and no word about a deal from the companies, some observers are starting to wonder if there's a holdup.
"It's impossible to know what it is they're looking at, but the fact that it's taking this long gives one pause to wonder whether there's just such a volume of contracts to look at that it's occupying all this time, or whether they've found some issues that they're busily chasing down," said Steven Frank, a partner with the law firm Goodwin Procter.
To be sure, the due diligence process for a merger this size could take months to complete. But companies often do a cursory review of the business they hope to acquire in order to announce a preliminary merger agreement. They then take several months before the deal is finalized to pore over the details.
If they do plan to merge, Sun and IBM may simply be haggling over price. But if the due diligence is holding them up, the thorny area of intellectual property could create some sticking points, said Frank, who spoke about IT industry mergers in general and not specifically this one.
Both companies have vast product portfolios governed by a mix of open-source and commercial licenses. They also have numerous patent and cross-licensing deals with third parties, including a byzantine agreement that Sun forged with Microsoft in 2004 that ended a lawsuit between them over the Java software technology.
Sun may be licensing a technology from a third party that is vital to one of its products, for example, and such agreements sometimes have clauses stipulating that the license can't be transferred if the licensee is acquired. IBM would need to approach the third party to extend the license, or decide whether to go ahead with the merger even if it has to find another way to build the product.
That's the issue Intel raised about Advanced Micro Devices' sale of its manufacturing operations to an Abu Dhabi investment group. Intel accused AMD of violating a cross-patent agreement on x86 processors that could not be transferred to a third party, and the companies are in talks with a mediator to resolve the dispute.
Conflicting software licenses can also be a problem. Dozens of Sun's products, including OpenSolaris, NetBeans and its GlassFish Web software, use its Common Development and Distribution License, which is based on the open-source Mozilla Public License. Its MySQL database is offered under the GPL or a Sun commercial license, while still other products use different licenses.
Depending on what IBM has planned for Sun's technologies, the mix of licenses could be a challenge, said Randall Colson, a partner at Haynes and Boone. For example, some industry analysts speculate that IBM wants to merge the best of Solaris into IBM's AIX Unix, which is offered under an IBM commercial license. If Sun has merged a third party's open-source code into Solaris, IBM may find barriers to merging Solaris with its proprietary AIX software.
Perhaps most complex for IBM would be the intricate deal that Sun entered into with Microsoft, which ended a long-standing lawsuit between them over Microsoft's alleged attempts to undermine Java.
The deal netted Sun almost $2 billion from Microsoft, including payments of $700 million for Sun to drop its Java lawsuit, and a further $900 million for a patent-sharing agreement that could be extended for as long as 10 years. IBM, whose software business depends heavily on Java, would need to pull those agreements apart to ensure nothing could interfere with its business or expose it to legal risk from Microsoft.
With reports of the due diligence work only a week old, it would be premature to assume that any talks under way have run into trouble, Bowen said. But the longer they take, the more uncertainty it creates for the customers and investors.
"It's fair to say that with every day that passes, it makes it seem a little less likely that this deal is going to happen," he said.
Fears of a Conficker Meltdown Greatly Exaggerated
Worries that the notorious Conficker worm will somehow rise up and devastate the Internet on April 1 are misplaced, security experts said Friday.
Conficker is thought to have infected more than 10 million PCs worldwide, and researchers estimate that several million of these machines remain infected. If the criminals who created the network wanted to, they could use this network to launch a very powerful distributed denial of service (DDOS) attack against other computers on the Internet.
April 1 is the day that the worm is set to change the way it updates itself, moving to a system that is much harder to combat, but most security experts say that this will have little effect on most computer users' lives.
Nevertheless, many people are worried, according to Richard Howard, director of iDefense Security Intelligence. "We have been walking customers down from the ledge all day," he said. Often, the problem has been that company executives have read reports of some April 1st incident and then proceed to "get their IT and security staffs spun up," Howard said in an e-mail interview.
That hype will probably intensify when the U.S. TV newsmagazine 60 Minutes airs a report Sunday on Conficker, entitled "The Internet is Infected."
Conficker "could be triggered, maybe on April 1st ... but no one knows whether on April 1st they'll just issue an instruction that says 'Just continue sitting there' or whether it will start stealing our money or creating a spam attack," CBS reporter Lesley Stahl said in a preview interview ahead of the show. "The truth is, nobody knows what it's doing there."
April 1 is what Conficker researchers are calling a trigger date, when the worm will switch the way it looks for software updates. The worm has already had several such trigger dates, including Jan. 1, none of which had any direct impact on IT operations, according to Phil Porras, a program director with SRI International who has studied the worm.
"Technically, we will see a new capability, but it complements a capability that already exists," Porras said. Conficker is currently using peer-to-peer file sharing to download updates, he added.
The worm, which has been spreading since October of last year, uses a special algorithm to determine what Internet domains it will use to download instructions.
Security researchers had tried to clamp down on Conficker by blocking criminals from accessing the 250 Internet domains that Conficker was using each day to look for instructions, but starting April 1, the algorithm will generate 50,000 random domains per day -- far too many for researchers to connect with.
Gradually, the Conficker network will get updated, but this will take time, and nothing dramatic is expected to happen on April 1, according to Porras, Howard, and researchers at Secureworks and Panda Security.
"There is no clear evidence that the Conficker botnet will do anything dramatic," said Andre DiMino, cofounder of The Shadowserver Foundation, a volunteer security group. "It will change its domain usage to the larger pool and may attempt to drop another variant, but so far, that's about it."
"Regular users just need to be sure they are patched and be extra diligent about possible new methods of infection."
Conficker is thought to have infected more than 10 million PCs worldwide, and researchers estimate that several million of these machines remain infected. If the criminals who created the network wanted to, they could use this network to launch a very powerful distributed denial of service (DDOS) attack against other computers on the Internet.
April 1 is the day that the worm is set to change the way it updates itself, moving to a system that is much harder to combat, but most security experts say that this will have little effect on most computer users' lives.
Nevertheless, many people are worried, according to Richard Howard, director of iDefense Security Intelligence. "We have been walking customers down from the ledge all day," he said. Often, the problem has been that company executives have read reports of some April 1st incident and then proceed to "get their IT and security staffs spun up," Howard said in an e-mail interview.
That hype will probably intensify when the U.S. TV newsmagazine 60 Minutes airs a report Sunday on Conficker, entitled "The Internet is Infected."
Conficker "could be triggered, maybe on April 1st ... but no one knows whether on April 1st they'll just issue an instruction that says 'Just continue sitting there' or whether it will start stealing our money or creating a spam attack," CBS reporter Lesley Stahl said in a preview interview ahead of the show. "The truth is, nobody knows what it's doing there."
April 1 is what Conficker researchers are calling a trigger date, when the worm will switch the way it looks for software updates. The worm has already had several such trigger dates, including Jan. 1, none of which had any direct impact on IT operations, according to Phil Porras, a program director with SRI International who has studied the worm.
"Technically, we will see a new capability, but it complements a capability that already exists," Porras said. Conficker is currently using peer-to-peer file sharing to download updates, he added.
The worm, which has been spreading since October of last year, uses a special algorithm to determine what Internet domains it will use to download instructions.
Security researchers had tried to clamp down on Conficker by blocking criminals from accessing the 250 Internet domains that Conficker was using each day to look for instructions, but starting April 1, the algorithm will generate 50,000 random domains per day -- far too many for researchers to connect with.
Gradually, the Conficker network will get updated, but this will take time, and nothing dramatic is expected to happen on April 1, according to Porras, Howard, and researchers at Secureworks and Panda Security.
"There is no clear evidence that the Conficker botnet will do anything dramatic," said Andre DiMino, cofounder of The Shadowserver Foundation, a volunteer security group. "It will change its domain usage to the larger pool and may attempt to drop another variant, but so far, that's about it."
"Regular users just need to be sure they are patched and be extra diligent about possible new methods of infection."
Friday, March 13, 2009
Microsoft Disputes Attempt to Reinstate Class in Vista Suit
Microsoft is disputing an attempt to reinstate class-action status to an ongoing lawsuit against its Windows Vista Capable sticker program, a case that threatens to drag on and is reflective of the difficulties Microsoft has encountered by releasing its disappointing Windows Vista OS.
In court papers filed in a U.S. District Court in Seattle this week, Microsoft asked the court not to reconsider applying class-action status to the suit because people knew exactly which version of Vista they would receive through a coupon program called Express Upgrade Guarantee. The program allowed customers to buy PCs with Windows XP installed on them but then upgrade to Vista when the OS was released.
Microsoft also said that the plaintiffs took too long to ask for a narrowing of the class, even based on "theories known to them for more than a year," according to court papers.
The TechFlash blog Thursday posted a link to a PDF of Microsoft's most recent filing in the case, first brought against the vendor by plaintiff Dianne L. Kelley in April 2007.
Late last month, attorneys in the case asked the court to re-establish class by narrowing the scope of who could participate in the suit. This came a week after the judge in the case granted Microsoft's motion to dismiss the suit's class-action status but allowed it to go forward with six plaintiffs.
Plaintiffs now want the judge to allow the suit to apply to anyone who purchased Windows Vista Capable PCs in Microsoft's Express Upgrade Guarantee program. The Express Upgrade Guarantee program provided coupons to people who purchased Windows Vista Capable PCs so they could upgrade to the appropriate version of Vista either for free or for little cost once the OS was made available.
The overarching claim in the suit is that Microsoft's Windows Vista Capable sticker program, which theoretically let customers know which PCs were capable of running Vista before the OS was made generally available, was an example of deceptive business practices and violated consumer protection laws.
Microsoft's hardware partners began shipping PCs with the "Windows Vista Capable" logo in April 2006. However, the designation was potentially confusing, because a PC with the label was only guaranteed to run the least expensive, most basic version of Vista.
The case is scheduled to go to trial April 13; however, in last month's filing plaintiffs asked that the judge push back the trial date in case class is reinstated to give others time to join the suit. The judge has yet to respond to that filing.
In court papers filed in a U.S. District Court in Seattle this week, Microsoft asked the court not to reconsider applying class-action status to the suit because people knew exactly which version of Vista they would receive through a coupon program called Express Upgrade Guarantee. The program allowed customers to buy PCs with Windows XP installed on them but then upgrade to Vista when the OS was released.
Microsoft also said that the plaintiffs took too long to ask for a narrowing of the class, even based on "theories known to them for more than a year," according to court papers.
The TechFlash blog Thursday posted a link to a PDF of Microsoft's most recent filing in the case, first brought against the vendor by plaintiff Dianne L. Kelley in April 2007.
Late last month, attorneys in the case asked the court to re-establish class by narrowing the scope of who could participate in the suit. This came a week after the judge in the case granted Microsoft's motion to dismiss the suit's class-action status but allowed it to go forward with six plaintiffs.
Plaintiffs now want the judge to allow the suit to apply to anyone who purchased Windows Vista Capable PCs in Microsoft's Express Upgrade Guarantee program. The Express Upgrade Guarantee program provided coupons to people who purchased Windows Vista Capable PCs so they could upgrade to the appropriate version of Vista either for free or for little cost once the OS was made available.
The overarching claim in the suit is that Microsoft's Windows Vista Capable sticker program, which theoretically let customers know which PCs were capable of running Vista before the OS was made generally available, was an example of deceptive business practices and violated consumer protection laws.
Microsoft's hardware partners began shipping PCs with the "Windows Vista Capable" logo in April 2006. However, the designation was potentially confusing, because a PC with the label was only guaranteed to run the least expensive, most basic version of Vista.
The case is scheduled to go to trial April 13; however, in last month's filing plaintiffs asked that the judge push back the trial date in case class is reinstated to give others time to join the suit. The judge has yet to respond to that filing.
Subscribe to:
Posts (Atom)