The Agency Insider with Linda McGlasson

Worm To Deliver April Fool's Day Surprise?


This is something that used to really get me going as an information security practitioner. Someone would forward me (and everyone else they knew) an email that had the most dire of warnings - "EMAIL VIRUS WILL WIPE YOUR HARD DRIVE - Do not open !!!"

This email would include everyone on the person's address list -- friends, relatives, coworkers, bowling league, quilting club, (you name it) would be cc'd on the email. It would land in my inbox with almost a perceptible plop amid more important emails from my boss or updates from operations on testing dates and server update times.

The considerate person would add their two cents by adding a comment like, "Joe Smith from my bowling league sent this to me. I wanted to make sure you knew about it and were aware it could happen to you."

My coworkers, also in information security, were usually also cc'd on this email. We all would collectively sigh and one of us would say, "Okay, who is sending the email explanation this time?" We had developed a standard email response to these "Chicken Little" emailing employees. The email would gently and with as much warmth as possible tell them they were wrong to forward an email they didn't confirm as being true. We'd also add a line about use of corporate email and then give them some places to check out the truthfulness of the email claim and how to respond to people that send them emails like that one in the future.

This line of action was great if the email wasn't true. Many of the scariest virus warnings floating around the Internet were just the opposite. These emails are considered a type of urban legend, and the long list of Internet hoaxes had its origins almost at the beginning of the Internet. Virus hoaxes were no different. For a history of Internet hoaxes and fake virus warnings, see www.snopes.com. Anyone (think of your well-meaning cousin/relative) who sends emails about Internet virus warnings should check this site before sending a blast email to everyone they know.

Now comes the hard question: What if the email contains something that is true or at least has some truth to it? An email I got last week was one of those types of emails. A friend sent me a warning about a greeting card/postcard email that I may get on April 1. He warned me not to open anything that had a greeting card/postcard type of attachment, even if it was from someone I knew.

What my friend was referring to was the Conficker C worm, which has been making the headlines in computer tech publications since January, as its known infections topped more than 9 million computers around the globe. Microsoft put a $250,000 bonus on the author's head, and security experts are in a race to find the source or author of the worm before it launches. What is Conficker C's launch date? You guessed it, April Fool's Day -- April 1.

Conficker C is seen by security experts as having some pretty nasty abilities. What the worm is expected to do on April 1 is launch a control code to bring all of the infected computers under the control of a master that is somewhere out on the Internet. After that, all bets are off -- what direction it will take is up to the master machine. Those 9 million plus computers could do anything: steal personal information, wipe hard drives clean, launch denial-of-service attacks, or try to sell the owner fake security software.

Security experts and researchers are busy hunting for the worm's origin and author, and are saying it is a clever worm that hides its tracks by using a huge number of URLs to talk to its owner. The first version of the worm used 250 addresses a day, a number easily disabled by researchers and ICANN. But the number Conficker C will use is estimated to be 50,000 addresses a day, a number not easily stopped by disabling individual URLs.
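Because a list of 50,000 new addresses a day cannot be blocked entry by entry, defenders can instead watch their own DNS resolver for the lookup pattern. The Python example below is added here and is not from the original post; the log format, the sample lines and the thresholds are constructed, and it assumes that most of the names an infected machine tries are unregistered and therefore fail to resolve.

```python
from collections import defaultdict

# Constructed resolver log lines: "<date> <client> <queried name> <rcode>".
SAMPLE_LOG = """\
2009-04-01 10.0.0.5 www.example.com NOERROR
2009-04-01 10.0.0.5 mail.example.com NOERROR
2009-04-01 10.0.0.5 intranet.example.com NOERROR
2009-04-01 10.0.0.5 wwww.example.com NXDOMAIN
2009-04-01 10.0.0.9 www.example.com NOERROR
2009-04-01 10.0.0.9 qjxkvbtz.example NXDOMAIN
2009-04-01 10.0.0.9 hpwmzrlc.example NXDOMAIN
2009-04-01 10.0.0.9 tzbnqyod.example NXDOMAIN
2009-04-01 10.0.0.9 vkfjsuxe.example NXDOMAIN
2009-04-01 10.0.0.9 mdlgawpi.example NXDOMAIN
2009-04-01 10.0.0.9 mdlgawpi.example NXDOMAIN
malformed line
"""

def summarize(log_text):
    """Map (date, client) -> distinct names that resolved and that failed."""
    stats = defaultdict(lambda: {"ok": set(), "failed": set()})
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed or truncated records
        date, client, name, rcode = parts
        bucket = "failed" if rcode == "NXDOMAIN" else "ok"
        # Normalise case and trailing dot so repeats count once.
        stats[(date, client)][bucket].add(name.lower().rstrip("."))
    return stats

def flag_hosts(log_text, min_failed=5, min_ratio=0.8):
    """Return {(date, client): distinct_failed} for hosts over both thresholds.

    Thresholds are illustrative assumptions; tune them against a baseline.
    """
    flagged = {}
    for key, s in summarize(log_text).items():
        failed = len(s["failed"])
        total = failed + len(s["ok"])
        if failed >= min_failed and failed / total >= min_ratio:
            flagged[key] = failed
    return flagged

if __name__ == "__main__":
    for (date, client), n in sorted(flag_hosts(SAMPLE_LOG).items()):
        print(f"{date} {client}: {n} distinct names failed to resolve")
```

A single mistyped address, like the one from 10.0.0.5 in the sample, stays below both thresholds, while the host cycling through many distinct failing names is flagged for follow-up with a scanner.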

Some advice to institutions and their customers: In the coming days, use extra vigilance in updating computer software. Get all your patches done now, and make sure all anti-virus software is updated with the latest signatures. If your institution has a security alert capability for your customers, give them a "heads up" on this worm. Microsoft is offering a free online safety scan (http://onecare.live.com/site/en-us/default.htm) that should detect any Conficker versions on a computer.



About the Author

Linda McGlasson


Managing Editor

Linda McGlasson is a seasoned writer and editor with 20 years of experience in writing for corporations, business publications and newspapers. She has worked in the Financial Services industry for more than 12 years. Most recently Linda headed information security awareness and training and the Computer Incident Response Team for Securities Industry Automation Corporation (SIAC), a subsidiary of the NYSE Group (NYX). As part of her role she developed infosec policy, developed new awareness testing and led the company's incident response team. In the last two years she's been involved with the Financial Services Information Sharing Analysis Center (FS-ISAC), editing its quarterly member newsletter and identifying speakers for member meetings.



