Are We Getting Con-Ficked?

Conficker, the super virus that was going to bring down the Interweb, seems to have flopped -- unless, in true horror film tradition, it isn't really dead.

Michael Hickins, Contributor

April 2, 2009

3 Min Read

Conficker was supposed to cause 50,000 PCs around the world to rise up against their human masters on April 1, and since that failed to happen, has been called a hoax and "much ado about nothing."

But neither could be further from the truth. The likes of Ron Rivest and SRI International, which specializes in cybersecurity research, don't work feverishly through the night to find a fix for a figment of someone's imagination.

But Conficker also raises the question of whether an entire anti-virus industry isn't profiting from periodic scares of this kind. It sure isn't making money by actually solving the problem, and it's not for lack of resources or brains. Conficker is a clever bug for sure, but it wasn't created by evil super-geniuses from another planet.

In fact, while the bug has some innovative features, it relies on a well-known vulnerability, the buffer overflow, to infect computers.

I spoke to one security vendor, Comodo, whose CEO claims that none of his customers have been infected. Melih Abdulhayoglu claims anti-virus makers can't say the same because their protections allow all programs to execute their code by default; they're only stopped if they're on a blacklist.

Comodo blocks all programs by default, and forces users to allow them to execute. Comodo also uses heuristics -- essentially, behavioral analysis -- to detect when a program is behaving abnormally, and blocks it on the spot. A buffer overflow would fall into that category.

The reason anti-virus vendors like McAfee, Symantec and Trend Micro can't stop it is because they rely on reactive techniques: they identify a bug, create a signature, and then send the signature to their customers so they can prevent the bug from coming in.
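The two models described above, as an added illustration that is not part of the original column and not code from Comodo or any other vendor: a signature (deny-list, default-allow) policy beside a default-deny (allow-list) policy, replayed over constructed execution attempts. The program names, hashes, the three-day signature lag and the "repacked" copy are all made-up assumptions for the simulation.

```python
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Program:
    name: str
    content: bytes  # constructed stand-in for the executable's bytes

    def digest(self) -> str:
        return hashlib.sha256(self.content).hexdigest()


def blacklist_policy(prog: Program, signatures: set) -> str:
    """Signature model: everything runs unless its hash is on the list."""
    return "block" if prog.digest() in signatures else "allow"


def default_deny_policy(prog: Program, allowlist: set) -> str:
    """Default-deny model: only known-good hashes run; anything else is
    stopped and the user is asked (the friction the column talks about)."""
    return "allow" if prog.digest() in allowlist else "block"


# Constructed sample programs (hypothetical, not real binaries).
NOTEPAD = Program("notepad.exe", b"trusted editor build 1")
WORM = Program("worm.exe", b"unknown worm sample A")
WORM_REPACKED = Program("worm2.exe", b"same worm, repacked B")

ALLOWLIST = {NOTEPAD.digest()}
SIGNATURE_LAG_DAYS = 3  # assumed days until a signature for WORM ships

# Execution attempts on one machine: (day, program)
ATTEMPTS = [(0, NOTEPAD), (0, WORM), (1, WORM), (3, WORM), (4, WORM_REPACKED)]


def simulate(attempts=ATTEMPTS, lag=SIGNATURE_LAG_DAYS):
    """Replay attempts day by day. The signature list only learns WORM's
    hash on day `lag`; the repacked copy has a different hash and never
    matches, while the allow list blocks both from day 0."""
    results = []
    for day, prog in attempts:
        signatures = {WORM.digest()} if day >= lag else set()
        results.append((day, prog.name,
                        blacklist_policy(prog, signatures),
                        default_deny_policy(prog, ALLOWLIST)))
    return results


if __name__ == "__main__":
    print("day  program      signature  default-deny")
    for day, name, sig, dd in simulate():
        print(f"{day:>3}  {name:<12} {sig:<10} {dd}")
```

The replay shows the window the column is describing: the signature model allows the unknown program until the signature arrives, and allows the repacked copy even afterwards, while default-deny blocks both from the start at the cost of prompting for anything not already trusted.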

It's a bit like faxing over a picture of Keyser Soze to the police station once he's left the building, or a photograph to border security after the terrorist has already gone through customs. It's too late.

Why don't anti-virus vendors adopt the same default-deny technique as Comodo? Abdulhayoglu refused to speculate about his competitors, but I will.

One thing I think is that vendors know that users simply won't tolerate any kind of friction. If I have to wait fifteen seconds for a program to load because of a security check then, doggone it, I'm going to turn it off.

The other reason? As I said earlier, having some super bug out there doesn't hurt sales. That might sound a little like blaming the pharmaceutical industry for an outbreak of Ebola, but at least the health care system does manage to show progress from time to time.

Which brings me to another thing: whoever named it Conficker is a marketing genius. I haven't heard a name that menacing since Lex Luthor.
