March 05, 2009, 3:44 PM — Don't get Patrik Runald wrong: the Downadup worm (also called Conficker) has been a big deal.
It's just that F-Secure's chief security advisor doesn't want people overlooking the other 29,999 malware files his company sees a day, or ignoring the prospects of smart phone malware or even threats that exploit the TinyURLs made so popular through social network sites such as Twitter.
"Holes in some of these things would be trivial for the bad guys to exploit once they have the financial incentive to do it," says Runald, who works out of F-Secure's San Jose operation.
But first, back to Downadup. Runald claims F-Secure was the first one to really recognize how big a deal this worm was going to be and got the honor of naming it, though others wound up giving it separate monikers, including Kaspersky Lab, which dubbed it Kido. In recent weeks, conflicting reports have surfaced about how big an impact Downadup had on enterprise networks, but Runald emphasizes it made a mess of things. His company talked with IT staffs at hospitals that had "fairly critical infrastructure" affected by the worm. One company had 3,000 accounts shut out by the worm, which locked files so that only the system account could get at them.
Downadup does seem to have leveled off in terms of affected IP addresses per day, currently in the 3 million ballpark whereas it had peaked at somewhere in the 10 million to 15 million range, Runald says. He doesn't expect the perpetrators to distribute a feared payload either now that all eyes are on the worm.
"I think the person or people behind it got kind of scared that it got as big as it did," he says. "Distributing the payload now would put too much heat on them."
Still, Runald says it's puzzling that the Downadup creator or creators didn't strike when they could, with access to information on millions of enterprise machines. He says the worm has worked amazingly well considering how multifeatured/complex it is. "Typically we see more bugs in code this complicated," he says.
Despite the formation of an industry coalition that F-Secure is part of to quash Downadup, and Microsoft's much publicized US$250,000 bounty on the head or heads of the worm's creators, Runald doesn't expect the villain or villains will be nabbed. While the bounty can't hurt, he says the reality is that anyone who could provide information about those behind Downadup probably is deep into cybercrime themselves and wouldn't want the heat from law enforcement. "$250,000 is not a lot compared to what some of these groups are making," he says.
Downadup/Conficker has received more mainstream media attention than any such worm since Sasser back in 2004, Runald says. One silver lining is that the coverage could be a wake-up call to consumers (he says enterprises are already pretty well aware of continuing threats). "A lot of consumers think the situation has been getting better, whereas in fact we've found 14 million malware samples over the last 12 months, so it's actually getting far worse."
Mobile malware threat
The next frontier for malware writers could be smart phones, though Runald says there aren't many signs of growth yet. F-Secure has been anticipating trouble on the mobile front for years, having delivered its first product in this particular market back in 2001, three years before the first mobile malware was found (with headquarters in Finland about a mile from those of handheld market leader Nokia, this comes as little surprise). To date, about 420 mobile threats have surfaced, Runald says.
He credits efforts made by Symbian to shore up its mobile operating system with dissuading malware writers given that the OS is so prevalent on Nokia phones. It was only last month that the first Symbian S60 3rd edition malware was spotted.
More so than worms or viruses, the big threat on mobile devices today is spyware, Runald says. He sites a program called Flex-iSpy out of Bangkok that purports to be a backup tool as being a particular troublemaker, though notes it does require physical access to the device to load it. F-Secure plans to show how a spyware program looks like on an iPhone at the CTIA Wireless conference in Las Vegas in April.
What spooks Runald going forward is that unlike more mature mobile OSes from Microsoft and Symbian that were built from the ground up for use in phones, those from the likes of Apple and Google are derived from more general OSes. The Linux kernel, at the heart of Google Android, has its share of vulnerabilities and comes packed with features that aren’t necessarily needed in a mobile device, such as telnet access (not to say Linux isn’t maturing as well, he adds).
"In a way, we've already seen more serious vulnerabilities in the iPhone in a year and a half than we've seen in the whole life of Symbian and Windows mobile OSes," Runald says. "It shows the difficulty of squeezing these operating systems into small phones and making sure you only have the necessary parts that are required for the phone to work."
Runald has similar concerns about new mobile browsers. But given that smart phone-based Web browsing -- and in particular mobile electronic commerce -- is in its early stages still, malware writers haven't had much incentive to strike.
Runald says he is encouraged that enterprise IT staffs are getting out in front of mobile phone threats. "It's not going to be like it was for laptops," he says. "Up until Blaster and Sasser, how many people used laptops without a firewall? Pretty much everyone."
Social network security dangers
One other security hot button for Runald is social network malware threats, and he cautions in particular about the potential for malware writers to exploit shortened URLs such as the TinyURLs commonly used to squeeze down Twitter messages to 140 characters.
The problem is that many users can eyeball a regular URL these days and have a sense of whether it might be bogus. Not so with TinyURLs, which appear as more random collections of letters and digits and could be used to hide links to spam or malware even though TinyURL expressly prohibits this.
"It would be trivial for the bad guys to use these," he says. "We've only found one example of malware so far, back in October and mainly targeted at Brazil, though it was still active earlier this week. We got a hold of TinyURL and they closed it down."