Downadup: Expert worries about smart phone, TinyURL threats

Malware writers just waiting for financial incentive to strike, F-Secure exec warns.

Don't get Patrik Runald wrong: the Downadup worm (also called Conficker) has been a big deal.

It's just that F-Secure's chief security advisor doesn't want people overlooking the other 29,999 malware files his company sees a day, or ignoring the prospects of smart phone malware or even threats that exploit the TinyURLs made so popular through social network sites such as Twitter.

"Holes in some of these things would be trivial for the bad guys to exploit once they have the financial incentive to do it," says Runald, who works out of F-Secure's San Jose operation.

But first, back to Downadup. Runald claims F-Secure was the first one to really recognize how big a deal this worm was going to be and got the honor of naming it, though others wound up giving it separate monikers, including Kaspersky Lab, which dubbed it Kido. In recent weeks, conflicting reports have surfaced about how big an impact Downadup had on enterprise networks, but Runald emphasizes it made a mess of things. His company talked with IT staffs at hospitals that had "fairly critical infrastructure" affected by the worm. One company had 3,000 accounts shut out by the worm, which locked files so that only the system account could get at them.

Downadup does seem to have leveled off in terms of affected IP addresses per day, currently in the 3 million ballpark whereas it had peaked at somewhere in the 10 million to 15 million range, Runald says. He doesn't expect the perpetrators to distribute a feared payload either now that all eyes are on the worm.

"I think the person or people behind it got kind of scared that it got as big as it did," he says. "Distributing the payload now would put too much heat on them."

Still, Runald says it's puzzling that the Downadup creator or creators didn't strike when they could, with access to information on millions of enterprise machines. He says the worm has worked amazingly well considering how feature-rich and complex it is. "Typically we see more bugs in code this complicated," he says.

Despite the formation of an industry coalition that F-Secure is part of to quash Downadup, and Microsoft's much publicized US$250,000 bounty on the head or heads of the worm's creators, Runald doesn't expect the villain or villains will be nabbed. While the bounty can't hurt, he says the reality is that anyone who could provide information about those behind Downadup probably is deep into cybercrime themselves and wouldn't want the heat from law enforcement. "$250,000 is not a lot compared to what some of these groups are making," he says.

Downadup/Conficker has received more mainstream media attention than any such worm since Sasser back in 2004, Runald says. One silver lining is that the coverage could be a wake-up call to consumers (he says enterprises are already pretty well aware of continuing threats). "A lot of consumers think the situation has been getting better, whereas in fact we've found 14 million malware samples over the last 12 months, so it's actually getting far worse."

Mobile malware threat

The next frontier for malware writers could be smart phones, though Runald says there aren't many signs of growth yet. F-Secure has been anticipating trouble on the mobile front for years, having delivered its first product in this particular market back in 2001, three years before the first mobile malware was found (with headquarters in Finland about a mile from those of handheld market leader Nokia, this comes as little surprise). To date, about 420 mobile threats have surfaced, Runald says.

He credits efforts made by Symbian to shore up its mobile operating system with dissuading malware writers given that the OS is so prevalent on Nokia phones. It was only last month that the first Symbian S60 3rd edition malware was spotted.

More so than worms or viruses, the big threat on mobile devices today is spyware, Runald says. He cites a program called FlexiSPY out of Bangkok that purports to be a backup tool as a particular troublemaker, though he notes it requires physical access to the device to load it. F-Secure plans to show what a spyware program looks like on an iPhone at the CTIA Wireless conference in Las Vegas in April.
