The Conficker Worm: The 60 Second Overview
Last night, CBS’ 60 Minutes featured a malware segment titled “The Conficker Worm: What Happens Next?” You can watch a copy of the segment here.
During the show, particulars concerning many different types of malware were presented as if they were somehow all related to Conficker. For example, the broadcast merged together behaviors associated with the Koobface worm, behaviors associated with SQL injection and other website compromises, and behaviors associated with keyloggers, and presented these collectively as if each were somehow related to Conficker.
In the event any of that has led to confusion or misunderstanding, here are a few clarifying points to consider.
1. The Conficker worm is an Internet/Network worm. It does not spread via compromised or ‘infected’ websites. It spreads by exploiting the Server service RPC vulnerability described in MS08-067 (patched in October 2008). In addition, Conficker (aka Downadup) also spreads via autorun and via weakly protected network shares. The autorun spread is particularly problematic given that many inaccurate assumptions about how autorun spread works, and how to stop it, still persist. For details and functional prevention, see our blog post titled Misconceptions About Autorun Worms.
2. The Conficker worm is not set to automatically detonate some time bomb on April 1st. There are multiple variants of Conficker. Each copy of the worm attempts to contact command and control for further instructions, and this checking occurs on a regular basis. Some of the less common variants happen to have a check date of April 1st, which in the U.S. happens to be April Fools’ Day; that coincidence led to some of the misunderstandings and unfortunate assumptions presented during the 60 Minutes broadcast.
3. Conficker does not spread via Facebook or any other social networking or social engineering method. As noted above, Conficker is an Internet/Network worm, not Web-delivered malware. The Facebook example provided during the 60 Minutes broadcast actually pertained to the Koobface social networking worm.
4. Conficker was originally associated with rogue affiliate advertising programs. Current variants of Conficker do not install keylogging components (although, since the worm takes instructions from command and control, this is behavior that could theoretically be instructed at some point in the future). In any event, while keyloggers are a tremendous problem resulting from Web-delivered malware, keylogging is not currently behavior associated with the Conficker worm (as the title of the 60 Minutes presentation might lead one to believe).
5. One statement that was true – “You can be infected by simply visiting your favorite Web site”. But not by Conficker. Web site compromises are used to spread the really nasty stuff – data theft trojans engaged in everything from credit card and identity theft through to corporate or political espionage and information tampering.
6. Unfortunately, the tail end of the above statement was “…or just by leaving your computer on, overnight while you sleep.” That’s a bit misleading. If your computer is vulnerable while you’re sleeping, it’s equally vulnerable while you are awake. Your biggest risk isn't from leaving your PC powered on; it's from visiting otherwise reputable websites that have been compromised.
As for Conficker, if you want to prevent that worm, install the MS08-067 patch and disable autorun the proper way. But really, while Conficker may be a very noticeable in-your-face headache, the malware we should be most concerned about is the surreptitious, and hugely increased, population of data theft trojans being delivered via compromised sites.
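To make the two host-side fixes named above (points 1 and the closing paragraph) concrete, here is an added audit-and-remediate script. It is example code written for this page, not code from the original post or from ScanSafe. Its assumptions: MS08-067 corresponds to hotfix KB958644; "disabling autorun the proper way" means setting the Explorer `NoDriveTypeAutoRun` policy to 0xFF and additionally redirecting `Autorun.inf` through the `IniFileMapping` registry key to a nonexistent location (the method US-CERT recommended in TA09-020A), because the policy value alone was not reliably honored on older Windows builds. The function names and the `-Remediate` switch are this example's own. It must be run from an elevated PowerShell 2.0 or later session, since it reads and writes HKLM.

```powershell
# Added example (not from the original post): audit a Windows host for the
# Conficker vectors an administrator controls and optionally fix them.
# Assumptions (this example's, not the page's): MS08-067 = KB958644; the
# "proper" autorun fix = NoDriveTypeAutoRun 0xFF plus the IniFileMapping
# redirect for Autorun.inf. Run elevated.
param([switch]$Remediate)

$Ms08067Kb   = 'KB958644'
$PolicyKey   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$IniMapKey   = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf'
$IniMapValue = '@SYS:DoesNotExist'   # Autorun.inf lookups are redirected to a key that does not exist

function Test-Ms08067Patch {
    # Get-HotFix queries Win32_QuickFixEngineering. A hit means the update is
    # present; a miss means "verify another way", since not every update
    # registers there (e.g. updates rolled into a service pack).
    $fix = Get-HotFix -Id $Ms08067Kb -ErrorAction SilentlyContinue
    return [bool]$fix
}

function Get-AutorunState {
    $policy = (Get-ItemProperty -Path $PolicyKey -Name NoDriveTypeAutoRun -ErrorAction SilentlyContinue).NoDriveTypeAutoRun
    $iniMap = (Get-ItemProperty -Path $IniMapKey -Name '(default)' -ErrorAction SilentlyContinue).'(default)'
    New-Object PSObject -Property @{
        NoDriveTypeAutoRun = $policy                  # bitmask of drive types; 0xFF (255) = all of them
        PolicyDisablesAll  = ($policy -eq 0xFF)
        IniFileMapping     = $iniMap
        IniMappingBlocks   = ($iniMap -eq $IniMapValue)
    }
}

function Set-AutorunDisabled {
    if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
    Set-ItemProperty -Path $PolicyKey -Name NoDriveTypeAutoRun -Value 0xFF -Type DWord
    if (-not (Test-Path $IniMapKey)) { New-Item -Path $IniMapKey -Force | Out-Null }
    # Set-Item on a registry key writes its (default) value.
    Set-Item -Path $IniMapKey -Value $IniMapValue
}

# ---- report ----
$patched = Test-Ms08067Patch
$state   = Get-AutorunState
Write-Output ("MS08-067 ({0}) present:        {1}" -f $Ms08067Kb, $patched)
Write-Output ("NoDriveTypeAutoRun = 0xFF:       {0} (value: {1})" -f $state.PolicyDisablesAll, $state.NoDriveTypeAutoRun)
Write-Output ("Autorun.inf IniFileMapping set:  {0} (value: {1})" -f $state.IniMappingBlocks, $state.IniFileMapping)

if ($Remediate) {
    if (-not ($state.PolicyDisablesAll -and $state.IniMappingBlocks)) {
        Set-AutorunDisabled
        Write-Output 'Autorun disabled via policy and IniFileMapping; log off and on (or reboot) for Explorer to pick it up.'
    }
    if (-not $patched) {
        Write-Output "Install $Ms08067Kb via Windows Update or WSUS; this script does not download or install patches."
    }
}
```

Run it without arguments to audit, and with `-Remediate` to apply the autorun changes. The third vector in point 1, weakly protected network shares, is a password-policy problem and is deliberately out of scope here: no registry setting fixes a guessable administrator password.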

Mary Landesman