Conficker Group Offers Roadmap For Stopping Worm

Security researchers detail the high level of international coordination required to hinder the worm's spread.


How do you nuke a worm? That was the question posed by the Conficker Working Group, which from late 2008 until mid-2009 explored a variety of techniques for stopping the Conficker worm, which by some estimates infected 15 million computers at its peak.

On Monday, the Rendon Group released a report, funded by the Department of Homeland Security, rounding up the 15-person-strong working group's "lessons learned." The report highlighted the group's biggest achievement: "preventing the author of Conficker from gaining control of the botnet." Doing so, however, required coordinating with organizations in more than 100 countries to block the more than 50,000 domains per day generated by the Conficker C worm.

The group's legacy includes processes for coordinating with the Internet Corporation for Assigned Names and Numbers (ICANN) and country code top-level domains (ccTLDs), the report said. "Without these organizations, the group would have been able to do little to scale the registration of international domains to block Conficker C from using domains to update."

That level of coordination was created by security researchers needing a more long-term approach to containing the worm, as well as preventing similar outbreaks in the future. Initially, for example, "several researchers were paying for and registering the vulnerable domains by hand, one by one," said the report. That was made possible by reverse-engineering Conficker's domain generation algorithm, including the dates on which the malware would begin attempting to contact specific domains. Other researchers, meanwhile, accessed botnet data and created "sinkholes" for studying the malware's spread and scope.
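The defender-side workflow the report describes, as an added example that is not from the article or the Conficker Working Group: a constructed, date-seeded domain generation algorithm (deliberately not Conficker's real algorithm, seed, or TLD list) stands in for the reverse-engineered one, each day's domain set is precomputed so it can be registered, sinkholed, or passed to registrars for blocking, and DNS queries are matched against that set; the log format and the `toy_dga`, `precompute_blocklist` and `flag_dga_lookups` names are assumptions.

```python
import hashlib
from datetime import date, timedelta

TLDS = ("com", "net", "org")  # constructed; not Conficker's real TLD list


def toy_dga(day_iso: str, count: int, seed: bytes = b"toy-seed") -> list[str]:
    """Constructed date-seeded DGA (not Conficker's). The same day and seed
    always yield the same ordered list, which is what lets defenders who have
    reverse-engineered the algorithm enumerate the domains in advance."""
    state = hashlib.sha256(seed + day_iso.encode()).digest()
    domains = []
    for _ in range(count):
        state = hashlib.sha256(state).digest()  # hash chain drives each domain
        label = "".join(chr(ord("a") + b % 26) for b in state[:10])
        domains.append(f"{label}.{TLDS[state[10] % len(TLDS)]}")
    return domains


def precompute_blocklist(start_iso: str, days: int, per_day: int) -> dict[str, set[str]]:
    """Defender step: enumerate each day's domains ahead of time so they can be
    registered, sinkholed, or handed to registrars and ccTLDs for blocking."""
    start = date.fromisoformat(start_iso)
    blocklist = {}
    for d in range(days):
        day_iso = (start + timedelta(days=d)).isoformat()
        blocklist[day_iso] = set(toy_dga(day_iso, per_day))
    return blocklist


def flag_dga_lookups(dns_log: list[str], blocklist: dict[str, set[str]]) -> list[tuple[str, str]]:
    """Detection step: match each DNS query against the precomputed set for the
    day it was made. Constructed log format: '<ISO timestamp> <client> <qname>'."""
    hits = []
    for line in dns_log:
        ts, client, qname = line.split()
        if qname.lower().rstrip(".") in blocklist.get(ts[:10], set()):
            hits.append((client, qname))
    return hits


if __name__ == "__main__":
    bl = precompute_blocklist("2009-04-01", days=2, per_day=100)
    # Constructed DNS log: one lookup hitting the day's DGA set, one benign.
    log = [
        f"2009-04-01T03:12:07 10.0.0.5 {toy_dga('2009-04-01', 1)[0]}",
        "2009-04-01T03:12:09 10.0.0.7 example.org",
    ]
    print(flag_dga_lookups(log, bl))
```

Scaling this to the 50,000 domains per day the article cites is purely a matter of `per_day`; the hard part the working group faced was the registrar and ccTLD coordination, not the enumeration.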

While some security industry watchers predicted that Conficker would cause massive damage, in fact the botnet never appeared to do anything more than serve scareware. Why is that? "It is likely that the Conficker Working Group effort to counter the spread did make it more difficult for the author to act with impunity, but the author did not seem to have tried his or her hardest," said the report. "It is possible the level of attention given to the malware scared off the author. It is also possible the author is waiting for a later date or is waiting for someone to pay for the use of the botnet."

While the Conficker Working Group doesn't plan to tackle any new worms, its members "continue to block tens of thousands of domains per day," said the report.
