How do you nuke a worm? That was the question posed by the Conficker Working Group, which from late 2008 until mid-2009 explored a variety of techniques for stopping the Conficker worm, which by some estimates infected 15 million computers at its peak.
On Monday, the Rendon Group released a report, funded by the Department of Homeland Security, rounding up the 15-person-strong working group's "lessons learned." The report highlighted the group's biggest achievement: "preventing the author of Conficker from gaining control of the botnet." Doing so, however, required coordinating with organizations in more than 100 countries to block the more than 50,000 domains per day generated by the Conficker C worm.
The group's legacy includes processes for coordinating with the Internet Corporation for Assigned Names and Numbers (ICANN) and country code top-level domains (ccTLDs), the report said. "Without these organizations, the group would have been able to do little to scale the registration of international domains to block Conficker C from using domains to update."
That level of coordination grew out of security researchers' need for a longer-term approach to containing the worm and preventing similar outbreaks in the future. Initially, for example, "several researchers were paying for and registering the vulnerable domains by hand, one by one," said the report. That was made possible by reverse-engineering Conficker's domain creation algorithm, including the dates on which the malware would begin attempting to contact specific domains. Other researchers, meanwhile, accessed botnet data and created "sinkholes" for studying the malware's spread and scope.
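The defensive workflow the report describes (reverse-engineer the date-driven domain algorithm, compute the upcoming domains in advance, register or block them, and watch DNS traffic for infected hosts reaching for them) is shown below as an added example. It is not code from the report, the working group or the worm: `toy_dga` is a hypothetical date-seeded generator standing in for the real algorithm, the TLD set and the `<timestamp> <client_ip> <qname>` log format are assumptions, and the sample DNS log lines are constructed.

```python
import hashlib
from datetime import date, timedelta

# Hypothetical TLD set; the real worm's TLD list is not on the page.
TLDS = ("com", "net", "org", "info", "biz")


def toy_dga(day: date, count: int, seed: str = "toy-seed") -> list[str]:
    """Stand-in for a reverse-engineered DGA: deterministic from the calendar date.

    Real algorithms differ in detail, but the defender-relevant property is the
    same: once the algorithm is known, tomorrow's domains can be computed today.
    """
    domains = []
    for i in range(count):
        digest = hashlib.sha256(f"{seed}|{day.isoformat()}|{i}".encode()).digest()
        label = "".join(chr(ord("a") + b % 26) for b in digest[:8])
        tld = TLDS[digest[-1] % len(TLDS)]
        domains.append(f"{label}.{tld}")
    return domains


def build_blocklist(start: date, days_ahead: int, per_day: int) -> dict[str, date]:
    """Precompute the domains for a window of days, mapping domain -> activation date.

    This is the list a registrar or ccTLD would be asked to register or block ahead
    of time, so the worm never finds a live update server on those names.
    """
    blocklist: dict[str, date] = {}
    for offset in range(days_ahead):
        day = start + timedelta(days=offset)
        for domain in toy_dga(day, per_day):
            blocklist[domain] = day
    return blocklist


def flag_queries(log_lines: list[str], blocklist: dict[str, date]) -> list[tuple[str, str, date]]:
    """Match DNS query names against the precomputed list.

    Each line is assumed to be '<timestamp> <client_ip> <qname>' (constructed format).
    Returns (client_ip, qname, activation_date) per hit: the hosts that would land
    in a sinkhole once defenders hold the registrations for those domains.
    """
    hits = []
    for line in log_lines:
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines rather than abort the sweep
        _ts, client, qname = parts
        qname = qname.rstrip(".").lower()  # normalise trailing dot and case
        if qname in blocklist:
            hits.append((client, qname, blocklist[qname]))
    return hits


# Constructed sample data: a three-day window starting 1 April 2009 (illustrative date).
START = date(2009, 4, 1)
BLOCKLIST = build_blocklist(START, days_ahead=3, per_day=5)
TODAYS_DOMAINS = toy_dga(START, 5)
SAMPLE_DNS_LOG = [
    f"2009-04-01T03:14:07Z 10.0.0.12 {TODAYS_DOMAINS[0]}.",
    "2009-04-01T03:14:09Z 10.0.0.12 www.example.com.",
    f"2009-04-01T03:15:01Z 10.0.0.37 {TODAYS_DOMAINS[3]}",
    "2009-04-01T03:15:02Z 10.0.0.37 malformed",
]

if __name__ == "__main__":
    for client, qname, when in flag_queries(SAMPLE_DNS_LOG, BLOCKLIST):
        print(f"{client} looked up {qname} (DGA domain for {when})")
```

The useful property is in `build_blocklist`: because the generator is a pure function of the date, a defender can produce the list for any future day before the malware does, which is what lets registration scale from hand-registering domains one by one to handing ccTLDs a precomputed list. The real worm produced tens of thousands of names per day, so the per-day count here is kept small only for readability.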
While some security industry watchers predicted that Conficker would cause massive damage, in fact the botnet never appeared to do anything more than serve scareware. Why is that? "It is likely that the Conficker Working Group effort to counter the spread did make it more difficult for the author to act with impunity, but the author did not seem to have tried his or her hardest," said the report. "It is possible the level of attention given to the malware scared off the author. It is also possible the author is waiting for a later date or is waiting for someone to pay for the use of the botnet."
While the Conficker Working Group doesn't plan to tackle any new worms, its members "continue to block tens of thousands of domains per day," said the report.