With Global Effort, a New Type of Worm is Slowed

There have been big computer worm outbreaks before, but nothing quite like Conficker.

First spotted in November, the worm had soon infected more computers than any worm in recent years. By some estimates it is now installed on more than 10 million PCs. But ever since its first appearance, it has been strangely quiet. Conficker infects PCs and spreads around networks, but it doesn't do anything else. It could be used to launch a massive cyberattack, crippling virtually any server on the Internet, or it could be leased out to spammers in order to pump out billions upon billions of spam messages. Instead, it sits there, a massive engine of destruction waiting for someone to turn the key.

Until recently, many security researchers simply didn't know what the Conficker network was waiting for. On Thursday, however, an international coalition revealed that they had taken unprecedented steps to keep the worm separate from the command-and-control servers that could control it. The group is comprised of security researchers, technology companies, domain name registrars who have joined forces with the Internet Corporation for Assigned Names and Numbers (ICANN), which oversees the Internet's Domain Name System.

Researchers had taken apart Conficker's code and discovered that it uses a tricky new technique to phone home for new instructions. Each day, the worm generates a fresh list of about 250 random domain names such as aklkanpbq.info. It then checks those domains for new instructions, verifying their cryptographic signature to ensure that they were created by Conficker's author.

When Conficker's code was first cracked, security experts snatched up some of these randomly generated domains, creating what are known as sinkhole servers to receive data from hacked machines and observe how the worm worked. But as the infection became more widespread, they began registering all of the domains -- close to 2,000 per week -- taking them out of circulation before criminals had a chance to tell their infected computers what to do. If ever the bad guys tried to register one of these command-and-control domains, they would have found that they'd already been taken, by a fictional group calling itself the "Conficker Cabal." Its address? 1 Microsoft Way, Redmond Washington.

This is a new kind of cat-and-mouse game for researchers, but it has been tested a few times over the past few months. In November, for example, another group used the technique to take control of domains used by one of the world's largest botnet networks, known as Srizbi, cutting it off from its command-and-control servers.

With thousands of domains, however, this tactic can become time consuming and expensive. So with Conficker, the group has identified and locked up names using a new technique, called domain pre-registration and lock.

By dividing up the work of identifying and locking out Conficker's domains, the group has only kept the worm in check, not dealt it a fatal blow, said Andre DiMino, co-founder of The Shadowserver Foundation, a cybercrime watchdog group. "This is really the first key effort at this level that has the potential to make a substantial difference," he said. "We'd like to think we've had some effect in crippling it."

This is uncharted territory for ICANN, the group responsible for managing the Internet's address system. In the past, ICANN has been criticized for being slow to use its power to revoke accreditation from domain name registrars who have been widely used by criminals. But this time it's getting praise for relaxing rules that made it hard to lock down domains and for bringing together the group's participants.

"In this specific case they greased the wheels so that things would move quickly," said David Ulevitch, founder of OpenDNS. "I think they should be commended for that. ... It's one of the first times that ICANN has really done something positive."

The fact that such a diverse group of organizations are all working together is remarkable, said Rick Wesson, CEO of network security consultancy Support Intelligence. "That China and America cooperated to defeat a malicious activity on a global scale... that's serious. That's never happened," he said.

ICANN did not return calls seeking comment for this story and many of the participants in the Conficker effort, including Microsoft, Verisign and the China Internet Network Information Center (CNNIC) declined to be interviewed for this article.

Privately, some participants say that they do not want to draw attention to their individual efforts to combat what may well be an organized cybercrime group. Other say that because the effort is so new, it is still premature to discuss tactics.

Whatever the full story, the stakes are clearly high. Conficker has already been spotted on government and military networks and has been particularly virulent within corporate networks. One slip-up, and Conficker's creators could reprogram their network, giving the computers a new algorithm that would have to be cracked and giving them an opportunity to use these computers for nefarious purposes. "We have to be 100 percent accurate," Wesson said. "And the battle is a daily battle."

(Sumner Lemon in Singapore contributed to this report.)

Recommended
Join the discussion
Be the first to comment on this article. Our Commenting Policies