With Global Effort, a New Type of Worm is Slowed
An international coalition revealed that they had taken unprecedented steps to keep the Conficker worm separate from the command-and-control servers that could control it.
February 13, 2009 — CSO — There have been big computer worm outbreaks before, but nothing quite like Conficker.
First spotted in November, the worm had soon infected more computers than any worm in recent years. By some estimates it is now installed on more than 10 million PCs. But ever since its first appearance, it has been strangely quiet. Conficker infects PCs and spreads around networks, but it doesn't do anything else. It could be used to launch a massive cyberattack, crippling virtually any server on the Internet, or it could be leased out to spammers in order to pump out billions upon billions of spam messages. Instead, it sits there, a massive engine of destruction waiting for someone to turn the key.
Until recently, many security researchers simply didn't know what the Conficker network was waiting for. On Thursday, however, an international coalition revealed that they had taken unprecedented steps to keep the worm separate from the command-and-control servers that could control it. The group is comprised of security researchers, technology companies, domain name registrars who have joined forces with the Internet Corporation for Assigned Names and Numbers (ICANN), which oversees the Internet's Domain Name System.
Researchers had taken apart Conficker's code and discovered that it uses a tricky new technique to phone home for new instructions. Each day, the worm generates a fresh list of about 250 random domain names such as aklkanpbq.info. It then checks those domains for new instructions, verifying their cryptographic signature to ensure that they were created by Conficker's author.
When Conficker's code was first cracked, security experts snatched up some of these randomly generated domains, creating what are known as sinkhole servers to receive data from hacked machines and observe how the worm worked. But as the infection became more widespread, they began registering all of the domains -- close to 2,000 per week -- taking them out of circulation before criminals had a chance to tell their infected computers what to do. If ever the bad guys tried to register one of these command-and-control domains, they would have found that they'd already been taken, by a fictional group calling itself the "Conficker Cabal." Its address? 1 Microsoft Way, Redmond Washington.
This is a new kind of cat-and-mouse game for researchers, but it has been tested a few times over the past few months. In November, for example, another group used the technique to take control of domains used by one of the world's largest botnet networks, known as Srizbi, cutting it off from its command-and-control servers.