Group Takes Conficker Fight To New Level

With a new and trickier Conficker variant to deal with, a group of volunteers vows to go forward and fight the worm

Forming a global alliance to fight cybercrime isn't easy, and building an organization that can stay one step ahead of cyber crooks in more than 100 countries is close to impossible. But a band of volunteers calling itself Conficker Working Group thinks it can do it.

The group was formed earlier this year to try to contain the massive network of computers infected by the Conficker worm, which at its worst was thought to have infected 10 million computers.

The seriousness of the problem helped get the group off the ground, as technical experts from the world's top Internet companies informally banded together. At first they called themselves the Conficker Cabal, but they've now lightened the name, calling themselves the Conficker Working Group.

It's an improbably story, according to Paul Vixie, president of the Internet Systems Consortium, and one of the group's members. "It was formed as a bucket brigade because there was a house on fire," he said. "There was no way that you could get this level of talent to be focused on this if it was with a long term goal of, 'Gee, lets shape the Internet security landscape.'"

But now that it's working, members hope that it could be used to fight off other Internet threats in the future.

The group works in an informal, ad hoc way. There is a Web site and some mailing lists, and the occasional conference call. No contracts, no fees, no workshops, and no newsletters.

"There are a lot of companies that are putting a lot on the line to do it," said Rick Wesson, CEO of network security consultancy Support Intelligence. "It sucked up everybody's time, we're not being paid to do this, and it's fantastic. Everybody feels good about doing this."

The stakes are high. Now estimated at between 2 million and 4 million computers, Conficker would be the world's largest botnet -- by a lot. Generally botnets with a few hundred thousand computers are considered to be a major threat.

The Working Group's approach harkens back to the early days of the Internet, when a close-knit group of enthusiasts, kept the network up and running. "It was like an Amish barn building party," Vixie said. "Everybody would just haul over there and get it done."

In the 90s that cooperative spirit abated, as people with technical skills were snatched up by Internet companies, many of whom were locked in fierce competition with each other. But recently, that sense of "harsh competition" has abated, Vixie said. "Economic tides being what they are, people are focused on preserving what remains of the industry rather than muscling in on a larger market share."

Last year, Vixie got a taste of this new spirit of cooperation when found himself in a roomful of competitors, all working out a solution to a major bug in the Domain Name System (DNS). More impressively, none of the work leaked out until everyone had a chance to patch.

With the Conficker Working Group, the going has been tough at times. Originally set up to prevent two earlier variants of Conficker from updating their software, the group has had a setback with the latest Conficker.C code. "There is evidence that there was an update that kind of slipped out," said Andre DiMino, co-founder of The Shadowserver Foundation, a cybercrime group that is part of the Working Group.

While security experts believe there are sill a large number of Conficker.A and Conficker.B infections out there, nobody really knows how many of them were able to update. They'll have a better idea of that on Wednesday, however, when Conficker.C clients begin using a new, much more complicated algorithm to look for instructions from a command-and-control server.

Earlier version of the worm would each look on 250 different Web sites each day for instructions. By working with domain name registrars to lock the criminals out from these Internet domains, the Working Group was able to keep Conficker out of the grasp of its creators, for awhile at least.

But now with the new algorithm, that job will become much harder. Instead of hundreds of domains per day, they will have to lock out 50,000. And they will have to work with more than 100 domain registrars in many different countries as Conficker starts looking for updates many different nooks and crannies of the Internet.

Whether the Conficker Working Group will be able to keep up in this unprecedented game of cat and mouse remains to be seen. But Wesson and DiMino are optimistic.

Vixie isn't so sure though. "I go back and forth," he said. "It depends on whether or not I'm in the part of the day where Im drinking coffee or the part of the day where I'm drinking beer."

Copyright © 2009 IDG Communications, Inc.

7 hot cybersecurity trends (and 2 going cold)