One year after the Conficker botnet was front-page news around the world, the U.S. Department of Homeland Security is preparing a report looking at the worldwide effort to keep it in check.

The report, to be published within the month, shows how an ad hoc group of security researchers and Internet infrastructure providers banded together into an organization they called the Conficker Working Group. Its goal was to address what was at the time the world’s most serious cyberthreat.

“We said, ‘This was a very good example of the private sector, globally, working together to try to solve a cybersecurity attack, so let’s fund the creation of a lessons-learned report to just document what worked, what didn’t work,’” said Douglas Maughan, a program manager with the Department of Homeland Security’s Science & Technology Directorate.

The report could provide a template for future cyber-responses, security experts say.

Conficker began spreading in November 2008, infecting computers via a variety of means, including an attack exploiting a known flaw in Microsoft Windows. Though it is still thought to control between 4 million and 7 million computers, Conficker was only briefly put to use, in April 2009. It’s as if the massive amount of scrutiny it generated eventually frightened away its creators — a good thing, since it controls enough computers to create a withering distributed denial-of-service attack.

Security researchers analyzing the malware soon realized that the botnet used an algorithm to calculate the Internet domain where it should look for instructions each day.
Working with the Internet Corporation for Assigned Names and Numbers (ICANN) and domain name registrars, they began blocking these domains in advance, preventing Conficker’s creators from connecting to the hacked computers. With each iteration, however, Conficker’s creators stepped up their game, developing cryptographic protections and a peer-to-peer communications structure, and making it harder and harder to keep the botnet out of the hands of the criminals.

Still, the relationships developed during the experience, and the working-group model itself, set the standard for how the Internet community would deal with subsequent incidents. “Conficker really was a seminal event for the security community,” said Rodney Joffe, senior technologist with Internet infrastructure service provider Neustar and a member of the working group.

When he got a call Dec. 7 from Chris Davis, CEO of Ottawa-based security consultancy Defense Intelligence, Joffe suggested they use the same type of model to take down a new botnet, known as Mariposa. “Six weeks later there were actual arrests,” Joffe said. “From our point of view, it’s one of the best validations of the model.”

Like other participants, Joffe considers the Conficker Working Group a success, but a qualified one. After all, though Conficker’s been quiet, the botnet is still around. “In terms of learning, it’s been a great success,” he said. “In terms of defeating Conficker, it’s gotten us nowhere.”

The Working Group set the standard for the kind of organizational structure required to ensure international cooperation, group members say. “It wasn’t hierarchical; there was nobody really in charge,” Maughan said. “It was everybody really working together for the common good.” “Anybody that was involved in global Internet infrastructure was involved,” he added. “They got the players to the table and figured out working relationships.”

The group divided itself up, with DNS, sinkhole, and malware analysis subgroups.
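The defensive idea described above (the bot computes its rendezvous domain from the date, so anyone who knows the algorithm can enumerate those domains ahead of time and block or sinkhole them) is shown below as an added example; it is not code from the article or from the Working Group. The domain generator here is a constructed toy seeded only by the calendar date, not Conficker's actual algorithm, and the DNS query log lines and the `<timestamp> <client-ip> <qtype> <qname>` line layout are constructed for the demonstration. The defender side precomputes a window of domains and flags internal clients that look them up, which is how a sinkhole operator would spot infected hosts.

```python
import hashlib
from datetime import date, timedelta

# Constructed toy DGA for illustration only; it is NOT Conficker's algorithm.
TLDS = ("com", "net", "org")


def domains_for(iso_day, count=5):
    """Domains the toy DGA yields for one day (deterministic, date-seeded)."""
    day = date.fromisoformat(iso_day)
    out = []
    for i in range(count):
        seed = f"{day.isoformat()}|{i}".encode()
        hexdigest = hashlib.sha256(seed).hexdigest()
        # Map the first 12 hex digits onto letters a..p so the name looks like a DGA label.
        label = "".join(chr(ord("a") + int(h, 16)) for h in hexdigest[:12])
        out.append(f"{label}.{TLDS[i % len(TLDS)]}")
    return out


def precompute_blocklist(start_iso, days):
    """Defender step: enumerate every domain the algorithm will use in the window,
    so they can be registered, blocked or pointed at a sinkhole before the bots ask."""
    start = date.fromisoformat(start_iso)
    block = set()
    for offset in range(days):
        block.update(domains_for((start + timedelta(days=offset)).isoformat()))
    return block


def find_rendezvous_lookups(log_lines, blocklist):
    """Return (client, qname) pairs for query-log lines naming a precomputed domain.
    Assumed (constructed) line shape: '<timestamp> <client-ip> <qtype> <qname>'."""
    hits = []
    for line in log_lines:
        parts = line.split()
        if len(parts) < 4:
            continue  # skip malformed lines rather than crash on them
        _ts, client, _qtype, qname = parts[:4]
        name = qname.rstrip(".").lower()  # normalise trailing dot and case
        if name in blocklist:
            hits.append((client, name))
    return hits


def demo_hits():
    """Run the matcher over a constructed DNS query log for 1 April 2009."""
    blocklist = precompute_blocklist("2009-03-30", 7)  # one-week window
    dga_name = domains_for("2009-04-01")[2]
    sample_log = [  # constructed sample log lines
        "2009-04-01T10:00:01 10.0.0.5 A www.example.com.",
        f"2009-04-01T10:00:02 10.0.0.5 A {dga_name}.",
        "2009-04-01T10:00:03 10.0.0.9 AAAA mail.example.org.",
        "garbage line",
    ]
    return find_rendezvous_lookups(sample_log, blocklist)


if __name__ == "__main__":
    for client, name in demo_hits():
        print(f"host {client} queried precomputed rendezvous domain {name}")
```

The weakness this exploits on the defender's behalf is that the generator has no secret: the date alone fixes the output. That is exactly why, as the article notes, Conficker's authors later added cryptographic protections and a peer-to-peer channel, which take the rendezvous point out of the registrars' reach.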
For a while there was even public discussion of the group’s tactics, but that was stopped when it became clear that the criminals were listening in.

Although the Working Group is no longer as active as it was in the early days, it still meets for weekly conference calls, Joffe said. “There is still an ongoing effort to identify the people behind [Conficker] and to try to find a mechanism to try to help remediate it.”

The Conficker Working Group model should be developed further, said Rick Wesson, CEO of Support Intelligence and another member of the group. “We as a nation would be stronger if we had a formalized, private-sector group that did things like the Conficker Working Group did.”