


by Senior Editor

Conficker Working Group says worm is stopped, but not gone

Jan 28, 2011 | 5 mins
Cybercrime, Data and Information Security, Network Security

An alliance of public and private organizations claims success in preventing further spread of the Conficker worm, but warns the nasty virus is still on millions of computers

A team of non-profit, public sector and private business parties known as the Conficker Working Group says it is proud of its success at stopping the infamous Conficker worm from spreading as far as many feared it would, but also notes the virus is still on many computers worldwide.

The task force, which included team members from non-profit groups such as Shadow Server and the Internet Corporation for Assigned Names and Numbers (ICANN), as well as vendors such as Facebook, Microsoft, Cisco, IBM, AOL and VeriSign, assembled in 2008 in response to the worm. Their goal was to block already infected computers from reaching the domains targeted by the worm’s author to attempt to update the worm with new code or new instructions. The CWG sought to register and otherwise block domains before the Conficker author, preventing the author from updating the botnet.

“Despite a few errors, that effort was very successful,” CWG officials said in a summary released this week, which was commissioned by the Department of Homeland Security.

The report details how a third variant of the worm, Conficker C, was released in February 2009 and managed to update nearly a million computers from Conficker A/B to Conficker C, despite the CWG’s efforts. The new features presented in the C variant showed that the author was adapting to the Working Group’s methods and trying to break them. Starting on April 1, 2009, the C version of the code would generate 50,000 pseudorandom domains per day from over 116 domains all over the world.


In fighting Conficker A/B, the security community proved they could coordinate to block 250 domains per day, already an unprecedented effort, claims the report. With Conficker C, they faced the challenge of organizing in less than three weeks to coordinate with over 100 countries and block over 50,000 domains per day. Even with the large task in front of them, the group managed an impressive amount of success in blocking the domains generated by Conficker C.
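Blocking domains ahead of the author, as described above, depends on defenders computing each day's domain list before that day arrives. The sketch below is an added example, not code from the CWG report and not Conficker's algorithm: the seed, TLD list, function names and DNS log lines are all constructed assumptions, used to show a day's 50,000-name list being split per registry and matched against resolver logs to find infected clients.

```python
import hashlib
from datetime import date

# Hypothetical seed and TLD list; this is NOT Conficker's algorithm or parameters.
SEED = "toy-seed"
TLDS = ["com", "net", "org", "info", "biz", "cn", "de", "fr"]

def candidate_domains(day, count):
    """Derive `count` domains from the date alone, so anyone who knows the
    algorithm (author or defender) computes the same list in advance."""
    out = []
    for i in range(count):
        h = hashlib.sha256(f"{SEED}|{day.isoformat()}|{i}".encode()).digest()
        length = 8 + h[0] % 4                       # 8 to 11 letters
        label = "".join(chr(97 + b % 26) for b in h[1:1 + length])
        out.append(f"{label}.{TLDS[h[12] % len(TLDS)]}")
    return out

def per_registry(domains):
    """Split the day's list by TLD: each registry has to block its own share."""
    shares = {}
    for d in domains:
        shares.setdefault(d.rsplit(".", 1)[1], []).append(d)
    return shares

def flag_clients(dns_log, blocklist):
    """Map client IP -> queried names that appear on the precomputed list."""
    hits = {}
    for line in dns_log:
        _ts, client, qname = line.split()
        qname = qname.rstrip(".").lower()           # normalise case and root dot
        if qname in blocklist:
            hits.setdefault(client, []).append(qname)
    return hits

def demo(day=date(2009, 4, 1)):
    todays = candidate_domains(day, 50_000)
    # Constructed resolver log: one client asks for a listed name, one does not.
    log = [f"2009-04-01T08:00:01Z 10.0.0.5 {todays[7].upper()}.",
           "2009-04-01T08:00:02Z 10.0.0.9 example.org."]
    shares = {tld: len(v) for tld, v in per_registry(todays).items()}
    return shares, flag_clients(log, set(todays))

if __name__ == "__main__":
    shares, hits = demo()
    print("domains per registry:", shares)
    print("clients querying listed names:", hits)
```

The per-registry counts show why the effort needed every affected TLD operator: a name left unblocked in any one registry is enough for an update channel.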

In coordinating to stop the botnet threat, the CWG became a model for cyber defense, the report states.

“The Conficker Working Group sees its biggest success as preventing the author of Conficker from gaining control of the botnet. Nearly every person interviewed for this report said this aspect of the effort has been successful.”

The blocking of domains continues and the Working Group plans to continue these efforts, the report said.

“Chief among the reasons for CWG’s success in this area was their ability to obtain cooperation from ICANN and the ccTLDs. Without these organizations, the group would have been able to do little to scale the registration of international domains to block Conficker C from using domains to update,” the summary states. “Processes are now in place that may make future coordination efforts easier, and many countries are reviewing domestic regulations, which would hopefully streamline their internal processes for dealing with such threats.”

The report says the Working Group sees its biggest failure as the inability to remediate infected computers and eliminate the threat of the botnet. While remediation efforts did take place, millions of the A/B variations of Conficker remain on infected computers — an estimated four to 15 million machines globally.

Last year, CSO interviewed Steve Santorelli, who at the time worked with the non-profit security investigations firm Team Cymru. Santorelli noted peer-to-peer botnets, like Conficker, have brought the cybersecurity competition between the good and bad guys to a new level. “They are deeply disturbing. The only way you can really take down a peer-to-peer-based botnet is to kick down the door and arrest the guy who is behind it,” he explained. “Essentially the miscreants have examined the way the community conducts investigations and have evolved to circumvent countermeasures that we have put in place.”

Santorelli said Conficker is one of the most troubling moments in recent IT security history, noting that one of its more troubling aspects was the unknown reason it was created.

“It is one of the more disturbing peer-2-peer botnets because it is very big, and it became a media sensation,” said Santorelli. “But more disturbing than anything else about it is we haven’t actually seen what it is going to be used for yet. Conficker has infected, by some estimates, millions of machines around the internet, but it isn’t actually doing anything yet. A lot of people are very concerned about what it’s for.”

In that report, the organization confirms that they were able to neutralize the worm by preventing it from being updated or communicating with its creator, whose identity has never been discovered. However, they add that Conficker remains dormant on between four and 15 million computers across the globe, according to various media reports published throughout the week.