Cyber Security Community Joins Forces to Defeat Conficker Worm

By Brian Krebs, Staff Writer
Friday, February 13, 2009; 3:01 PM

The quarter-million dollar award Microsoft is offering for information that leads to the arrest and conviction of those responsible for unleashing the "Conficker" worm may represent the culmination of what security experts say has been an unprecedented and collaborative response from industry, academia and Internet policy groups, aimed not just at containing the spread of this worm but also at creating a playbook for dealing with future digital pandemics.

Estimates of how many systems are infected by Conficker, a contagion that has exploited Microsoft Windows PCs over the past few months, vary widely, from 2 million to more than 10 million machines. Microsoft estimates that at least 3 million PCs worldwide remain infected. Yet PCs sickened by Conficker have not yet been observed facilitating the kind of illegal online activities typically carried out by computers infected with malicious software, such as sending spam or hosting scam Web sites.

Rather, security experts say the worm may be the first stage of a larger attack. Using a mathematical algorithm, Conficker directs infected systems to regularly contact a list of 250 different domain names each day. If just one of those domains is registered by the virus writer, it could be used to deliver an as-yet unknown secondary component, such as additional malicious software, to all infected systems.

"This worm would be a marvelous tool in the hands of whoever can control it, but the real harm from it has yet to be felt, and we're trying to postpone that day," said Paul Vixie, founder of Internet Systems Consortium, a Redwood City, Calif., company whose open-source software powers millions of Internet servers around the globe.

In the weeks after Conficker first surfaced in November, the anti-virus community studied the worm and published its research online. Individual security researchers were then able to begin registering the 250 domains sought daily by Conficker-infected systems, to ensure those machines would not receive the worm's intended instructions. At least one researcher said he registered a number of the domains in the names of the FBI and Microsoft.

But the FBI was already investigating individuals who were found to have recently registered domains sought by Conficker-infected systems, according to Bill Woodcock, research director of Packet Clearing House, a San Francisco-based non-profit organization that provides support and training to companies that manage critical Internet infrastructure.

"There have been law enforcement folks trying to figure out who the holders of these domains are," Woodcock said.

Officials for the FBI did not return calls seeking comment.

Phillip Porras, director of the computer security lab at SRI International, also began tracking Conficker domains in late November. Porras and his team learned they could determine the sets of domains sought by Conficker-infected hosts in the past or the future merely by rolling the system date back or forward on Microsoft Windows systems that they had purposely infected in their test lab.
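The date-driven domain lookup described earlier (250 candidate domains per day) and the "roll the clock" trick Porras's team used can be illustrated with a constructed date-seeded generator and the defender-side enumeration built on it. This is added example code, not Conficker's actual algorithm and not code from the article; the SHA-256 seeding, the TLD list, the label lengths and the DNS log format are all assumptions.

```python
import hashlib
from datetime import date, timedelta

# Constructed, illustrative date-seeded generator: NOT Conficker's real
# algorithm. The article states only "250 candidate domains per day".
DOMAINS_PER_DAY = 250
TLDS = ("com", "net", "org")          # assumed TLD set


def daily_domains(day: str, count: int = DOMAINS_PER_DAY) -> list[str]:
    """Candidate rendezvous domains for one ISO date such as '2009-02-13'."""
    out = []
    for i in range(count):
        digest = hashlib.sha256(f"{day}:{i}".encode()).digest()
        length = 8 + digest[0] % 5                   # 8..12 letters
        label = "".join(chr(ord("a") + b % 26) for b in digest[1:1 + length])
        out.append(f"{label}.{TLDS[digest[13] % len(TLDS)]}")
    return out


def domains_for_window(anchor: str, days_back: int, days_forward: int) -> dict[str, list[str]]:
    """Defender view: roll the clock back and forward to enumerate past and
    future rendezvous domains for pre-registration, sinkholing or blocking."""
    start = date.fromisoformat(anchor)
    window = {}
    for d in range(-days_back, days_forward + 1):
        day = (start + timedelta(days=d)).isoformat()
        window[day] = daily_domains(day)
    return window


def flag_dns_queries(log_lines: list[str], window: dict[str, list[str]]) -> list[tuple[str, str, str]]:
    """Match queried names in '<client> <qname>' log lines (assumed format)
    against the window; returns (client, domain, rendezvous day) hits."""
    lookup = {dom: day for day, doms in window.items() for dom in doms}
    hits = []
    for line in log_lines:
        client, qname = line.split()[:2]
        qname = qname.rstrip(".").lower()
        if qname in lookup:
            hits.append((client, qname, lookup[qname]))
    return hits


if __name__ == "__main__":
    window = domains_for_window("2009-02-13", days_back=2, days_forward=7)
    # Constructed sample DNS log: one benign query, one to a next-day domain.
    sample = ["10.0.0.5 www.example.com", "10.0.0.9 " + window["2009-02-14"][0]]
    for client, qname, day in flag_dns_queries(sample, window):
        print(f"{client} queried {qname} (rendezvous domain for {day})")
```

Feeding real resolver logs through `flag_dns_queries` with a window enumerated from a known generator is the same idea the researchers used to size the infection and pre-empt the rendezvous domains.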

As Porras's group began building lists of domains sought by Conficker that had already been registered, they found hundreds that traced back to security researchers and anti-virus companies that were hoping to glean intelligence about the number of systems infected with the worm.

"We found that lots of people had registered these domains to try and gather size estimates and to better understand the worm," Porras said. "Early on, various folks were sharing this data privately, but nothing was really that coordinated."

Yet, as December rolled around and the number of machines infected by the worm swelled into the millions, a consensus began to emerge within the security research community that they needed a broader coordination effort.


© 2009 The Washington Post Company