
Cyber Security Community Joins Forces to Defeat Conficker Worm

That community had only weeks before learned the consequences of inaction in the face of another mounting threat. In late November 2008, the "Srizbi botnet," a massive collection of compromised Microsoft PCs that sent billions of spam e-mails each day, was knocked offline after Internet providers shuttered the Web servers that were being used to control and update the botnet's activities.

Researchers knew that Srizbi had a built-in fallback mechanism similar to the updating capabilities in Conficker, a failsafe device that could resurrect the botnet by forcing infected systems to seek out a randomly generated set of four domains that changed every 72 hours.
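The fallback mechanism described above, in which infected machines periodically query a fresh batch of gibberish-looking domains, is what defenders watch for in resolver logs. The following script is an added example written for this page, not code from the article or from any of the companies it names: it runs a simple detection heuristic over a constructed sample of DNS query log lines, flags labels that look algorithmically generated (long, high-entropy, vowel-poor), and reports clients that resolved several such names within one 72-hour window. The log format, the thresholds and the 72-hour bucketing are assumptions chosen for illustration.

```python
import math
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample of resolver log lines: "<timestamp> <client> <queried name>".
# Hosts and names are made up; the gibberish labels imitate the look of
# generated domains and are not taken from any real worm.
SAMPLE_LOG = """\
2008-11-26T10:00:01 10.0.0.5 www.example.com
2008-11-26T10:00:02 10.0.0.5 mail.example.org
2008-11-26T10:00:03 10.0.0.9 qzkvjxwptr.com
2008-11-26T10:00:04 10.0.0.9 hxmdrqfyzb.net
2008-11-26T10:00:05 10.0.0.9 vwkplzqtsm.org
2008-11-26T10:00:06 10.0.0.9 jrxcqfnwbd.ws
2008-11-26T10:00:07 10.0.0.5 cdn.example.net
2008-11-26T10:00:08 10.0.0.9 www.example.com
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)$")
VOWELS = set("aeiou")


def shannon_entropy(text):
    """Bits per character of the label's character distribution."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registered_label(fqdn):
    """Label directly left of the TLD. Assumes single-label TLDs (no
    public-suffix handling), which is enough for the sample above."""
    parts = fqdn.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def looks_generated(label, min_len=7, min_entropy=3.0, max_vowel_ratio=0.2):
    """Heuristic for generated-looking names: long, high-entropy, few vowels.
    The thresholds are assumptions and should be tuned against local traffic."""
    if len(label) < min_len:
        return False
    vowel_ratio = sum(ch in VOWELS for ch in label) / len(label)
    return shannon_entropy(label) >= min_entropy and vowel_ratio <= max_vowel_ratio


def period_index(ts, hours=72):
    """Bucket a naive UTC timestamp into fixed windows; 72 hours mirrors the
    rotation interval the article describes for the fallback domains."""
    epoch_seconds = ts.replace(tzinfo=timezone.utc).timestamp()
    return int(epoch_seconds // (hours * 3600))


def suspicious_hosts(log_text, min_distinct=3, hours=72):
    """Return {(client, window): sorted names} for clients that resolved at
    least min_distinct distinct generated-looking names in one window."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than abort the sweep
        ts_str, client, name = m.groups()
        ts = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%S")
        if looks_generated(registered_label(name)):
            seen[(client, period_index(ts, hours))].add(name.lower())
    return {key: sorted(names) for key, names in seen.items()
            if len(names) >= min_distinct}


if __name__ == "__main__":
    for (client, window), names in suspicious_hosts(SAMPLE_LOG).items():
        print(f"{client} window {window}: {len(names)} generated-looking names -> {names}")
```

Requiring several distinct hits per client per window is what keeps a single odd hostname from paging anyone; a machine working through a fallback list produces a burst of them, which is the behaviour worth alerting on and, where the names are already known, the list a sinkhole operator would want to register ahead of time.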

For several weeks, FireEye, a private security company in Milpitas, Calif., took it upon itself to register each of the domains that Srizbi-infected systems were programmed to seek out, the domains through which the criminals could regain control over the wayward systems. But as the costs of registering those domains mounted, the company ceased reserving them. On Nov. 25, a day after FireEye quit registering the Web site names, unknown individuals took over that task, and the Srizbi botnet was back online and blasting out spam.

Woodcock said many in the security community, including the Internet Corporation for Assigned Names and Numbers (ICANN), which oversees the domain registration industry, were eager to avoid a repeat of the Srizbi fiasco.

"Nobody wanted to go through a big exercise to deal with the Conficker worm and not have a process in place to make it easier the next time this happens with a different worm," Woodcock said.

Still, coordinating a Conficker counterpunch would require some bending of the rules that govern domain name registrations, along with an unprecedented level of cooperation from foreign governments.

For example, the "top level domains" most sought after by Conficker-infested systems -- dot-com, dot-org and dot-net -- have explicit contracts with ICANN that prohibit them from unilaterally reserving Web site names, even the seemingly gibberish domains that were known to be sought out by Conficker.

Also, some of the domains sought by Conficker would need to be registered through registrars controlled by sovereign nations that are not beholden to ICANN, such as dot-ws (Western Samoa) and dot-cn (China).

Rodney Joffe, senior vice president of Sterling, Va.-based Neustar Inc., which has an exclusive contract with ICANN to manage dot-biz and dot-us domain registrations, said ICANN recently took the unprecedented step of allowing registrars to set aside any domains sought by Conficker systems now or in the future.

Joffe said ICANN was instrumental not only in waiving those restrictions for domestic registrars, but also in convincing the Chinese and other international registrars to agree to shelve the Conficker domains.

"People blame ICANN when anything having to do with domain names being used for abuse comes up," Joffe said. "But this is one of those interesting instances where ICANN has been very progressive in the kinds of help they've given the registry operators. There seems to be growing, global understanding that these kinds of things don't reflect well on anyone in the industry and actually cause damage to everyone."

For its part, ICANN will continue to work with the registry community to refine its policies on how to deal with future domain name-based threats, said Greg Rattray, chief Internet security advisor at ICANN.

"We agreed with the registries that we need to look at how to do this in a coordinated, coherent fashion that enables the community to respond in accordance with the contractual policy guidelines while at the same time being operationally effective and timely," Rattray said. "We hope this can become the model for more collaborative response in the face of future threats."

Rick Wesson, chief executive of Support Intelligence, a security firm in San Francisco, called the international effort to contain the worm "incredible."

"Here we have the Chinese cooperating with the Americans on a cyber threat when so much of the rhetoric [from the U.S. government] is about concerns around the cyber threat from China," said Wesson, who was also one of the researchers who began registering Conficker domains back in November.

But it's too soon for the community to declare victory, Wesson said. The next domain-based worm could significantly ratchet up the number of domains, and thereby sideline a large number of Web site names that might otherwise be commercially viable and sought after by legitimate Internet users.

"I think we're going to have successes and we're going to have failures, and this one clearly isn't a success until Microsoft has paid a quarter of a million dollars and the individuals behind this worm are in jail," Wesson said.


© 2009 The Washington Post Company