
Thursday, 12 February 2009

Joint Effort at Conficker Disruption

Today Microsoft announced a cooperative effort that has been underway to actively disrupt and contain the Conficker worm outbreak. The Shadowserver Foundation is honored and pleased to be part of this effort which is truly the first of its type. This project brings together those organizations that can effect change at the domain level where the botnet traditionally anchors itself.

Botnets almost always run off domain names that the botnet operator has registered for the sole purpose of giving the drones a place to call home. In one case, a C&C server identified in a particular network space can be shut down; however, the DNS records for the domain can simply be pointed to another server and the botnet remains active. In another case, the C&C might be running on a network that is complicit in the malicious activity and can't be shut down at all. As you can see, a key way to attack the botnet problem is at the domain registration level.

Shadowserver and other researchers regularly see domains used solely for malicious purposes. Taking those domains down cuts the legs right out from under the botnet, so the drones have no place to call home. Traditionally we've seen malware that carries its domain names in plain view within the code of the specimen, so it is relatively easy to identify and enumerate the domains that are or will be used by a botnet. A newer technique that is gaining momentum is for the malware to generate the domain names it will use on a week-to-week or month-to-month basis. Once the algorithm has been determined, one can compute in advance the full list of domain names that will be used.

If these domains can be identified, and have their DNS pointed to a friendly server instead of the C&C, you accomplish several good things. First, you've essentially crippled the botnet, and second you're now able to identify all the infected drones trying to connect to the C&C since they are now attempting connections to that friendly server. Shadowserver has employed various processes to identify the domain names, act as that friendly server, and enumerate the orphaned drones. We add this data to our freely distributed report process which notifies the appropriate network operators that there are infected machines on their network. In the case of Conficker/Downadup, we've actually been watching this for some time, and playing the role of a 'friendly' server for over a month.
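The two defender steps just described, precomputing a generated domain list so it can be pointed at a friendly server, and then enumerating infected hosts from that server's query log, as an added example that is not Shadowserver's code. The date-seeded generator is a constructed stand-in for a reverse-engineered algorithm (it is not the worm's real generator); the log lines, IPs and field layout are also constructed.

```python
import hashlib
from datetime import date, timedelta

# Hypothetical stand-in for a reverse-engineered domain generation algorithm,
# constructed for this example and NOT the worm's real one. The defender steps
# below rely only on it being deterministic for a given calendar date.
TLDS = ("com", "net", "org")

def dga_domains(day, count=5):
    """Domains a hypothetical bot would derive from the calendar date."""
    seed = day.isoformat().encode()
    names = []
    for i in range(count):
        digest = hashlib.sha256(seed + bytes([i])).digest()
        # Map the first eight digest bytes onto the letters a-z for the label.
        label = "".join(chr(97 + b % 26) for b in digest[:8])
        names.append("%s.%s" % (label, TLDS[i % len(TLDS)]))
    return names

def preregistration_list(start, days):
    """Every domain the bots will try in the window, keyed to its live date:
    the list handed to registries so the names resolve to the friendly server."""
    table = {}
    for n in range(days):
        d = start + timedelta(days=n)
        for name in dga_domains(d):
            table[name] = d
    return table

def enumerate_drones(log_lines, known):
    """Sinkhole view: source IP -> set of generated domains it queried.
    Each log line is '<timestamp> <source IP> <queried name>'."""
    drones = {}
    for line in log_lines:
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines instead of aborting the report
        _ts, src, qname = parts
        qname = qname.rstrip(".").lower()  # normalise trailing dot and case
        if qname in known:
            drones.setdefault(src, set()).add(qname)
    return drones

# Constructed sample sinkhole query log for the day of the announcement.
DAY = date(2009, 2, 12)
SAMPLE_LOG = [
    "2009-02-12T10:00:01 192.0.2.10 %s." % dga_domains(DAY)[0],
    "2009-02-12T10:00:02 192.0.2.11 www.example.com",
    "2009-02-12T10:00:03 192.0.2.10 %s" % dga_domains(DAY)[2],
    "2009-02-12T10:00:04 198.51.100.7 %s" % dga_domains(DAY)[1].upper(),
]
```

Running `enumerate_drones(SAMPLE_LOG, preregistration_list(DAY, 7))` yields the two hosts that asked for generated names; the host that only queried www.example.com is not reported.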

You can see why the joint effort announced today is so critical. This sort of thing needs to be done at scale. Having ICANN and the organizations responsible for the top-level domains involved can make a significant dent in the problem as far as the use and misuse of domain names goes. Couple this with Microsoft's effort not only to spearhead and support the project but also to use the drone data directly for remediation.

We at Shadowserver are very hopeful that this effort is foundational, one that will gain traction and attention from those organizations that can make a difference. The issue now is truly global. The botnet scourge is monumental. It requires worldwide coordination and cooperation among industry, government, and law enforcement. Working in silos and in isolation won't work any longer. As a non-profit, vendor-neutral organization, Shadowserver is committed to this effort and to working with other groups dedicated to improving the safety of the Internet.

If you wish to learn more about Conficker direct from Microsoft, the following links are a good resource:

http://www.microsoft.com/protect/computer/viruses/worms/conficker.mspx

http://blogs.technet.com/mmpc/archive/2009/01/22/centralized-information-about-the-conficker-worm.aspx

http://technet.microsoft.com/en-us/security/dd452420.aspx

Microsoft Press Release:

http://news.prnewswire.com/DisplayReleaseContent.aspx?ACCT=104&STORY=/www/story/02-12-2009/0004971471&EDATE

Microsoft Conficker Page

http://www.microsoft.com/conficker

[UPDATE - 02/12/09 - 18:27]

There have been several articles regarding this joint effort. We're pleased to see this attract widespread attention. I've pasted a few links below for reference:

http://searchsecurity.techtarget.com/news/article/0,289142,sid14_gci1347721,00.html

http://www.marketwatch.com/news/story/microsoft-collaborates-industry-disrupt-conficker/story.aspx?guid=%7BC9767056-1516-4ACC-A866-B0CABDA94056%7D&dist=msr_2

http://www.itnewsonline.com/showprnstory.php?storyid=34189

http://www.ddj.com/security/213901112

http://www.google.com/hostednews/afp/article/ALeqM5gFJjprPdN-xiAc9LirlojjlvN1hA

http://infosecurity.us/?p=6238

http://www.icann.org/en/announcements/announcement-2-12feb09-en.htm

http://www.newsgab.com/forum/current-events/68632-microsoft-offers-250-000-bounty-worm-authors.html

http://www.secuobs.com/revue/news/61365.shtml

http://business.newsfactor.com/news/Microsoft-Targets-Worm-Authors/story.xhtml?story_id=030002X7QGNI

http://www.pcworld.com/article/159506/conficker_worm_draws_a_counterattack.html

Posted February 12, 2009, at 09:01 AM by Andre' - Semper_Securus