Thursday, 12 February 2009
Joint Effort at Conficker Disruption
Today Microsoft announced a cooperative effort, already under way, to actively disrupt and contain the Conficker worm outbreak. The Shadowserver Foundation is honored and pleased to be part of this effort, which is truly the first of its type. The project brings together the organizations that can effect change at the domain level, where a botnet traditionally anchors itself.
Botnets are almost always run off domain names that the botnet operator has registered for the sole purpose of giving the drones a place to call home. Taking down the command-and-control (C&C) server alone is not enough: if a C&C server is identified in a particular network space and shut down, the operator can simply point the domain's DNS records at another server and the botnet remains active. In other cases the C&C runs on a network that is complicit in the malicious activity and cannot be shut down at all. A key way to attack the botnet problem is therefore at the domain registration level.
Shadowserver and other researchers regularly see domains used solely for malicious purposes. Taking those domains down cuts the legs right out from under the botnet, because the drones have no place to call home. Traditionally the domain names have been hard-coded in the malware itself, so it is relatively easy to extract and enumerate the domains a botnet is using or will use. A newer technique that is gaining momentum is for the malware to generate its domain names algorithmically, producing a fresh set from week to week or month to month. Once the algorithm has been determined, one can compute in advance the full list of domain names the botnet will use.
If these domains can be identified and their DNS pointed at a friendly server instead of the C&C, several good things follow. First, the botnet is essentially crippled. Second, every infected drone that tries to reach the C&C now connects to the friendly server instead, so the drones can be identified from the connections it receives. Shadowserver has put processes in place to identify the domain names, act as that friendly server, and enumerate the orphaned drones. We add this data to our freely distributed reports, which notify the responsible network operators that there are infected machines on their networks. In the case of Conficker/Downadup we have been watching this for some time, and have been playing the role of a 'friendly' server for over a month.
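The two steps described above (pre-computing the domains a drone will generate, then triaging the connections that arrive at the friendly server) are shown together below as an added example. This is not Shadowserver's code, and the domain generator is a toy stand-in rather than the Conficker/Downadup algorithm; the TLD pool, the netblock-to-operator table, the hypothetical function names and the log lines are all constructed for the example, using documentation address ranges and private-use AS numbers.

```python
"""Added example (not Shadowserver's code): pre-computing algorithmically generated
rendezvous domains and triaging connections captured at a sinkhole.

The domain generator below is a toy stand-in, NOT the Conficker/Downadup algorithm;
the netblock registry and the log lines are constructed for the example, using
documentation address ranges (RFC 5737) and private-use AS numbers.
"""
from __future__ import annotations

import hashlib
import ipaddress
from collections import defaultdict
from datetime import date, timedelta

# Assumed TLD pool for the toy generator (not the worm's real set).
TLDS = ("com", "net", "org")

# Constructed netblock-to-operator table standing in for a routing/whois lookup.
NETBLOCKS = {
    "192.0.2.0/24": "AS64496",
    "198.51.100.0/24": "AS64497",
}

# Day used by the stand-alone run and the constructed log below.
EXAMPLE_DAY = date(2009, 2, 12)


def generate_domains(day: date, count: int = 5) -> list[str]:
    """Toy DGA: derive `count` domain names deterministically from a calendar date.

    A drone and a defender who both know the algorithm compute the same list,
    which is what makes pre-registering or sinkholing the domains possible.
    """
    domains = []
    for i in range(count):
        digest = hashlib.sha256(f"{day.isoformat()}:{i}".encode()).digest()
        length = 8 + digest[0] % 4                      # 8 to 11 letter label
        label = "".join(chr(ord("a") + b % 26) for b in digest[1:1 + length])
        domains.append(f"{label}.{TLDS[digest[-1] % len(TLDS)]}")
    return domains


def enumerate_future_domains(start: date, days: int, count: int = 5) -> dict[str, date]:
    """Map every domain a drone will try over `days` days to the day it is used."""
    table: dict[str, date] = {}
    for offset in range(days):
        day = start + timedelta(days=offset)
        for domain in generate_domains(day, count):
            table[domain] = day
    return table


def build_sample_log(day: date) -> list[str]:
    """Constructed sinkhole log lines (not real traffic): timestamp, client IP, Host."""
    hits = generate_domains(day)
    return [
        f"{day.isoformat()}T10:01:03 192.0.2.17 {hits[0]}",
        f"{day.isoformat()}T10:01:09 192.0.2.17 {hits[1]}",      # same drone, next domain
        f"{day.isoformat()}T10:02:41 192.0.2.200 {hits[0]}",
        f"{day.isoformat()}T10:03:15 198.51.100.5 {hits[2]}",
        f"{day.isoformat()}T10:04:00 203.0.113.9 www.example.org",  # unrelated scanner
        "malformed line that should be skipped",
    ]


def triage_sinkhole(log_lines, expected: dict[str, date],
                    netblocks: dict[str, str] = NETBLOCKS) -> dict[str, set[str]]:
    """Group the source addresses of drones that asked for a generated domain by the
    network operator responsible for them, so each operator can be notified."""
    nets = [(ipaddress.ip_network(cidr), owner) for cidr, owner in netblocks.items()]
    drones: dict[str, set[str]] = defaultdict(set)
    for line in log_lines:
        parts = line.split()
        if len(parts) != 3:
            continue                                    # not a well-formed record
        _timestamp, client, host = parts
        if host.lower() not in expected:
            continue                                    # not a botnet rendezvous domain
        try:
            addr = ipaddress.ip_address(client)
        except ValueError:
            continue                                    # garbage in the client field
        owner = next((o for net, o in nets if addr in net), "unknown")
        drones[owner].add(client)
    return dict(drones)


if __name__ == "__main__":
    watchlist = enumerate_future_domains(EXAMPLE_DAY, days=7)
    print(f"{len(watchlist)} domains to sinkhole over the next week")
    for owner, ips in triage_sinkhole(build_sample_log(EXAMPLE_DAY), watchlist).items():
        print(f"{owner}: {len(ips)} infected host(s): {sorted(ips)}")
```

Two caveats a practitioner would apply to real sinkhole data: counting unique source addresses undercounts infections behind NAT (one address, many hosts) and overcounts them on networks with DHCP churn (one host, many addresses over time), so the per-operator counts are an estimate of affected networks rather than an exact host tally; and only requests for domains on the pre-computed list are attributed to the botnet, so scanners and stray traffic hitting the same server are discarded rather than reported.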
You can see why the joint effort announced today is so critical: this sort of thing needs to be done at scale. Having ICANN and the organizations responsible for the top-level domains involved can make a significant dent in the use and misuse of domain names. Microsoft's role adds to this: it is not only spearheading and supporting the project but also using the drone data directly for remediation.
We at Shadowserver are very hopeful that this effort is foundational, and that it will gain traction and attention from the organizations that can make a difference. The issue is now truly global, and the botnet scourge is monumental. It requires worldwide coordination and cooperation among industry, government, and law enforcement; working in silos and in isolation will not work any longer. As a non-profit, vendor-neutral organization, Shadowserver is committed to this effort and to working with other groups dedicated to improving the safety of the Internet.
If you wish to learn more about Conficker directly from Microsoft, the following links are a good resource:
Microsoft Press Release:
Microsoft Conficker Page
[UPDATE - 02/12/09 - 18:27]
There have been several articles regarding this joint effort. We're pleased to see this attract widespread attention. I've pasted a few links below for reference:
Posted February 12, 2009, at 09:01 AM by Andre' - Semper_Securus