The Rendon Group-authored report, commissioned by the Department of Homeland Security, says CWG members acknowledge that the group failed to remediate infected machines and so never killed off the botnet altogether; today, millions of machines remain infected with the Conficker A/B variants. "Members of the group recommended a greater focus on remediation from the start and more coordinated communication with ISPs," the report says. "However, some indicated that total remediation may not have been a realistic goal."
The working group considers its biggest accomplishment to be that it stopped Conficker's creator from controlling the botnet, and that work is still in progress: members continue to block domains so that Conficker doesn't re-emerge.
According to the report, CWG members say one of the main reasons they were able to wrest control of the botnet was the help and cooperation of ICANN and top-level domain providers. "Without these organizations, the group would have been able to do little to scale the registration of international domains to block Conficker C from using domains to update," the report says. "Processes are now in place that may make future coordination efforts easier, and many countries are reviewing domestic regulations, which would hopefully streamline their internal processes for dealing with such threats."
Conficker, which was poised to build a massive global botnet, emerged in fall 2008 as Conficker A and immediately began infecting computers that had not yet installed a newly released Windows patch. Conficker B followed soon after, adding the ability to spread via USB devices, among other things. Microsoft, ICANN, domain registry operators, antivirus companies, and university and other researchers all began blocking infected machines from communicating with the domains the worm used for updates. The group eventually christened itself the Conficker Working Group; its basic method was to register and block those domains before Conficker's author could use them to update the bots. "Despite a few errors, that effort was very successful," the report says.
The release of another variant of the worm, Conficker C, was more problematic. The variant appeared in February 2009 and updated nearly 1 million machines running the older variants to C. "The new features present in the C variant showed that the author was adapting to the Working Group's methods and trying to break them," according to the report. "Starting on April 1, 2009, the C version of the code would generate 50,000 pseudorandom domains per day from more than 116 domains all over the world."
The CWG had been able to block the 250 domains per day generated by Conficker A/B, but Conficker C was far harder to control. "They faced the challenge of organizing in less than three weeks to coordinate with over 100 countries and block over 50,000 domains per day. Even with the large task in front of them, the group managed an impressive amount of success in blocking the domains generated by Conficker C," the report says.
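The defensive method the report describes rests on one property of a domain generation algorithm (DGA): because the domain list depends only on the calendar date, a defender who knows the algorithm can compute the same list ahead of time, hand each registry its share of names to register or block, and match DNS logs against the set. The following is an added illustration, not code from the report or from the Conficker Working Group, and the generator is a constructed toy rather than Conficker's real algorithm: the TLD list, the per-day domain count, the label lengths and the sample DNS log lines are all assumptions chosen for the demonstration.

```python
"""Illustrative date-seeded DGA and the defender-side pre-computation that a
CWG-style sinkholing effort depends on.

Added example only. The generator is a constructed toy, NOT Conficker's real
algorithm; the TLD set, domain count, label lengths and log lines below are
assumptions made up for this demonstration.
"""
import datetime as dt
import hashlib
from collections import Counter

ALPHABET = "abcdefghijklmnopqrstuvwxyz"
# Hypothetical TLD set (the real Conficker C drew on more than 116 TLDs).
TLDS = ["com", "net", "org", "info", "biz", "ws", "cn", "cc", "cz"]


def daily_domains(day: dt.date, count: int = 100, tlds=TLDS) -> list[str]:
    """Deterministically derive `count` domains for `day`.

    The bot and the defender can both run this: the only secret-free input is
    the date, so whoever computes the list first can register or block it.
    """
    seed = day.strftime("%Y%m%d").encode()
    domains = []
    for i in range(count):
        digest = hashlib.sha256(seed + i.to_bytes(4, "big")).digest()
        length = 8 + digest[0] % 5                       # label of 8..12 chars
        label = "".join(ALPHABET[b % 26] for b in digest[1:1 + length])
        tld = tlds[digest[31] % len(tlds)]               # spread across TLDs
        domains.append(f"{label}.{tld}")
    return domains


def blocklist_by_tld(start: dt.date, days: int, count: int = 100) -> dict[str, set[str]]:
    """Pre-compute every domain for `days` days from `start`, bucketed by TLD.

    Each bucket is the worklist one registry has to act on; the bucket sizes
    are what the coordination effort has to negotiate per country/registry.
    """
    by_tld: dict[str, set[str]] = {}
    for n in range(days):
        for domain in daily_domains(start + dt.timedelta(days=n), count):
            tld = domain.rsplit(".", 1)[1]
            by_tld.setdefault(tld, set()).add(domain)
    return by_tld


def flag_queries(log_lines, blocklist: set[str]) -> list[tuple[str, str]]:
    """Return (client, domain) pairs for DNS queries that hit the DGA set.

    Assumed log format (constructed): "<timestamp> <client-ip> <qtype> <qname>".
    """
    hits = []
    for line in log_lines:
        fields = line.split()
        if len(fields) < 4:
            continue                                     # skip malformed lines
        client, qname = fields[1], fields[3].lower().rstrip(".")
        if qname in blocklist:
            hits.append((client, qname))
    return hits


# Constructed sample: one query to a generated domain between two benign ones.
DAY = dt.date(2009, 4, 1)
SAMPLE_LOG = [
    "2009-04-01T09:58:12 10.0.0.5 A www.example.com",
    f"2009-04-01T10:00:01 10.0.0.5 A {daily_domains(DAY)[3]}",
    "2009-04-01T10:00:03 10.0.0.9 A update.microsoft.com",
]

if __name__ == "__main__":
    buckets = blocklist_by_tld(DAY, days=7)
    sizes = Counter({tld: len(names) for tld, names in buckets.items()})
    print("per-registry worklist for one week:", dict(sizes.most_common()))
    print("flagged:", flag_queries(SAMPLE_LOG, set(daily_domains(DAY))))
```

Scaling the constructed numbers up to the report's figures (50,000 names a day across more than 116 TLDs, for every day the worm stays alive) is what turned the A/B-era routine of 250 registrations a day into a multi-country coordination problem; the per-TLD buckets make that workload visible before the first of those days arrives.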
Conficker served as a wake-up call for the need for this type of response and cooperation. According to one CWG member interviewed for the report, "In some ways, we're thankful for Conficker ... It helped us get things done we couldn’t before."
The full report is available here (PDF) for download.