A militia of DNS providers, ISPs, global registrars and security firms is working together to defend against the potential for widespread damage caused by the Microsoft Conficker/Downadup worm.
The coalition of more than a dozen organizations is monitoring the worm's update algorithm, which generates a list of 250 domains per day that the worm will use to receive orders. The group is predicting those domains in advance and working with registrars to obtain them, effectively cutting off communication between the worm and its potential payload. In addition, Microsoft is offering a $250,000 reward for information that results in the arrest and conviction of those responsible for illegally launching the Conficker malicious code on the Internet.
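The pre-registration strategy described above, as an added illustration that is not from the article or from the working group: a constructed, date-seeded domain-generation algorithm stands in for the worm's real one (the hashing scheme and the TLD list are assumptions; only the 250-per-day figure comes from the article), and the defender pre-computes each day's list so registrars can hold every name before its date arrives.

```python
import hashlib
from datetime import date, timedelta
from typing import Dict, List, Set

TLDS = ["com", "net", "org", "info", "biz"]  # assumed list, not Conficker's
DOMAINS_PER_DAY = 250                          # daily count cited in the article


def dga(day: str, count: int = DOMAINS_PER_DAY) -> List[str]:
    """Constructed date-seeded DGA (not Conficker's real algorithm).
    Anyone who knows the algorithm, whether the worm author or a defender
    who has reversed the binary, derives the identical list for an ISO date."""
    domains = []
    for i in range(count):
        digest = hashlib.sha256(f"{day}:{i}".encode()).hexdigest()
        # eight lowercase letters derived from the first 16 hex digits
        label = "".join(chr(ord("a") + int(digest[j:j + 2], 16) % 26)
                        for j in range(0, 16, 2))
        tld = TLDS[int(digest[16:18], 16) % len(TLDS)]
        domains.append(f"{label}.{tld}")
    return domains


def _shift(day: str, days: int) -> str:
    return (date.fromisoformat(day) + timedelta(days=days)).isoformat()


def sinkhole_schedule(start: str, days_ahead: int) -> Dict[str, Set[str]]:
    """Defender side: pre-compute the lists for the coming days so that
    registrars can register or block every name before the worm asks for it."""
    return {_shift(start, d): set(dga(_shift(start, d))) for d in range(days_ahead)}


def uncovered(day: str, schedule: Dict[str, Set[str]]) -> Set[str]:
    """Names the worm would query on `day` that the schedule does not hold.
    A non-empty set is a gap the attacker could register first."""
    return set(dga(day)) - schedule.get(day, set())


if __name__ == "__main__":
    schedule = sinkhole_schedule("2009-02-12", days_ahead=7)
    print(len(uncovered("2009-02-12", schedule)))  # 0: fully covered
    print(len(uncovered("2009-02-19", schedule)))  # 250: beyond the horizon
```

The registration workload grows linearly with the number of names per day, which is why Vixie's hypothetical of 25 million domains per day would need a different approach.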
The coalition includes DNS providers Neustar Inc. and Internet Systems Consortium Inc. (ISC). Other organizations include Microsoft, ICANN, VeriSign Inc., the China Internet Network Information Center (CNNIC), Afilias Inc., Public Internet Registry, Global Domains International Inc., M1D Global, America Online Inc., Symantec Corp., F-Secure Corp., researchers from Georgia Tech, The Shadowserver Foundation, Arbor Networks Inc. and Support Intelligence LLC.
Past worms used a relatively small number of command and control servers, making it easier to go to an ISP and hosting domain to cut off command and control, said Vincent Weafer, vice president of Symantec security response. All the attention being paid to Conficker/Downadup makes it increasingly unlikely that a payload will be delivered, Weafer said.
"What the attacker was relying on was the fact that no one would be willing and capable to go out and stop every single one of these domains," Weafer said. "For a single entity that is a daunting task."
Paul Vixie, president of the Internet Systems Consortium and creator of the popular Internet domain name server BIND, called the consortium unprecedented. He said the level of cooperation is greater than when industry experts and security pros worked together last summer to address Dan Kaminsky's DNS flaw.
"I think that if the next worm author to try this decides to use 25 million domains per day instead of 250, that we'll need a different bag of tricks than we're using this time," Vixie said. "But it's great to see all these competitors working together shoulder to jowl on measuring and containing this threat. That is a trick we'll definitely keep in our bag for next time."
The latest estimates put the Conficker/Downadup worm's infection rate at about 10 million machines since it began spreading in November. Symantec has a much more conservative estimate of about 2.5 million infected machines. The worm took advantage of organizations slow to patch a Microsoft remote procedure call (RPC) flaw, which was patched Oct. 28 in an emergency, out-of-band patch release. The botnet continues to grow, albeit slowly. It is spreading via USB sticks and other storage devices. Even if corporate systems and endpoint machines are fully patched, the worm can still infect a machine on the network and spread using mapped drives.
The group's biggest fear is the possibility of a massive distributed denial-of-service attack if the worm's author decides to send out orders to use the botnet's horde of infected computers to shut down Internet access to companies or certain networks.
Jose Nazario, senior security engineer for Arbor Networks, called the coalition, and the effort to be more proactive across industries, a good day for the Internet.
"Organizations are coordinating across folks like ICANN and various registrars to prevent the worm author from using one of the domain names they generate every day to issue updates to the zombies," Nazario said in an email exchange. "This goal required broad support and coordination to work. Without it, without ICANN's blessing and Microsoft's large table, this would have been much more challenging."
André M. DiMino, co-founder and director at The Shadowserver Foundation, also called the coalition a significant step in dealing with the botnet problem.
"Shadowserver has witnessed a dramatic evolution of botnet architectures and their widespread use in cybercrime," DiMino said in a statement. "Unfortunately, the traditional methods of mitigation and remediation have thus far been fractured and somewhat ineffective."