A new report from the Conficker Working Group concludes that coordinated efforts to stomp out the botnet were a mixed bag: helping to thwart the worm’s efforts to register Web domains that it used to spread, but failing to remove the worm from infected Windows computers.
The report released this month, analyzes the fruits of a two year-old effort by a consortium of security firms, ISPs and top level domain (TLD) operators to battle variants of the Conficker worm. The group became a model of how to respond to and slow the spread of fast-moving, modern malware. However, the Conficker Working Group said it largely failed to remediate infected computers and eliminate the threat of the botnet, as millions of Conficker infected PCs remain. A larger, more permanent private-public partnership may be needed to focus on a “long term battle,” rather than ad-hoc efforts to quash specific threats, the report concluded.
Conficker was a sophisticated piece of malware that first appeared in November, 2008 and went on to infect millions of Windows computers and create what is still one of the largest active botnets on the Internet. At its height of activity, the CWG comprised representatives of tope computer security firms – including Microsoft, top anti malware firms, academic researchers, domain registry operators as well as representatives from ICANN and ISPs.
Initially, the group attempted to block the spread of the worm by black listing the domains that it used to spread, and by anticipating and pre-registering the randomly generated domain names that the worm used. That approach was successful in depriving early Conficker variants of their main method of propagating. In particular, ICANN’s involvement in the CWG was a critical component to its success in snuffing out Conficker domains, said Jose Nazario, a network security researcher at Arbor Networks.
If nothing else, security firms learned that they can cooperate to fight a threat like Conficker without putting themselves at a competitive disadantage, Nazario said.
A C-variant of the worm, released in 2009, responded to the efforts of the CWG, generating 50,000 pseduo-random domains a day from 116 locations worldwide, making it harder for the CWG to block malicious domain registrations. The battle to counter Conficker and the worm author’s response to those efforts proved the limits of technical approaches to remediation, said Nazario.
“I think one lesson is that we can’t patch our way out of this,” he told Threatpost.
Nazario led the remediation effort for CWG and said he feels like that effort was not successful.
“This has given me great pause over the past couple years,” he said. “(CWG) highlights a big gap in this space: you can have all the technology in the world to throw at this thing not make a dent in terms of getting rid of infected machines,” he said.
Nazario said members entertained any and all ideas to eradicate the worm, including shipping millions of CDs to consumers that would bundle a removal program with songs, game demos or other attractive content. Ultimately, however, those ideas were rejected. That said, Nazario believes that the Internet community learned valuable lessons just by gearing up to battle Conficker – and that the coming years bring more progress on international and cross-industry efforts to stamp out subsequent outbreaks.
The recent example set by the Dutch cyber crime unit may be one model. After busting up the operation of the Bredolab botnet, the country’s High Tech Crime Team redirected computers infected by Bredolab to a Web page that offered instructions on removing the malicious program.
Nazario said that such an operation can work in a country like The Netherlands, where the public has trust in the government’s motives and capabilities, and where local laws support such action. However, its a model that might not scale globally, in countries where the government is not viewed with trust, or where laws prohibit such intrusions.
And, despite thousands of hours of work and analysis, its still not clear who created the Conficker worm or why it was created. There have been suggestions that the worm, which was used only briefly to distribute scareware, may have been a sophisticated ruse designed to divert attention from other, more dangerous goings on, or targeted attacks.
Nazario said he still doesn’t know where Conficker came from or what its purpose was, but said the lessons learned fighting the worm are still valuable.
“If it was a ruse, I’m hoping that what we’ve learned and built out of this – the e-mail addresses and the trust- have forced adjustments so that we can hit them harder and faster the next time.” Forming that capability is one of the fundamental challenges of the next five years, he said.