Microsoft leads collaboration to subdue Conficker botnet

Microsoft is leading an unprecedented industry charge to disarm the pernicious Conficker worm, which has resulted in the largest corporate malware outbreak in years.

The worm's malicious code that is installed on victim machines -- totaling up to 12 million worldwide -- is programmed to check in daily with about 250 unique domains for further instructions from the command-and-control server. So far, though, the bot controller has not registered any of the domains; therefore, compromised computers have been sitting silently, awaiting the go-ahead to act.

Microsoft and a number of technology, academic and research organizations announced Thursday that they are trying to head off this potential before it leads to the spread of spam or additional malware, or the launch of a destructive denial-of-service attack.

Recently, F-Secure was able to reverse engineer the malware's code, allowing this newly formed coalition to register the domain names before the bot herders can. The domains under the control of the Microsoft-led group -- now numbering in the tens of thousands -- are being directed to servers that can log and track infected systems, according to Symantec.
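The daily domain-generation scheme and the pre-registration (sinkhole) defence described above, as an added example that is not part of the original article: a toy, date-seeded generator (an assumption standing in for the real algorithm, which this page does not reproduce) lets a defender pre-compute the day's candidate list for registration and match constructed DNS query log lines against it to spot infected clients.

```python
import hashlib
from datetime import date

# Constructed TLD list; the article says nine TLDs were used, these are placeholders.
TLDS = ["com", "net", "org", "info", "biz"]


def daily_domains(day, count=250, seed=b"constructed-seed"):
    """Toy DGA: derive `count` deterministic domains from the date and a fixed seed.
    Both sides of the race (worm and coalition) can compute the same list, which is
    exactly why reverse engineering the generator lets defenders register first."""
    domains = []
    for i in range(count):
        digest = hashlib.sha256(seed + day.isoformat().encode() + i.to_bytes(2, "big")).digest()
        length = 8 + digest[0] % 4                       # label of 8..11 characters
        label = "".join(chr(ord("a") + b % 26) for b in digest[1:1 + length])
        domains.append(f"{label}.{TLDS[digest[31] % len(TLDS)]}")
    return domains


def sinkhole_hits(log_lines, day):
    """Return (client, domain) pairs for queries that match the day's DGA set.
    Log format (constructed): '<time> <client-ip> <queried-name>'."""
    wanted = set(daily_domains(day))
    hits = []
    for line in log_lines:
        parts = line.split()
        if len(parts) < 3:
            continue
        client, qname = parts[1], parts[2].rstrip(".").lower()
        if qname in wanted:
            hits.append((client, qname))
    return hits


def example_run(day=date(2009, 2, 13)):
    """Constructed resolver log: one client asks for a DGA domain, one does not."""
    doms = daily_domains(day)
    log_lines = [
        f"12:00:01 10.0.0.5 {doms[3]}.",
        "12:00:02 10.0.0.6 example.com.",
        "12:00:03 10.0.0.7 www.example.org.",
    ]
    return sinkhole_hits(log_lines, day)


if __name__ == "__main__":
    print(example_run())   # lists the one client that queried the day's DGA domain
```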

"What really spurred this is the sense that, given the large number of infections, this bot network could cause a lot of trouble," Kevin Haley, director of product management at Symantec, told "It's too dangerous to sit around and just let it be there."

The move to register the domains before the bot herder can is one that requires coordination among top-level domain operators, such as VeriSign and NeuStar, said Greg Rattray, chief internet security adviser with the Internet Corp. for Assigned Names and Numbers (ICANN), a nonprofit responsible for allocation of IP space on the internet.

Nine domains were written into the worm's algorithm, including two "country code" domains -- .cn (China) and .ws (Western Samoa) -- with whom ICANN does not have an existing relationship because they are country owned, Rattray said. ICANN's main responsibility was getting these providers on board, as well as assuring existing partners that they were not breaking any rules by allowing the Microsoft-led coalition exclusive rights to the rogue domains.

"In general, the domain name space is supposed to be a free market and you're not supposed to take the free market out of play," Rattray told "This is treading new ground."

Even with this new strategy, the drone machines making up the Conficker botnet still can communicate with each other through peer-to-peer functionality, meaning compromised computers on the same local network can exchange instructions, Haley said. But this is a far less effective technique because it relies on the machines to stay infected.

Meanwhile, Microsoft also announced Thursday that it was offering a $250,000 reward for the arrest and conviction of the masterminds of Conficker, also known as Downadup.

Jose Nazario, manager of research at network security firm Arbor Networks, said the collaboration will prevent the malware outbreak from getting worse.

"It hopefully shows attackers that the good guys own DNS (Domain Name System) and the good guys can basically shut you out when needed," Nazario said.

Nazario said Microsoft is registering many of the domains and was receiving a discount, but it was not immediately clear how much they were paying. A typical domain costs about $15 to register.

The SANS Internet Storm Center on Friday posted a comprehensive list of Conficker resources, such as links to removal tools.