Industry collaboration: Drumming up defenses

With no funding or charter, the Conficker Working Group has proven that industry collaboration can be effective, reports Angela Moscaritolo.

It's a plot straight out of a Hollywood blockbuster. A cybergang has unleashed a dangerous computer worm and managed to infect millions of PCs around the world. The group has taken control of these victimized computers and now has the capacity to inflict major damage via the internet. Individuals and enterprises scramble to clean up their infected computers, but the attackers' hold is strong. That's when an unlikely group of researchers from competing computer security companies band together to neutralize the threat.

It's not the plot of a film – not yet, at least. But it is a real threat named Conficker, one of the most sophisticated pieces of malware ever identified. The worm was let loose in late November 2008 and has so far infected an estimated 35 million systems, giving attackers control of a massive botnet of infected machines.

However, while the worm is responsible for the largest corporate malware outbreak in years, the computer security industry's response has fostered unprecedented collaboration that, by all accounts, has been an extraordinary success and will likely serve as the model for fighting future cyberthreats. That's because Conficker has led to the formation of the Conficker Working Group, individuals from 60 corporate, nonprofit, educational and government organizations, along with 116 domain registrars worldwide.

“The Conficker Working Group is the greatest collaboration of top level security experts for specific malware research in industry history,” says Eric Sites, CTO of antivirus vendor, Sunbelt Software and a member of the Conficker Working Group. “The collaborative efforts of the Conficker Working Group are responsible for preventing a large scale attack.” 

The group was founded because the individuals involved, many from competing security firms, believed that the threat posed by Conficker transcended profit margins and market share. In fact, the risk was so great that they refused to sit idly by and wait for law enforcement to take action. Something had to be done immediately.

“It was an amazing effort by a diverse group of people who came together and did the right thing,” says Rodney Joffe (left), SVP at domain name registrar NeuStar.

Conficker.A- and B-infected systems attempt to make contact with 250 websites every day using domain names that are generated by an algorithm within the malware. The websites serve as command-and-control hubs that allow those behind Conficker to maintain control of the botnet and issue further instructions to infected machines.

By reverse engineering the malware's code, security researchers cracked the domain-generation algorithm and were able to forecast all the websites to which infected bots would be checking in. Members of the coalition then preregistered the domains before attackers could.

“By having all those domains registered by Conficker Working Group, the traffic destined for those domains from the infected bots was instead going to [the group]. This allowed us to get more information into the traffic we saw,” says André DiMino, director of the Shadowserver Foundation, a volunteer internet security watchdog group.

Analyzing the malware and information obtained about infected machines required cooperation among researchers who work for anti-virus companies that ordinarily compete with one another, Joffe said. In addition, the move to register the domains before the bot herder did is one that required coordination among top level domain operators (TLD), such as VeriSign, NeuStar and the Internet Corp. for Assigned Names and Numbers (ICANN), a nonprofit responsible for allocation of IP space on the internet.

ICANN's involvement in the Conficker Working Group has been particularly groundbreaking, DiMino says. The nonprofit's main responsibility has been to assure domain registrars that they were not breaking any rules by allowing the coalition exclusive rights to the rogue domains, says Greg Rattray, chief internet security adviser at ICANN.

“The domain name space is supposed to be a free market and you're not supposed to take the free market out of play,” Rattray says. “This is treading new ground.”

Subsequently, nine TLDs were written into the worm's algorithm, including .org, .biz and .info, along with two “country code” domains – .cn (China) and .ws (Western Samoa). ICANN also worked to get the .cn and .ws providers on board, with whom the nonprofit did not previously have an existing relationship because they are country owned, says Rattray.

Later, when Conficker mutated into variant C, the task of registering domains got much more challenging because the worm's authors moved from a 250-a-day domain-generation algorithm across nine TLDs to a new one that generated 50,000 domain names a day across 116 TLDs. Also, some of the registries that Conficker's authors picked were small operations located in underdeveloped countries.

“They made the assumption that we wouldn't be able to reach out to all the TLDs and overcome all those barriers,” Joffe says. “Somehow the Conficker Working Group was able to do it.”

In all, millions of domains were pre-registered and the group was able to successfully neutralize early variants of the worm by releasing the attackers' hold on infected machines.

“This threat was largely unknown at the onset and morphed substantially over time,” says Kris Lamb, director of IBM's X-Force research and development team. “The group is significant because without it and much of the knowledge that came out of it, security providers would have found it much more challenging to put protections in place for customers and evolve protections over time.” 

The fight rages on

But even with the group's successful mitigation efforts, 6.5 million systems remain infected with the worm, according to estimates. In the most recent variants, drone machines making up the Conficker botnet still can communicate through peer-to-peer functionality, meaning compromised computers on the same local network can exchange instructions.

Currently, members of the group are actively working to combat the latest variants of Conficker – and will continue their efforts as the worm mutates in the future, Joffe says. Also, the group is working to reignite public awareness about Conficker since so many systems remain infected, even though there are free removal tools available.

Some members of the group are pushing to publicize the IP addresses of systems still infected with the Conficker worm to encourage individuals to clean up the infections. For now, the group is planning to take a less drastic approach to encourage remediation efforts by providing a list of infected IP addresses to a number of trade organizations, hoping they will put pressure on members who have infections in their networks to remove the malware.

In addition, the group has already provided data obtained about the Conficker worm and botnet to the National Cyber-Forensics and Training Alliance (NCFTA), a Pittsburgh-based nonprofit law enforcement group tasked by the federal government to investigate and find those behind the threat.

For an informal group with no funding, charter or membership agreement, the Conficker Working Group has proven that industry collaboration is not only possible, but effective, say industry analysts. The group's success has even attracted White House-level attention and Joffe has briefed numerous federal government agencies about the group's work.

“This will serve as a model in the future,” Joffe says. “Within government, this is being pointed to as the model, or poster child, that collaboration within private industry really can work across borders. We were able to get collaboration in ways that had never been seen before.”


Statistics: Conficker

Total infections to date: 35 million unique IPs.
Variants: Conficker.A, Conficker.B, Conficker.C/Conficker.B++, Conficker.D.
Aliases: Downup, Downadup and Kido
Date the latest version was first detected: March 4, 2009

Up close: Conficker Working Group:

Formed: February 2009.
Membership base: Some members of the group would rather not be identified, but the public-facing members include: 1and1, Afilias, AOL, Arbor, Cisco, ESET, F-Secure, Facebook, Georgia Institute of Technology, Global Domains International, IBM-ISS, ICANN, Internet Storm Center, Internet Systems Consortium, IT-ISAC, Juniper, Kaspersky, McAfee, Microsoft, Neustar, NIC Chile, SecureWorks, Shadowserver, Sophos, SRI International, Support Intelligence, Symantec, Team Cymru, Trend Micro, Verisign.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.