Application security, Network Security

Microsoft leads collaboration to subdue Conficker botnet

Microsoft is leading an unprecedented industry charge to disarm the pernicious Conficker worm, which has resulted in the largest corporate malware outbreak in years.

The worm's malicious code that is installed on victim machines -- totaling up to 12 million worldwide -- is programmed to check in daily with about 250 unique domains for further instructions from the command-and-control server. So far, though, the bot controller has not registered any of the domains; therefore, compromised computers have been sitting silently, awaiting the go-ahead to act.

Microsoft and a number of technology, academic and research organizations announced Thursday that they are trying to head off this potential before it leads to the spread of spam or additional malware, or the launch of a destructive denial-of-service attack.

Recently, F-Secure was able to reverse engineer the malware's code, allowing this newly formed coalition to register the domain names before the bot herders can. The domains under control by the Microsoft-led group -- now numbering in the tens of thousands -- are being directed to servers that can log and track infected systems, according to Symantec.

"What really spurred this is the sense that, given the large number of infections, this bot network could cause a lot of trouble," Kevin Haley, director of product management at Symantec, told "It's too dangerous to sit around and just let it be there."

The move to register the domains before the bot herder can is one that requires coordination among top-level domain operators, such as VeriSign and NeuStar, said Greg Rattray, chief internet security adviser with the Internet Corp. for Assigned Names and Numbers (ICANN), a nonprofit responsible for allocation of IP space on the internet.

Nine domains were written into the worm's algorithm, including two "country code" domains -- .cn (China) and .ws (Western Samoa) -- with whom ICANN does not have an existing relationship because they are country owned, Rattray said. ICANN's main responsibility was getting these providers on board, as well as assuring existing partners that they were not breaking any rules by allowing the Microsoft-led coalition exclusive rights to the rogue domains.

"In general, the domain name space is supposed to be a free market and you're not supposed to take the free market out of play," Rattray told "This is treading new ground."

Even with this new strategy, the drone machines making up the Conficker botnet still can communicate with each other through peer-to-peer functionality, meaning compromised computers on the same local network can exchange instructions, Haley said. But this is a far less effective technique because it relies on the machines to stay infected.

Meanwhile, Microsoft also announced Thursday that it was offering a $250,000 reward for the arrest and conviction of the masterminds of Conficker, also known as Downadup.

Jose Nazario, manager of  research at network security firm Arbor Networks, said the collaboration will prevent the malware outbreak from getting worse.

"It hopefully shows attackers that the good guys own DNS (Domain Name System) and the good guys can basically shut you out when needed," Nazario said.

Nazario said Microsoft is registering many of the domains and was receiving a discount, but it was not immediately clear how much they were paying. A typical domain costs about $15 to register.

The SANS Internet Storm Center on Friday posted a comprehensive list of Conficker resources, such as links to removal tools.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.