Highlights
– International coalition announces its plan to defeat the 10-million-plus botnet created by the Conficker worm
– Researchers decode the Conficker worm and take steps to prevent infected computers from contacting potential command-and-control servers
– The sophistication of viruses and worms is likely to continue as authors build upon the weaknesses discovered by past malicious software
The Conficker computer worm – a self-replicating computer program – has infected an estimated 10 million personal computer (PC) systems running the Microsoft Windows operating system (OS) since it first surfaced in November 2008, and this large outbreak has caught the attention of security researchers, technology companies, and domain name registrars who have formed an international coalition to defeat the worm. On February 12, 2009, the international coalition announced that it had taken unprecedented steps to keep the worm separate from the command-and-control servers that could control it. On the same day, Microsoft announced it was offering a $250,000 reward for information that leads to the arrest and conviction of those responsible for launching the worm.
The worm spreads autonomously by infecting systems running the Microsoft Windows OS that have not been updated to fix a security vulnerability in the OS, and it has been creating a global botnet – a collection of computers infected by malicious software that are often controlled by a central server. As the worm has grown over the past several months, researchers have voiced their concerns over its ability to attack and cripple virtually any server on the Internet. An additional concern is that the worm could be leased out to spammers in order to send billions of unsolicited commercial bulk e-mail (spam) messages.
The worm has also caught the attention of the United States (US) Federal Bureau of Investigation, which has been trying to develop investigative leads on the worm’s author by investigating those registering any of the domains randomly generated by the worm.
In the near to medium-term, we expect the actions by the international coalition to keep the worm a “sleeping giant” until information technology (IT) personnel and end users clean their infected systems and install the emergency software patch released by Microsoft in November 2008.
Implementing A Coordinated Strategy To Defeat The Worm
Since discovering the worm in November 2008, researchers have been hard at work dismantling the worm’s code to discover how it works, and have been using various techniques to measure how widespread the infection has become. After cracking the worm’s code shortly after the worm first surfaced, researchers learned that the worm would create a randomly generated list of 250 different domain names on a daily basis that it would attempt to contact. The researchers knew that the servers behind any one of those domains could be used to deliver additional malicious software or instructions to the millions of compromised computer systems worldwide, leading to attacks on a specific target or targets or to the beginning of a new wave of unrelenting spam e-mail messages.
With close to 2,000 domain names being generated by the worm each week, researchers and small private companies financially supporting the fees associated with registering each domain were starting to feel the financial burden and soon stopped registering the domains. Fearing a repeat of a similar botnet called “Srizbi” that sent billions of spam e-mail messages each day until it was temporarily taken offline in November 2008, the Internet Corporation for Assigned Names and Numbers (ICANN) stepped in to help. ICANN oversees the Internet’s Domain Name System (DNS), the translation of domain names into internet protocol (IP) addresses recognized by computer systems, and after joining the efforts to stop the spread of the Conficker worm, stated that it would allow domain name registrars to set aside any domains sought by Conficker-infected systems now or in the future. This unprecedented step by ICANN would effectively keep infected computers from contacting any command-and-control servers to receive further instructions or malicious software, and would give anti-virus manufacturers time to disseminate updated software programs to remove the worm from infected systems and Microsoft time to continue its campaign to alert users of the need to patch their systems.
The antivirus firm Kaspersky has also taken a new approach to helping the Internet community fight the spread of the Conficker worm by teaming up with OpenDNS, a company that offers free DNS resolution for consumers and businesses as an alternative to using their ISP’s DNS servers. Kaspersky has decompiled the Conficker worm and understands the algorithm it uses to generate new domains. After generating this list each day, Kaspersky gives it to OpenDNS, which ensures those using its service are blocked from visiting those sites, effectively stopping any infected computer systems from contacting a command-and-control server on a network that uses OpenDNS.
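The defensive pattern described in the two paragraphs above (pre-compute the day's generated domains from a known algorithm, then have the resolver refuse them) is shown here as an added example; it is not code from the article, Kaspersky or OpenDNS. The domain generator is a hypothetical stand-in: the article does not give Conficker's real algorithm, and this one only reproduces its shape (deterministic, date-seeded, 250 names a day).

```python
import hashlib
from datetime import date, timedelta

# Hypothetical stand-in DGA: NOT Conficker's real algorithm. Anyone holding the
# algorithm can compute the list for any day in advance, which is the defender's lever.
TLDS = ("com", "net", "org", "info", "biz")

def daily_domains(day_iso, count=250):
    """Deterministic set of domains the stand-in DGA yields for an ISO date string."""
    domains = set()
    i = 0
    while len(domains) < count:
        digest = hashlib.sha256(f"{day_iso}:{i}".encode()).digest()
        length = 5 + digest[0] % 7                                  # 5..11 letters
        label = "".join(chr(ord("a") + b % 26) for b in digest[1:1 + length])
        domains.add(f"{label}.{TLDS[digest[12] % len(TLDS)]}")
        i += 1
    return domains

def build_blocklist(today_iso, skew_days=1):
    """Union of the lists around today, so an infected host whose clock is a day
    behind or ahead still hits the blocklist instead of slipping past it."""
    today = date.fromisoformat(today_iso)
    block = set()
    for offset in range(-skew_days, skew_days + 1):
        block |= daily_domains((today + timedelta(days=offset)).isoformat())
    return block

def filter_queries(log_lines, blocklist):
    """Resolver-side check over lines of the form '<time> <client-ip> <qname>'.
    Returns the blocked queries and per-client hit counts: the same list that sinkholes
    the lookup also tells IT staff which internal hosts are infected."""
    blocked, hits = [], {}
    for line in log_lines:
        ts, client, qname = line.split()
        qname = qname.rstrip(".").lower()
        if qname in blocklist:
            blocked.append((ts, client, qname))
            hits[client] = hits.get(client, 0) + 1
    return blocked, hits

if __name__ == "__main__":
    block = build_blocklist("2009-02-12")
    log = [f"08:00:01 192.0.2.10 {sorted(daily_domains('2009-02-12'))[0]}.",
           "08:00:02 192.0.2.11 www.example.com."]                 # constructed log lines
    print(filter_queries(log, block))
```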
ICANN has stated that it will continue to work with the registry community to refine its policies on how to deal with future domain name-based threats, and in the long term, we believe it will play an increasing role in defeating massive botnets and the worms that create them.
Malicious Software Will Continue To Evolve
The Conficker worm highlights the continual evolution of viruses and worms as unscrupulous authors create more sophisticated programs that are more successful at defeating anti-virus programs and attempts by security experts to cut off access to massive botnets attempting to contact command-and-control servers. In the near to mid-term, we expect more authors of viruses and worms to modify current incarnations of these malicious programs to create new viruses and worms that are loadable onto more software platforms (computers and mobile phones), more difficult to remove, and more resilient in their ability to survive attempts to disrupt or shut down resulting botnets.