
Cyber: Security Community Bands Together To Defeat Worm

Highlights

– International coalition announces its plan to defeat the 10 million plus botnet created by the Conficker worm
– Researchers decode the Conficker worm and take steps to prevent infected computers from contacting potential command-and-control servers
– The sophistication of viruses and worms is likely to continue as authors build upon the weaknesses discovered by past malicious software

The Conficker computer worm – a self-replicating computer program – has infected an estimated 10 million personal computer (PC) systems running the Microsoft Windows operating system (OS) since it first surfaced in November 2008, and this large outbreak has caught the attention of security researchers, technology companies, and domain name registrars who have formed an international coalition to defeat the worm. On February 12, 2009, the international coalition announced that it had taken unprecedented steps to keep the worm separate from the command-and-control servers that could control it. On the same day, Microsoft announced it was offering a $250,000 reward for information that leads to the arrest and conviction of those responsible for launching the worm. The worm, which spreads itself autonomously by infecting systems running the Microsoft Windows OS that have not been updated to fix a security vulnerability in the OS, has been creating a global botnet – a collection of computers infected by malicious software that are often controlled by a central server. As the worm has grown in size over the past several months, researchers have voiced their concerns over its ability to attack and cripple virtually any server on the Internet. An additional concern is that the worm could be leased out to spammers in order to spew billions of unsolicited commercial bulk e-mail (SPAM) messages.
The worm has also caught the attention of the United States (US) Federal Bureau of Investigation, which has been trying to get investigative leads on the worm’s author by investigating those registering any of the domains randomly generated by the worm. In the near to medium-term, we expect the actions by the international coalition to keep the worm a “sleeping giant” until information technology (IT) personnel and end users clean their infected systems and install the emergency software patch released by Microsoft in November 2008.

Implementing A Coordinated Strategy To Defeat The Worm

Since discovering the worm in November 2008, researchers have been hard at work dismantling the worm’s code to discover how it works, and have been using various techniques to measure how widespread the infection has become. After cracking the worm’s code shortly after the worm first surfaced, researchers learned that the worm would create a randomly generated list of 250 different domain names on a daily basis that it would attempt to contact. The researchers knew that the servers behind any one of those domains could be used to serve the millions of compromised computer systems worldwide additional malicious software or instructions that could lead to attacks on a specific target(s) or the beginning of a new wave of unrelenting spam e-mail messages. With close to 2,000 domain names being generated by the worm each week, researchers and small private companies financially supporting the fees associated with registering each domain were starting to feel the financial burden and soon stopped registering the domains. Fearing a repeat of a similar botnet called “Srizbi” that sent billions of spam e-mail messages each day until it was temporarily taken offline in November 2008, the Internet Corporation for Assigned Names and Numbers (ICANN) stepped in to help.
ICANN oversees the Internet’s Domain Name System (DNS), the translation of domain names into internet protocol (IP) addresses recognized by computer systems, and after joining
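The defender-side workflow the report describes (pre-compute each day's candidate domains so they can be registered or sinkholed, then match DNS query logs against that set to find infected hosts) is illustrated below as an added example; this is not code from the OODA report or from the coalition's tooling. The generator is a constructed, date-seeded stand-in that reproduces only the "250 domains per day" property, not Conficker's real algorithm, and the log format is invented.

```python
import datetime as dt
import hashlib
from typing import Dict, List, Set

# Constructed stand-in DGA (NOT Conficker's real algorithm). It is deterministic
# per date, which is the property that lets defenders compute the list in advance.
TLDS = ("com", "net", "org", "info", "biz")
DOMAINS_PER_DAY = 250


def daily_domains(day: dt.date, count: int = DOMAINS_PER_DAY) -> Set[str]:
    """Return the candidate rendezvous domains the stand-in DGA yields for one day."""
    names: Set[str] = set()
    counter = 0
    while len(names) < count:  # loop guards against the (rare) duplicate label
        digest = hashlib.sha256(f"{day.isoformat()}:{counter}".encode()).digest()
        length = 8 + digest[0] % 4  # 8..11 character labels
        label = "".join(chr(ord("a") + b % 26) for b in digest[1:1 + length])
        names.add(f"{label}.{TLDS[digest[31] % len(TLDS)]}")
        counter += 1
    return names


def registration_list(start: dt.date, days: int) -> List[str]:
    """Domains a coalition would have to register or sinkhole for the coming period."""
    out: Set[str] = set()
    for offset in range(days):
        out |= daily_domains(start + dt.timedelta(days=offset))
    return sorted(out)


def infected_hosts(log_lines: List[str], day: dt.date) -> Dict[str, Set[str]]:
    """Map client IP -> queried candidate domains, i.e. hosts that look infected."""
    candidates = daily_domains(day)
    hits: Dict[str, Set[str]] = {}
    for line in log_lines:
        parts = line.split()  # constructed format: "<time> <client_ip> query <qname>"
        if len(parts) >= 4 and parts[2] == "query":
            qname = parts[3].rstrip(".").lower()
            if qname in candidates:
                hits.setdefault(parts[1], set()).add(qname)
    return hits


# Constructed sample DNS log: one host queries a day's candidate, one is benign.
SAMPLE_DAY = dt.date(2009, 2, 12)
SAMPLE_LOG = [
    f"12:00:01 10.0.0.5 query {sorted(daily_domains(SAMPLE_DAY))[0]}.",
    "12:00:02 10.0.0.9 query www.example.com.",
]
```

Running `infected_hosts(SAMPLE_LOG, SAMPLE_DAY)` flags only 10.0.0.5; `registration_list(SAMPLE_DAY, 7)` shows why a week of pre-registration adds up to roughly 1,750 names.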

OODA Analyst
