|
||
A paper released today by ICANN provides a chronology of events related to the containment of the Conficker worm. The report, “Conficker Summary and Review (PDF),” is authored by Dave Piscitello, ICANN’s Senior Security Technologist on behalf of the organization’s security team. Below is the introduction excerpt from the paper:
The Conficker worm first appeared in October 2008 and quickly earned as much notoriety as Code Red, Blaster, Sasser and SQL Slammer. The infection is found in both home and business networks, including large multi?national enterprise networks. Attempts to estimate the populations of Conficker infected hosts at any given time have varied widely, but all estimates exceed millions of personal computers.
The operational response to Conficker is perhaps as landmark an event as the worm itself. Internet security researchers, operating system and antivirus software vendors discovered the worm in late 2008. These parties as well as law enforcement formed an ad hoc effort with ICANN, Top Level Domain (TLD) registries and registrars around the world to contain the threat by preventing Conficker malware writers from using tens of thousands of domain names algorithmically?generated daily by the Conficker infection.
Conficker malware writers made use of domain names rather than IP addresses to make their attack networks resilient against detection and takedown. Initial countermeasures—sinkholing or preemptive registrations of domains used to identify Conficker’s command and control (C&C) hosts—prevented the malware writers from communicating with Conficker?infected systems and thus, presumably prevented the writers from instructing the botted hosts to conduct attacks or to receive updates. The Conficker malware writers responded to this measure by introducing variants to the original infection that increased the number of algorithmically generated domain names and distributed the names more widely across TLDs. To respond to this escalation, parties involved in containing Conficker contacted more than 100 TLDs around the world to participate in the containment effort.
The combined efforts of all parties involved in the collaborative response should be measured by more criteria than mitigation alone. The containment measures did not eradicate the worm or dismantle the botnet entirely. Still, the coordinated operational response merits attention because the measures disrupted botnet command and control communications and caused Conficker malware writers to change their behavior. The collaborative effort also demonstrated that security communities are willing and able to join forces in response to incidents that threaten the security and stability of the DNS and domain registration systems on a global scale.
Sponsored byVerisign
Sponsored byDNIB.com
Sponsored byCSC
Sponsored byWhoisXML API
Sponsored byRadix
Sponsored byIPv4.Global
Sponsored byVerisign
A World-Renowned Source for Internet Developments. Serving Since 2002.