Conficker (aka Downadup) has turned out to be an annoyingly persistent pest, worming its way around actively for almost four months now.
In a high-profile effort to stem the worm’s continued re-spawning, Microsoft, Symantec and a crew of partners including ICANN, VeriSign, Neustar, Public Internet Registry, F-Secure, AOL, Support Intelligence and Arbor Networks unveiled a new alliance today aimed at trying to stomp the attack out by going after its very roots.
The effort specifically contends that it can help stop the worm by cutting off its domain name absorption patterns. However, as an added incentive that highlights how much trouble Conficker has wreaked, Microsoft has also posted a $250,000 (not million, hahaha, my bad!) bounty for anyone who can turn over the individual(s) responsible for launching the campaign.
Dr. Jose Nazario of Arbor, which specializes in security monitoring systems used by major infrastructure providers and large enterprises, has been one of the most recognizable experts tracking the escalation of botnets and other forms of mass-malware threats like Conficker, for a number of years.
In an interesting follow up to the alliance announcement, Nazario posted some additional details about the anti-Conficker effort on Arbor’s blog today.
Conficker’s unique makeup that has employed USB memory devices to spread itself in addition to more typical TCP/445 transit makes it truly potent with the attack “spreading like wildfire in the enterprise,” Nazario writes.
The expert outlines one of the techniques that the alliance, or “Conficker Cabal” has been employing to try take over domain names they believe will be next used in the attack via proactive pre-registration.
Broken open by researchers at F-Secure, the algorithm involved driving Conficker’s domain consumption attempts to use a “long list of psuedo-randomly generated domain names to contact over HTTP and then grab new code,” the expert said.
Having cracked the code, alliance members believe that they can now get ahead of the threat and choke it off now. Only the team efforts of F-Secure, Microsoft, ICANN, TLD ops and influential registrars, among others, have made the effort possible, he said.
However, despite all the optimism, the security community shouldn’t assume that it’s game over.
“Just because the bot’s update mechanism appears to be cut off doesn’t mean that it’s no longer a problem,” writes Nazario.