
ICANN Security Team Reports on Conficker Post-Discovery Analysis

A paper released today by ICANN provides a chronology of events related to the containment of the Conficker worm. The report, “Conficker Summary and Review (PDF),” is authored by Dave Piscitello, ICANN’s Senior Security Technologist, on behalf of the organization’s security team. Below is an excerpt from the paper’s introduction:

The Conficker worm first appeared in October 2008 and quickly earned as much notoriety as Code Red, Blaster, Sasser and SQL Slammer. The infection is found in both home and business networks, including large multi-national enterprise networks. Attempts to estimate the populations of Conficker infected hosts at any given time have varied widely, but all estimates exceed millions of personal computers.

The operational response to Conficker is perhaps as landmark an event as the worm itself. Internet security researchers, operating system and antivirus software vendors discovered the worm in late 2008. These parties as well as law enforcement formed an ad hoc effort with ICANN, Top Level Domain (TLD) registries and registrars around the world to contain the threat by preventing Conficker malware writers from using tens of thousands of domain names algorithmically-generated daily by the Conficker infection.

Conficker malware writers made use of domain names rather than IP addresses to make their attack networks resilient against detection and takedown. Initial countermeasures—sinkholing or preemptive registrations of domains used to identify Conficker’s command and control (C&C) hosts—prevented the malware writers from communicating with Conficker-infected systems and thus, presumably prevented the writers from instructing the botted hosts to conduct attacks or to receive updates. The Conficker malware writers responded to this measure by introducing variants to the original infection that increased the number of algorithmically generated domain names and distributed the names more widely across TLDs. To respond to this escalation, parties involved in containing Conficker contacted more than 100 TLDs around the world to participate in the containment effort.

The combined efforts of all parties involved in the collaborative response should be measured by more criteria than mitigation alone. The containment measures did not eradicate the worm or dismantle the botnet entirely. Still, the coordinated operational response merits attention because the measures disrupted botnet command and control communications and caused Conficker malware writers to change their behavior. The collaborative effort also demonstrated that security communities are willing and able to join forces in response to incidents that threaten the security and stability of the DNS and domain registration systems on a global scale.
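The excerpt above describes the containment mechanism in prose: infected hosts derive a daily list of rendezvous domains from an algorithm, and defenders who know that algorithm can precompute the same list, pre-register or sinkhole every name, and watch resolver logs for hosts that query them. The following is an added illustration written for this article, not code from the ICANN paper and not Conficker's actual generator; it uses a hypothetical SHA-256 date-seeded generator with a constructed seed, RFC 2606 reserved TLDs as placeholders, and constructed resolver log lines. The `count` and `tlds` parameters show why the variants' escalation (more names per day, spread over more TLDs) multiplies the registration workload on the defending side.

```python
import hashlib
from datetime import date, timedelta

# Placeholder TLDs reserved by RFC 2606; the real effort spanned 100+ live TLDs.
TLDS = ("example", "test", "invalid")
# Assumption: a fixed secret baked into the generator and recovered by reverse engineering.
SEED = b"hypothetical-seed"
# Start of the demonstration window (constructed date, chosen arbitrarily).
DEMO_DAY = date(2009, 3, 1)


def generate_candidates(day, tlds=TLDS, count=5, seed=SEED):
    """Hypothetical date-seeded generator: every host running this code on
    `day` derives the same candidate rendezvous domains, so no IP address
    needs to be hard-coded and a single takedown does not sever control."""
    names = []
    for i in range(count):
        material = seed + day.isoformat().encode() + i.to_bytes(2, "big")
        digest = hashlib.sha256(material).hexdigest()
        label = digest[:10]                            # hex chars are valid DNS label chars
        tld = tlds[int(digest[-2:], 16) % len(tlds)]   # spread names across TLDs
        names.append(f"{label}.{tld}")
    return names


def build_sinkhole_list(start, days, tlds=TLDS, count=5):
    """Defender side: precompute every candidate for a coming window so the
    registries involved can pre-register or sinkhole them before bots ask.
    The list size is count * days, which is why raising `count` and adding
    TLDs forced the responders to enlist many more registries."""
    sinkholed = set()
    for offset in range(days):
        sinkholed.update(generate_candidates(start + timedelta(days=offset), tlds, count))
    return sinkholed


def parse_dns_log(lines):
    """Parse constructed resolver log lines of the form '<timestamp> <client> <qname>'."""
    records = []
    for line in lines:
        ts, client, qname = line.split()
        records.append((ts, client, qname.lower().rstrip(".")))
    return records


def flag_hosts(records, sinkholed, threshold=2):
    """Return {client: hits} for clients that queried at least `threshold`
    sinkholed candidate names; repeated hits on pre-registered names are a
    strong signal that the host is infected and should be triaged."""
    hits = {}
    for _, client, qname in records:
        if qname in sinkholed:
            hits[client] = hits.get(client, 0) + 1
    return {client: n for client, n in hits.items() if n >= threshold}


def constructed_log(day):
    """Constructed sample log: one host cycling through the day's candidates
    and one clean host resolving an ordinary name."""
    bot_queries = generate_candidates(day)[:3]
    lines = [f"{day.isoformat()}T00:0{i}:00 10.0.0.7 {name}"
             for i, name in enumerate(bot_queries)]
    lines.append(f"{day.isoformat()}T00:05:00 10.0.0.9 www.example.com")
    return lines


def demo():
    """Precompute a one-week sinkhole window, then scan a log from day four."""
    sinkholed = build_sinkhole_list(DEMO_DAY, days=7)
    records = parse_dns_log(constructed_log(DEMO_DAY + timedelta(days=3)))
    return flag_hosts(records, sinkholed)


if __name__ == "__main__":
    print(demo())  # only 10.0.0.7 is flagged
```

Because the generator is deterministic, the defender's precomputed set covers every name an infected host can ask for during the window, which is exactly what made pre-registration effective until the variants widened the name space across TLDs.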

By CircleID Reporter
