With global effort, a new type of worm is slowed
There have been big computer worm outbreaks before, but nothing quite like Conficker.
First spotted in November, the worm had soon infected more computers than any worm in recent years. By some estimates it is now installed on more than 10 million PCs. But ever since its first appearance, it has been strangely quiet. Conficker infects PCs and spreads around networks, but it doesn't do anything else. It could be used to launch a massive cyberattack, crippling virtually any server on the Internet, or it could be leased out to spammers in order to pump out billions upon billions of spam messages. Instead, it sits there, a massive engine of destruction waiting for someone to turn the key.
Until recently, many security researchers simply didn't know what the Conficker network was waiting for. On Thursday, however, an international coalition revealed that they had taken unprecedented steps to keep the worm separate from the command-and-control servers that could control it. The group is comprised of security researchers, technology companies, domain name registrars who have joined forces with the Internet Corporation for Assigned Names and Numbers (ICANN), which oversees the Internet's Domain Name System.
Researchers had taken apart Conficker's code and discovered that it uses a tricky new technique to phone home for new instructions. Each day, the worm generates a fresh list of about 250 random domain names such as aklkanpbq.info. It then checks those domains for new instructions, verifying their cryptographic signature to ensure that they were created by Conficker's author.
When Conficker's code was first cracked, security experts snatched up some of these randomly generated domains, creating what are known as sinkhole servers to receive data from hacked machines and observe how the worm worked. But as the infection became more widespread, they began registering all of the domains -- close to 2,000 per week -- taking them out of circulation before criminals had a chance to tell their infected computers what to do. If ever the bad guys tried to register one of these command-and-control domains, they would have found that they'd already been taken, by a fictional group calling itself the "Conficker Cabal." Its address? 1 Microsoft Way, Redmond Washington.
This is a new kind of cat-and-mouse game for researchers, but it has been tested a few times over the past few months. In November, for example, another group used the technique to take control of domains used by one of the world's largest botnet networks, known as Srizbi, cutting it off from its command-and-control servers.
Sign up for ITworld's Daily newsletter
Follow ITworld on Twitter @IT_world
On Twitter now
conficker
Powered by Twitter
Esther Schindler
If the comments are ugly, the code is ugly
claird
SVG a graphics format for 21st century
pasmith
Take Chrome OS for a test spin
Sandra Henry-Stocker
Solaris Tip: Have Your Files Changed Since Installation?
jfruh
Android fragments vs. the iPhone monolith
mikelgan
What Gizmodo missed about the Pro WX Wireless USB disk drive
Sidekick: The Good News & the Bad News
Either way you look at it Microsoft Data Center management did not follow standards or best practices in this failure. In which case it makes me wonder more about the outsourcing of corporate data much less personal data.
- mburton325
Join the conversation here
Quick, practical advice for IT pros. Made fresh daily.
Want to cash in on your IT savvy? Send your tip to tips@itworld.com. If we post it, we'll send you a $25 Amazon e-gift card.
