Conficker Worm Draws a Counter-Attack

In response to the Conficker worm's massive infection of millions of PCs worldwide, industry heavyweights including Microsoft, Symantec and others today announced they're forming a new team to fight back against the worm.

In addition to the team's mission to grab domain names Conficker (aka Downadup) might try to use, Microsoft is offering a fat $250,000 reward for information that leads to the arrest and conviction of those responsible for the worm. The reward is available to residents of any country, Microsoft says.

Conficker's Achilles heel is its need to receive orders from a server on the Internet. The worm checks a list of up to 250 different domain names each day for instructions.

Normally, cycling through 250 different names would likely be enough to ensure that the good guys would be unable to keep up, as Conficker's controllers would theoretically only have to register one of those domains per day to control their massive herd of malware. But Conficker's notoriety has prompted the companies to coordinate their efforts and try to nab all the potential domain registrations before the bad guys can.

Doing so would restrict the worm to receiving updates or instructions only through its secondary peer-to-peer capability, according to Symantec. From the description, that secondary ability would likely limit the worm to making a peer-to-peer connection only with infected PCs on the same local network.
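To make the arithmetic of the domain race concrete, here is an added example (not code from the original post, and the generator below is a hypothetical stand-in, not Conficker's real algorithm): a date-seeded list of 250 rendezvous names per day, the defender's registration burden versus the operator's, and a check of constructed DNS query logs for hosts that looked up any of the day's names, which is what sinkholing the registrations lets a defender observe.

```python
import hashlib
import re
from datetime import date

# HYPOTHETICAL daily domain generator: deterministic and date-seeded so that
# defenders and the worm derive the same list for a given day. It is NOT
# Conficker's actual algorithm, only a stand-in with the same shape.
TLDS = ("com", "net", "org", "info", "biz")
DOMAINS_PER_DAY = 250

def daily_domains(day, count=DOMAINS_PER_DAY):
    """Return the rendezvous domains the (hypothetical) worm would try on `day`."""
    domains = []
    for i in range(count):
        digest = hashlib.sha256(f"{day.isoformat()}:{i}".encode()).hexdigest()
        label = digest[:8 + i % 5]  # 8..12 hex chars, like a DGA label
        domains.append(f"{label}.{TLDS[i % len(TLDS)]}")
    return domains

def registration_plan(day):
    """Defender must hold every name for the day; the operator needs only one."""
    names = daily_domains(day)
    return {"day": day.isoformat(), "to_register": len(names), "attacker_needs": 1}

# Constructed log format: "<timestamp> <client-ip> query <qname>"
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\d{1,3}(?:\.\d{1,3}){3}) query (?P<qname>\S+)$")

def flag_rendezvous_queries(log_lines, day):
    """Map each client IP to the day's rendezvous domains it queried (likely infected)."""
    watch = set(daily_domains(day))
    hits = {}
    for line in log_lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        qname = m.group("qname").rstrip(".").lower()  # tolerate FQDN trailing dot
        if qname in watch:
            hits.setdefault(m.group("src"), []).append(qname)
    return hits

DAY = date(2009, 2, 12)  # arbitrary sample day, chosen for the demo
SAMPLE_LOG = [  # constructed sample DNS query log, not real data
    f"2009-02-12T09:15:01 10.0.0.7 query {daily_domains(DAY)[3]}",
    "2009-02-12T09:15:02 10.0.0.7 query www.example.com",
    f"2009-02-12T09:15:03 10.0.0.9 query {daily_domains(DAY)[41]}.",
    "2009-02-12T09:15:04 10.0.0.12 query update.example.net",
]

if __name__ == "__main__":
    print(registration_plan(DAY))
    print(flag_rendezvous_queries(SAMPLE_LOG, DAY))
```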

According to Symantec's announcement, the team includes "Microsoft, ICANN, Neustar, Verisign, CNNIC, Afilias, Public Internet Registry, Global Domains International Inc., M1D Global, AOL, F-Secure, ISC, researchers from Georgia Tech, The Shadowserver Foundation, Arbor Networks, and Support Intelligence."

If anyone does manage to register one of the domains before the team does, the team will investigate its owner.

This is a good step, and one I'd sure like to see taken further. This team should stick around after Conficker and continue to work to deny the bad guys' use of domain names, hosting providers and other infrastructure required by the malware black market.

I do wonder, though, why Microsoft didn't set up a phone number or other central point of contact for collecting information about Conficker. The company says that "individuals with information about the Conficker worm should contact their international law enforcement agencies."
