The Story of Conficker, part 2
The Conficker Working Group Is Born
In January 2009, representatives from a number of security research companies and domain registrars, along with the anti-botnet Shadowserver Foundation, began discussing how best to implement a defensive Domain Name Service (DNS) strategy to handle domain registrations. To coordinate the significant amount of e-mail being generated by these discussions, the group established the CONFICKER e-mailing list on January 28, which drew a growing number of security researchers and members from law enforcement, academia, and industry, in addition to members representing each of the eight TLDs used by Conficker. Enlisting the support of the TLD operators would prove to be a vital step in containing the Conficker threat, enabling the group to block domain names more efficiently and at far less expense than would be possible through the commercial registration process.
By early February 2009, working group members had instituted a process for registering as many domain names as possible, before the Conficker operators could register them, and assigning them to IP addresses belonging to six sinkholes (server complexes designed to absorb and analyze malware traffic) operated by organizations belonging to the working group. Infected computers looking for command-and-control servers would contact the sinkholes instead, providing researchers with valuable telemetry for analyzing the spread of the worm. A number of Internet service providers (ISPs) were also able to use this telemetry data to identify infected computers.
Around the same time, the Internet Corporation for Assigned Names and Numbers (ICANN), which is responsible for allocating IP addresses and managing the Internet domain name system, invited the group to deliver a presentation on its domain registration efforts to a meeting of the ICANN board of directors. The board expressed its support for the program and assigned two staffers to help coordinate it. Despite these efforts, the Conficker operators were still able to register some domains before the working group could get to them. To mitigate this, researchers at Kaspersky Lab, an anti-malware vendor headquartered in Russia, worked with OpenDNS, a free network resolution service used by many organizations and individuals, to compute a year’s worth of Conficker domain names and proactively point them at the group’s sinkholes. Any infected computer belonging to an OpenDNS user would not be able to contact any of the Conficker command-and-control servers, even on domains the Conficker operators had been able to secure.
The formation of the Conficker Working Group (CWG) was officially announced to the public on February 12, 2009, as what a number of news stories characterized as an unprecedented example of global cooperation in the computer security industry, and a potential blueprint for dealing with threats in the future. The CWG had grown from an e-mail list for nine individuals to a group of more than 30 member organizations from around the world, coordinating complex activities through a robust communications infrastructure. On the day the CWG was announced, the group had successfully registered every Conficker domain name for the next 10 days, a genuine—if temporary—victory over the Conficker operators.