Cabal Takes On Conficker's Domain

By Matthew Hines  |  Posted 2009-02-12 Print this article Print

Conficker (aka Downadup) has turned out to be an annoyingly persistent pest, worming its way around actively for almost four months now.

In a high-profile effort to stem the worm's continued re-spawning, Microsoft, Symantec and a crew of partners including ICANN, VeriSign, Neustar, Public Internet Registry, F-Secure, AOL, Support Intelligence and Arbor Networks unveiled a new alliance today aimed at trying to stomp the attack out by going after its very roots.

The effort specifically contends that it can help stop the worm by cutting off its domain name absorption patterns. However, as an added incentive that highlights how much trouble Conficker has wreaked, Microsoft has also posted a $250,000 (not million, hahaha, my bad!) bounty for anyone who can turn over the individual(s) responsible for launching the campaign.

Dr. Jose Nazario of Arbor, which specializes in security monitoring systems used by major infrastructure providers and large enterprises, has been one of the most recognizable experts tracking the escalation of botnets and other forms of mass-malware threats like Conficker, for a number of years.

In an interesting follow up to the alliance announcement, Nazario posted some additional details about the anti-Conficker effort on Arbor's blog today.

Conficker's unique makeup that has employed USB memory devices to spread itself in addition to more typical TCP/445 transit makes it truly potent with the attack "spreading like wildfire in the enterprise," Nazario writes.

The expert outlines one of the techniques that the alliance, or "Conficker Cabal" has been employing to try take over domain names they believe will be next used in the attack via proactive pre-registration.

Broken open by researchers at F-Secure, the algorithm involved driving Conficker's domain consumption attempts to use a "long list of psuedo-randomly generated domain names to contact over HTTP and then grab new code," the expert said.

Having cracked the code, alliance members believe that they can now get ahead of the threat and choke it off now. Only the team efforts of F-Secure, Microsoft, ICANN, TLD ops and influential registrars, among others, have made the effort possible, he said. However, despite all the optimism, the security community shouldn't assume that it's game over.

"Just because the bot's update mechanism appears to be cut off doesn't mean that it's no longer a problem," writes Nazario.

My iPod had a funny hang-up the other day and I'm sitting there looking at it thinking... how would I even know?

Matt Hines has been following the IT industry for over a decade as a reporter and blogger, and has been specifically focused on the security space since 2003, including a previous stint writing for eWeek and contributing to the Security Watch blog. Hines is currently employed as marketing communications manager at Core Security Technologies, a Boston-based maker of security testing software. The views expressed herein do not necessarily represent the views of Core Security, and neither the company, nor its products and services will be actively discussed in the blog. Please send news, research or tips to |

Submit a Comment

Loading Comments...
Manage your Newsletters: Login   Register My Newsletters

Rocket Fuel