[AfrICANN-discuss] A Search Is Launched for Conficker's First Victim

Anne-Rachel Inné annerachel at gmail.com
Fri Mar 20 21:16:26 SAST 2009

A Search Is Launched for Conficker's First Victim


Robert McMillan, IDG News Service
   Sort By Rating Rating Date Performance Price Get Reviews<javascript:void(0)>
Close <javascript:void(0)>
  Friday, March 20, 2009 1:20 AM PDT

[image: conficker worm]Graphic: Diego Aguirre
Where did the Conficker worm
from? Researchers at the University of Michigan are trying to find out,
using a vast network of Internet sensors to track down the so-called
"patient zero" of an outbreak that has infected more than 10 million
date. (Here's how to protect

The university uses so-called darknet sensors that were set up about six
years ago in order to keep track of malicious activity. With funding from
the U.S. Department of Homeland Security, computer scientists have banded
together to share data collected from sensors around the world place sensors
around the world.

"The goal is to get close enough so you can actually start mapping out how
the spread started," said Jon Oberheide, a graduate student with the
University of Michigan who is working on the project.

That's not an easy job. To find the minuscule clues that will identify the
victim, researchers must sift through more than 50 terabytes of data, hoping
to find the telltale signatures of a Conficker scan.

One of the ways that Conficker moves about is by scanning the network for
other vulnerable computers, but it can be really hard to spot it for
certain, Oberheide said. "The hard thing is to find the exact Conficker
scanning activity, because there is a lot of other scanning going on," he

Tracking down patient zero has been done, however. In 2005, researchers tracked
the 2004 Witty worm's first
victim,<http://www.cc.gatech.edu/%7Eakumar/witty-draft.pdf>(pdf) a
U.S. military base, and even identified the European IP address used
to launch the attack.

It's been years since anything as widespread as
surfaced however, so there have not been many chances to reproduce

When Conficker first appeared in October, though, researchers caught a
break. Other worms had dodged this kind of analysis by blocking the darknet
IP addresses, but Conficker's authors didn't do that. "We were kind of
surprised that it did this completely random scan, and didn't blacklist our
particular sensors," Oberheide said. "If they'd done a little bit of
research, they could have discovered our [network]."

Soon after the Conficker outbreak the Michigan researchers saw a big spike
on their sensors, which they attributed to the worm. The network was
collecting about 2G of data per hour in November, but these days it's closer
to 8G. "The increase in activity we've seen on these Darknet sensors is…
incredible," Oberheide said. "Now this data is actually useful; we can go
back six months and see what this worm was actually doing," he added.

Another group, called CAIDA (the Cooperative Association for Internet Data
Analysis) published<http://www.caida.org/research/security/ms08-067/conficker.xml>a
Conficker analysis earlier this month. The Michigan researchers hope to post
a similar analysis of their data in with the next few weeks, but it could be
months before they narrow things down to patient zero.

In the meantime, "the goal is to get close enough so you can actually start
mapping out how the spread started," Oberheide said.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: https://lists.afrinic.net/pipermail/africann/attachments/20090321/cb6ddf6f/attachment.htm

More information about the AfrICANN mailing list