[AfrICANN-discuss] ICANN Security Team Reports on Conficker Post-Discovery Analysis

Anne-Rachel Inné annerachel at gmail.com
Tue May 11 20:08:04 SAST 2010

ICANN Security Team Reports on Conficker Post-Discovery Analysis


   - May 11, 2010 10:13 AM PDT

By *CircleID Reporter* <http://www.circleid.com/members/501/>

A paper released today by ICANN provides a chronology of events related to
the containment of the Conficker worm. The report, "*Conficker Summary and
Review*" (PDF <http://icann.org/en/security/conficker-summary-review-07may10-en.pdf>),
is authored by Dave Piscitello, ICANN's Senior Security Technologist, on
behalf of the organization's security team. Below is an excerpt from the
paper's introduction:

*The Conficker worm first appeared in October 2008 and quickly earned as
much notoriety as Code Red, Blaster, Sasser and SQL Slammer. The infection
is found in both home and business networks, including large multi‐national
enterprise networks. Attempts to estimate the populations of Conficker
infected hosts at any given time have varied widely, but all estimates
exceed millions of personal computers.*

*The operational response to Conficker is perhaps as landmark an event as the
worm itself. Internet security researchers, operating system and antivirus
software vendors discovered the worm in late 2008. These parties as well as
law enforcement formed an ad hoc effort with ICANN, Top Level Domain (TLD)
registries and registrars around the world to contain the threat by
preventing Conficker malware writers from using tens of thousands of domain
names algorithmically-generated daily by the Conficker infection.*

*Conficker malware writers made use of domain names rather than IP addresses
to make their attack networks resilient against detection and takedown.
Initial countermeasures, sinkholing or preemptive registrations of domains
used to identify Conficker's command and control (C&C) hosts, prevented the
malware writers from communicating with Conficker-infected systems and thus,
presumably prevented the writers from instructing the botted hosts to
conduct attacks or to receive updates. The Conficker malware writers
responded to this measure by introducing variants to the original infection
that increased the number of algorithmically generated domain names and
distributed the names more widely across TLDs. To respond to this
escalation, parties involved in containing Conficker contacted more than 100
TLDs around the world to participate in the containment effort.*

*The combined efforts of all parties involved in the collaborative response
should be measured by more criteria than mitigation alone. The containment
measures did not eradicate the worm or dismantle the botnet entirely. Still,
the coordinated operational response merits attention because the measures
disrupted botnet command and control communications and caused Conficker
malware writers to change their behavior. The collaborative effort also
demonstrated that security communities are willing and able to join forces
in response to incidents that threaten the security and stability of the DNS
and domain registration systems on a global scale.*
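The excerpt above describes the mechanism that made containment possible: because the bot derives its rendezvous domains deterministically from a date seed, anyone who has reverse-engineered the algorithm can compute the same list in advance and register or sinkhole the names before the malware writers do, and widening the TLD spread multiplies the number of registries that must cooperate. The following is an added illustration of that idea, not code from the ICANN paper or the CircleID article. The hashing scheme, seed, TLD lists, domain counts and sample resolver queries are all hypothetical and constructed here; they are not Conficker's actual algorithm or infrastructure.

```python
"""
Toy date-seeded domain generation algorithm (DGA) with the defender-side
prediction that enables sinkholing / preemptive registration.

Everything here is a constructed, hypothetical example: the derivation
(SHA-256 over a fixed seed, the ISO date and a counter), the TLD lists and
the sample DNS queries. It is NOT Conficker's real DGA.
"""
import datetime
import hashlib

# Hypothetical TLD sets: a narrow list for the "original" variant and a
# wider spread for the "escalated" variant, mirroring the kind of change the
# paper describes (more names, distributed across more TLDs).
TLDS_V1 = ("com", "net", "org")
TLDS_V2 = TLDS_V1 + ("biz", "info", "ws", "cn", "cc", "tv")

SEED = b"toy-dga-seed"  # hypothetical constant embedded in the (toy) malware


def generate_domains(day, count, tlds, seed=SEED):
    """Derive `count` domains for calendar date `day` (datetime.date).

    Both the bot and a defender who knows `seed` and the derivation get the
    same list, which is what makes preemptive registration possible.
    """
    domains = []
    date_bytes = day.isoformat().encode()
    for i in range(count):
        digest = hashlib.sha256(seed + date_bytes + i.to_bytes(4, "big")).digest()
        length = 8 + digest[0] % 5                      # 8..12 letters
        label = "".join(chr(ord("a") + b % 26) for b in digest[1:1 + length])
        tld = tlds[digest[31] % len(tlds)]              # last digest byte picks TLD
        domains.append(f"{label}.{tld}")
    return domains


def sinkhole_plan(day, count, tlds):
    """Group the day's predicted domains by TLD.

    Each key is one registry (or its registrars) that must block, reserve or
    sinkhole the listed names; the number of keys is the coordination burden.
    """
    plan = {}
    for domain in generate_domains(day, count, tlds):
        tld = domain.rsplit(".", 1)[1]
        plan.setdefault(tld, []).append(domain)
    return {tld: sorted(names) for tld, names in plan.items()}


def classify_lookups(queries, predicted):
    """Return the queries that hit a predicted C&C domain.

    Normalises case and a trailing dot so resolver-log spellings match.
    """
    wanted = {d.lower() for d in predicted}
    return [q for q in queries if q.lower().rstrip(".") in wanted]


def demo(day=datetime.date(2009, 4, 1)):
    """Run the defender workflow on constructed data; returns a summary dict."""
    v1 = sinkhole_plan(day, 250, TLDS_V1)
    v2 = sinkhole_plan(day, 250, TLDS_V2)
    predicted = generate_domains(day, 250, TLDS_V2)
    # Constructed resolver log: two predicted names (one upper-case, one
    # with a trailing dot) mixed with benign traffic.
    queries = [
        "www.example.com",
        predicted[0],
        "mail.example.org.",
        predicted[7].upper() + ".",
        "updates.example.net",
    ]
    return {
        "tlds_to_coordinate_v1": len(v1),
        "tlds_to_coordinate_v2": len(v2),
        "hits": classify_lookups(queries, predicted),
    }


if __name__ == "__main__":
    print(demo())
```

The point a practitioner should take from `sinkhole_plan` is that the defender's cost scales with the number of distinct TLDs, not with the number of names: a variant that spreads the same daily list over more registries forces exactly the kind of outreach to more than 100 TLDs that the excerpt describes, while `classify_lookups` is the resolver-side detection the predicted list also enables.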