<h1>A Search Is Launched for Conficker's First Victim</h1>
<p><a href="http://www.pcworld.com/businesscenter/article/161630/a_search_is_launched_for_confickers_first_victim.html">http://www.pcworld.com/businesscenter/article/161630/a_search_is_launched_for_confickers_first_victim.html</a></p>
<p>Robert McMillan, IDG News Service</p>
<div id="articleText">
<div id="sidebar">
<div id="reviewFinder"><div class="form"><form id="rfForm" name="rfForm" action="/product/reviewfinder.html" method="get">
<div id="rfControls" style="display: none;">
<input name="prod_price" value="Maximum Price" onfocus="this.value=''" type="text">
<select name="sort_by">
<option value="1">Sort By</option>
<option value="1">Rating</option>
<option value="2">Rating Date</option>
<option value="3">Performance</option>
<option value="4">Price</option>
</select>
<a href="javascript:void(0)" class="button" onclick="return rfSubmit();">Get Reviews</a>
<a href="javascript:void(0)" onclick="return rfCatClose();">Close</a>
</div>
</form>
</div>
</div>
</div>
<div class="date">Friday, March 20, 2009 1:20 AM PDT</div>
<div class="articleBodyContent"><p><span class="image ltmd"><img src="http://images.pcworld.com/home/graphics/hp_083103_worms.jpg" alt="conficker worm"><div class="artCaption"><span class="credit">Graphic: Diego Aguirre</span></div>
</span>Where did the <a href="http://www.pcworld.com/businesscenter/article/161267/new_conficker_expected_april_1.html?tk=rel_news" target="_blank">Conficker worm </a>come
from? Researchers at the University of Michigan are trying to find out,
using a vast network of Internet sensors to track down the so-called
"patient zero" of an outbreak that has infected <a href="http://www.pcworld.com/businesscenter/article/158085/downadup_worm_eats_into_1_of_every_16_pcs.html?tk=rel_news" target="_blank">more than 10 million computers </a>to date. (Here's <a href="http://www.pcworld.com/article/157877/conficker_worm_attack_getting_worse_heres_how_to_protect_yourself.html?tk=rel_news" target="_blank">how to protect yourself</a>.)</p>
<p>The
university uses so-called darknet sensors that were set up about six
years ago in order to keep track of malicious activity. With funding
from the U.S. Department of Homeland Security, computer scientists have
banded together to share data collected from sensors around the world
place sensors around the world.</p>
<p>"The goal is to get close
enough so you can actually start mapping out how the spread started,"
said Jon Oberheide, a graduate student with the University of Michigan
who is working on the project.</p>
<p>That's not an easy job. To
find the minuscule clues that will identify the victim, researchers
must sift through more than 50 terabytes of data, hoping to find the
telltale signatures of a Conficker scan.</p>
<p>One of the ways that
Conficker moves about is by scanning the network for other vulnerable
computers, but it can be really hard to spot it for certain, Oberheide
said. "The hard thing is to find the exact Conficker scanning activity,
because there is a lot of other scanning going on," he said.</p>
<p>Tracking down patient zero has been done, however. In 2005, researchers <a href="http://www.cc.gatech.edu/%7Eakumar/witty-draft.pdf" target="_blank">tracked the 2004 Witty worm's first victim,</a> (pdf) a U.S. military base, and even identified the European IP address used to launch the attack.</p>
<p>It's been years since anything <a href="http://www.pcworld.com/article/160854/conficker_worm_strikes_back_with_new_variant.html?tk=rel_news" target="_blank">as widespread as Conficker</a> has surfaced however, so there have not been many chances to reproduce this effort.</p>
<p>When
Conficker first appeared in October, though, researchers caught a
break. Other worms had dodged this kind of analysis by blocking the
darknet IP addresses, but Conficker's authors didn't do that. "We were
kind of surprised that it did this completely random scan, and didn't
blacklist our particular sensors," Oberheide said. "If they'd done a
little bit of research, they could have discovered our [network]."</p>
<p>Soon
after the Conficker outbreak the Michigan researchers saw a big spike
on their sensors, which they attributed to the worm. The network was
collecting about 2G of data per hour in November, but these days it's
closer to 8G. "The increase in activity we've seen on these Darknet
sensors is… incredible," Oberheide said. "Now this data is actually
useful; we can go back six months and see what this worm was actually
doing," he added.</p>
<p>Another group, called CAIDA (the Cooperative Association for Internet Data Analysis) <a href="http://www.caida.org/research/security/ms08-067/conficker.xml" target="_blank">published</a>a
Conficker analysis earlier this month. The Michigan researchers hope to
post a similar analysis of their data in with the next few weeks, but
it could be months before they narrow things down to patient zero.</p>
<p>In
the meantime, "the goal is to get close enough so you can actually
start mapping out how the spread started," Oberheide said.</p></div>
</div>