<a href="http://gcn.com/Articles/2010/03/19/Conficker-cleanup-031910.aspx?p=1">http://gcn.com/Articles/2010/03/19/Conficker-cleanup-031910.aspx?p=1</a><br><br><span class="Apple-style-span" style="font-family: 'Times New Roman'; font-size: medium; "><h3 id="ctl03_MainHeading" class="title" style="font-family: Arial, Helvetica, sans-serif; font-size: 18px; font-weight: 700; color: rgb(51, 51, 51); padding-left: 10px; margin-left: 10px; ">
Have agencies scrubbed the Conficker worm from their systems?</h3><ul id="ctl03_ByAuthor" class="byline"><li class="author" style="font-family: Arial, Helvetica, sans-serif; font-size: 12px; font-weight: 700; color: rgb(51, 51, 51); ">
By <a href="http://gcn.com/forms/emailtoauthor.aspx?AuthorItem={C4126F0C-6B16-4232-985C-93F86A33A188}&ArticleItem={D16E7BF2-CD6D-4F52-819F-1AFAF3AB45E6}">William Jackson</a></li><li class="date" style="font-family: Arial, Helvetica, sans-serif; font-size: 11px; font-weight: 700; color: rgb(51, 51, 51); ">
Mar 19, 2010</li></ul><div style="text-align: left;">A company that has been tracking the scanning activity of the prolific Conficker worm says that traffic from infected government systems has dropped off significantly in recent months, which could indicate a successful effort to remediate infections.</div>
<p style="text-align: left;font-family: Arial, Helvetica, sans-serif; font-size: 12px; color: rgb(0, 0, 0); text-decoration: none; margin-top: 0px; margin-right: 10px; margin-bottom: 0px; margin-left: 10px; padding-top: 10px; padding-right: 10px; padding-bottom: 10px; padding-left: 10px; ">
</p><p style="text-align: left;font-family: Arial, Helvetica, sans-serif; font-size: 12px; color: rgb(0, 0, 0); text-decoration: none; margin-top: 0px; margin-right: 10px; margin-bottom: 0px; margin-left: 10px; padding-top: 10px; padding-right: 10px; padding-bottom: 10px; padding-left: 10px; ">
“We started to notice a decrease over the last two or three months,” said Rodney Joffe, senior vice president and technologist at Neustar Inc., a directory services provider that administers the domain name registry for the .US country code top level domain for the Commerce Department.</p>
<p style="text-align: left;font-family: Arial, Helvetica, sans-serif; font-size: 12px; color: rgb(0, 0, 0); text-decoration: none; margin-top: 0px; margin-right: 10px; margin-bottom: 0px; margin-left: 10px; padding-top: 10px; padding-right: 10px; padding-bottom: 10px; padding-left: 10px; ">
</p><p style="text-align: left;font-family: Arial, Helvetica, sans-serif; font-size: 12px; color: rgb(0, 0, 0); text-decoration: none; margin-top: 0px; margin-right: 10px; margin-bottom: 0px; margin-left: 10px; padding-top: 10px; padding-right: 10px; padding-bottom: 10px; padding-left: 10px; ">
The number of infected government systems dropped from a peak of tens of thousands. “Now they are down to less than 40 systems in the entire U.S. federal network,” he said.</p><p style="text-align: left;font-family: Arial, Helvetica, sans-serif; font-size: 12px; color: rgb(0, 0, 0); text-decoration: none; margin-top: 0px; margin-right: 10px; margin-bottom: 0px; margin-left: 10px; padding-top: 10px; padding-right: 10px; padding-bottom: 10px; padding-left: 10px; ">
</p><p style="text-align: left;font-family: Arial, Helvetica, sans-serif; font-size: 12px; color: rgb(0, 0, 0); text-decoration: none; margin-top: 0px; margin-right: 10px; margin-bottom: 0px; margin-left: 10px; padding-top: 10px; padding-right: 10px; padding-bottom: 10px; padding-left: 10px; ">
The Homeland Security Department, which runs the U.S. Computer Emergency Readiness Team, did not immediately respond to requests for comment.</p><p style="text-align: left;font-family: Arial, Helvetica, sans-serif; font-size: 12px; color: rgb(0, 0, 0); text-decoration: none; margin-top: 0px; margin-right: 10px; margin-bottom: 0px; margin-left: 10px; padding-top: 10px; padding-right: 10px; padding-bottom: 10px; padding-left: 10px; ">
</p><p style="text-align: left;font-family: Arial, Helvetica, sans-serif; font-size: 12px; color: rgb(0, 0, 0); text-decoration: none; margin-top: 0px; margin-right: 10px; margin-bottom: 0px; margin-left: 10px; padding-top: 10px; padding-right: 10px; padding-bottom: 10px; padding-left: 10px; ">
Joffe, who also is director of the Conficker Working Group, said the apparently successful eradication of a worm that has proved to be surprisingly resilient for more than a year is good news, even if the government has not yet said how it was done.</p>
<p style="text-align: left;font-family: Arial, Helvetica, sans-serif; font-size: 12px; color: rgb(0, 0, 0); text-decoration: none; margin-top: 0px; margin-right: 10px; margin-bottom: 0px; margin-left: 10px; padding-top: 10px; padding-right: 10px; padding-bottom: 10px; padding-left: 10px; ">
</p><p style="text-align: left;font-family: Arial, Helvetica, sans-serif; font-size: 12px; color: rgb(0, 0, 0); text-decoration: none; margin-top: 0px; margin-right: 10px; margin-bottom: 0px; margin-left: 10px; padding-top: 10px; padding-right: 10px; padding-bottom: 10px; padding-left: 10px; ">
“For the first time the government is taking the lead in a technical security issue, rather than lagging,” he said. “If they can do it, there is no excuse for other enterprises not to. It is obviously possible to remediate.”</p>
<p style="text-align: left;font-family: Arial, Helvetica, sans-serif; font-size: 12px; color: rgb(0, 0, 0); text-decoration: none; margin-top: 0px; margin-right: 10px; margin-bottom: 0px; margin-left: 10px; padding-top: 10px; padding-right: 10px; padding-bottom: 10px; padding-left: 10px; ">
</p><p style="text-align: left;font-family: Arial, Helvetica, sans-serif; font-size: 12px; color: rgb(0, 0, 0); text-decoration: none; margin-top: 0px; margin-right: 10px; margin-bottom: 0px; margin-left: 10px; padding-top: 10px; padding-right: 10px; padding-bottom: 10px; padding-left: 10px; ">
Joffe said the working group hopes to have details of the government effort available for a “lessons learned” paper the group plans to publish in the coming months.</p><p style="text-align: left;font-family: Arial, Helvetica, sans-serif; font-size: 12px; color: rgb(0, 0, 0); text-decoration: none; margin-top: 0px; margin-right: 10px; margin-bottom: 0px; margin-left: 10px; padding-top: 10px; padding-right: 10px; padding-bottom: 10px; padding-left: 10px; ">
</p><p style="text-align: left;font-family: Arial, Helvetica, sans-serif; font-size: 12px; color: rgb(0, 0, 0); text-decoration: none; margin-top: 0px; margin-right: 10px; margin-bottom: 0px; margin-left: 10px; padding-top: 10px; padding-right: 10px; padding-bottom: 10px; padding-left: 10px; ">
The worm, also known as W32.Downadup, has infected more than 10 million computers since its appearance in late 2008, and although the infected machines do not appear to have engaged in large scale malicious activity, the worm is troublesome because of its ability to update itself and morph into new forms. It also can disable security features of infected computers such as Windows Update and antivirus tools.</p>
<p style="text-align: left;font-family: Arial, Helvetica, sans-serif; font-size: 12px; color: rgb(0, 0, 0); text-decoration: none; margin-top: 0px; margin-right: 10px; margin-bottom: 0px; margin-left: 10px; padding-top: 10px; padding-right: 10px; padding-bottom: 10px; padding-left: 10px; ">
</p><p style="text-align: left;font-family: Arial, Helvetica, sans-serif; font-size: 12px; color: rgb(0, 0, 0); text-decoration: none; margin-top: 0px; margin-right: 10px; margin-bottom: 0px; margin-left: 10px; padding-top: 10px; padding-right: 10px; padding-bottom: 10px; padding-left: 10px; ">
“It is incredibly robust,” Joffe said. “It doesn’t seem to get remediated successfully and there continue to be outbreaks.”</p><p style="text-align: left;font-family: Arial, Helvetica, sans-serif; font-size: 12px; color: rgb(0, 0, 0); text-decoration: none; margin-top: 0px; margin-right: 10px; margin-bottom: 0px; margin-left: 10px; padding-top: 10px; padding-right: 10px; padding-bottom: 10px; padding-left: 10px; ">
</p><p style="text-align: left;font-family: Arial, Helvetica, sans-serif; font-size: 12px; color: rgb(0, 0, 0); text-decoration: none; margin-top: 0px; margin-right: 10px; margin-bottom: 0px; margin-left: 10px; padding-top: 10px; padding-right: 10px; padding-bottom: 10px; padding-left: 10px; ">
He said the worm has a good command of Windows internals and network layer traffic, and also has developed the unusual ability to download and execute code without rebooting the infected system, a feat that Joffe likened to changing the tires on a moving car.</p>
<p style="text-align: left;font-family: Arial, Helvetica, sans-serif; font-size: 12px; color: rgb(0, 0, 0); text-decoration: none; margin-top: 0px; margin-right: 10px; margin-bottom: 0px; margin-left: 10px; padding-top: 10px; padding-right: 10px; padding-bottom: 10px; padding-left: 10px; ">
</p><p style="text-align: left;font-family: Arial, Helvetica, sans-serif; font-size: 12px; color: rgb(0, 0, 0); text-decoration: none; margin-top: 0px; margin-right: 10px; margin-bottom: 0px; margin-left: 10px; padding-top: 10px; padding-right: 10px; padding-bottom: 10px; padding-left: 10px; ">
The original W32.Downadup.A exploited only the MS08-067 vulnerability in Windows XP Service Pack 2 and Windows 2003 Service Pack 1 operating systems, for which Microsoft issued an unusual patch outside of its regular monthly patching cycle. A subsequent .B variant added password guessing and the ability to copy itself to USB drives to its bag of exploits, and a .C variant added an additional layer of protection.</p>
<p style="text-align: left;font-family: Arial, Helvetica, sans-serif; font-size: 12px; color: rgb(0, 0, 0); text-decoration: none; margin-top: 0px; margin-right: 10px; margin-bottom: 0px; margin-left: 10px; padding-top: 10px; padding-right: 10px; padding-bottom: 10px; padding-left: 10px; ">
</p><p style="text-align: left;font-family: Arial, Helvetica, sans-serif; font-size: 12px; color: rgb(0, 0, 0); text-decoration: none; margin-top: 0px; margin-right: 10px; margin-bottom: 0px; margin-left: 10px; padding-top: 10px; padding-right: 10px; padding-bottom: 10px; padding-left: 10px; ">
The worm uses an algorithm to generate a pseudo-random list of domains for its command and control network, which its infected clients check daily for instructions. Security analysts said the .C variant uses a new algorithm to determine what domains to contact. It went from generating 500 domains a day to 50,000 domains with the new algorithm. Because a command and control server can be a weak spot whose elimination can disable a botnet, this could make Conficker more difficult to attack.</p>
<p style="text-align: left;font-family: Arial, Helvetica, sans-serif; font-size: 12px; color: rgb(0, 0, 0); text-decoration: none; margin-top: 0px; margin-right: 10px; margin-bottom: 0px; margin-left: 10px; padding-top: 10px; padding-right: 10px; padding-bottom: 10px; padding-left: 10px; ">
</p><p style="text-align: left;font-family: Arial, Helvetica, sans-serif; font-size: 12px; color: rgb(0, 0, 0); text-decoration: none; margin-top: 0px; margin-right: 10px; margin-bottom: 0px; margin-left: 10px; padding-top: 10px; padding-right: 10px; padding-bottom: 10px; padding-left: 10px; ">
A later version, .E, uses peer-to-peer networking for command and control. “At that point we lost visibility into infected machines,” Joffe said. But an estimated 6.5 million machines remain infected by earlier versions that use daily call-ups that can be tracked. It is that traffic that indicates a federal clean-up, he said.</p>
<p style="text-align: left;font-family: Arial, Helvetica, sans-serif; font-size: 12px; color: rgb(0, 0, 0); text-decoration: none; margin-top: 0px; margin-right: 10px; margin-bottom: 0px; margin-left: 10px; padding-top: 10px; padding-right: 10px; padding-bottom: 10px; padding-left: 10px; ">
</p><p style="text-align: left;font-family: Arial, Helvetica, sans-serif; font-size: 12px; color: rgb(0, 0, 0); text-decoration: none; margin-top: 0px; margin-right: 10px; margin-bottom: 0px; margin-left: 10px; padding-top: 10px; padding-right: 10px; padding-bottom: 10px; padding-left: 10px; ">
“We see the check-in every day,” he said. “It appears they have across the entire federal government been remediating Conficker. We’re pretty sure the federal government has done something no one else has.”</p><p style="text-align: left;font-family: Arial, Helvetica, sans-serif; font-size: 12px; color: rgb(0, 0, 0); text-decoration: none; margin-top: 0px; margin-right: 10px; margin-bottom: 0px; margin-left: 10px; padding-top: 10px; padding-right: 10px; padding-bottom: 10px; padding-left: 10px; ">
</p><div class="aboutAuthor"><p id="ctl03_AuthorInfo_AboutAuthor" class="author" style="text-align: left;font-family: Arial, Helvetica, sans-serif; font-size: 12px; color: rgb(51, 51, 51); text-decoration: none; margin-top: 0px; margin-right: 10px; margin-bottom: 0px; margin-left: 10px; padding-top: 10px; padding-right: 10px; padding-bottom: 10px; padding-left: 10px; font-weight: 700; ">
About the Author</p><p style="text-align: left;font-family: Arial, Helvetica, sans-serif; font-size: 12px; color: rgb(0, 0, 0); text-decoration: none; margin-top: 0px; margin-right: 10px; margin-bottom: 0px; margin-left: 10px; padding-top: 10px; padding-right: 10px; padding-bottom: 10px; padding-left: 10px; ">
<strong></strong>William Jackson is a senior writer for GCN and the author of the <a href="http://gcn.com/articles/list/cybereye.aspx">CyberEye</a> column. </p></div></span>