Lessons Learned

Conficker Group

Official Conficker Working Group "Lessons Learned" Published

The official Conficker Working Group "Lessons Learned" document, produced by The Rendon Group based upon work supported by the Department of Homeland Security, has been published. The detailed 50-page report provides an in-depth examination of the Conficker worm and the successful effort to combat it, which brought together industry leaders from across the technical community.

Read Full Report

Selected excerpts below (subheaders and bolding added):

Executive Summary - "With millions of computers under its control, many security experts speculated as to what the author would attempt to do. The worst case scenarios were bleak. The worm, properly instructed, could credibly threaten critical infrastructure on the Internet. Even the more benign uses could cause severe problems for the public or private sector.

In an unprecedented act of coordination and collaboration, the cybersecurity community, including Microsoft, ICANN, domain registry operators, anti-virus vendors, and academic researchers organized to block the infected computers from reaching the domains – an informal group that was eventually dubbed the Conficker Working Group (CWG). They sought to register and otherwise block domains before the Conficker author, preventing the author from updating the botnet. Despite a few errors, that effort was very successful."

The Early Days - "Early on, several researchers were paying for and registering the vulnerable domains by hand, one-by-one. Some were discussing the possibility of doing so in a comprehensive way. Others were getting access to domains so they could sinkhole the data and learn more about the infection. Among those groups, one interviewee pointed to the early efforts of F-Secure and the registry .WS. Both had used various data and shared that data with others, which helped determine the scope of the threat in the early months."

Registry Role - "The registries of the Top Level Domains that were affected by Conficker A and B played an important role in getting the effort to register domains off the ground and determined the makeup of the group early on. Three companies (Verisign, Neustar and Afilias) managed the TLDs .com, .net, .org, .info, and .biz. This made the participation and cooperation of these three companies vital to the effort to register the domains and maintain the effort over time. Additionally, the early participation of .WS helped block a significant number of domains and shared their data with the Working Group."

Conficker Working Group Goes Public, Reward Offered - "On February 12, 2009, the Conficker Working Group was publicly announced and Microsoft offered a $250,000 reward for information leading to the arrest of the worm's creator. The Microsoft reward offer received far more attention than the cooperation of the Working Group. The announcement named as key contributors to the Working Group ICANN, NeuStar, VeriSign, CNNIC, Afilias, Public Internet Registry, Global Domains International Inc., M1D Global, AOL, Symantec, F-Secure, ISC, researchers from Georgia Tech, the Shadowserver Foundation, Arbor Networks and Support Intelligence."