Has Conficker spurred a new model for security response?
Fight against worm unites public and private sectors
- By William Jackson
- May 10, 2010
The Internet has developed into a single infrastructure that recognizes no national boundaries and is increasingly important to the global economy, but it has developed without any corresponding framework for dealing with growing online threats.
“There are no internationally established policies and procedures” for responding to worms, viruses, Trojans, and other malicious code and activities, said Dean Turner, director of Symantec’s Global Intelligence Network.
The information technology security industry is pretty good about cooperating, but outside that relatively small world, cooperation typically relies on one-to-one relationships, with no established system for broader partnerships. This puts the good guys at a disadvantage when going up against the bad guys.
But that might have changed with the emergence of the Conficker worm in late 2008. The first major outbreak of a network-aware worm in four years resulted in the formation of an ad hoc partnership that became formalized as the Conficker Working Group, eventually comprising more than two dozen companies—from Afilias to VeriSign—and Internet registrars, universities and government agencies, including the FBI and the Homeland Security Department.
“I have never seen people come together like that before,” Turner said. “I think it probably is a model we are going to have to adopt going forward.”
DHS is looking at lessons learned through the working group as a way to strengthen the public/private partnerships needed to secure our critical infrastructure.
Conficker, also known by a variety of names including Downup and Downadup, spurred this response in part because noisy, high-profile worms were thought to be things of the past, and it caught the Internet off guard by spreading so quickly. It also used advanced techniques to spread and communicate, including a domain-generation algorithm for locating command-and-control servers through the Domain Name System, encrypted peer-to-peer communications and abuse of Windows AutoRun on removable media. “This was well thought out and fairly well put together,” Turner said.
Working group members formed subgroups to cooperate on separate parts of the challenge. Symantec and Kaspersky Lab, for instance, worked on reverse-engineering the code and recovered the domain-generation algorithm, which let them compute in advance the list of names the worm would use to find command-and-control sites. That allowed those names to be preemptively registered with registrars before the worm’s operators could claim them, reducing the worm’s options for communication.
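The mechanism the working group relied on is easy to see in code: once the domain-generation algorithm (DGA) is known, defenders can run it forward and register every candidate name before the operator does, so infected hosts rendezvous with a sinkhole instead. The following is an added example, not code from the article or from any working-group member, and the DGA in it is a deliberately simple hypothetical one (SHA-256 of the date and an index, five names a day over three assumed TLDs), not Conficker's actual algorithm. The registrar is modelled as a plain first-come, first-served dictionary.

```python
"""Toy model of DGA rendezvous and preemptive registration (sinkholing).
Added example; the DGA below is hypothetical, NOT Conficker's algorithm."""
from __future__ import annotations

import hashlib
from datetime import date, timedelta

TLDS = ("com", "net", "org")   # assumed TLD set for the toy DGA
DOMAINS_PER_DAY = 5            # assumed daily candidate count


def dga(day: date, count: int = DOMAINS_PER_DAY, tlds=TLDS) -> list[str]:
    """Toy date-seeded DGA: every host running this on the same calendar day
    derives the same candidate names, so no fixed server address is needed."""
    names = []
    for i in range(count):
        digest = hashlib.sha256(f"{day.isoformat()}:{i}".encode()).digest()
        length = 8 + digest[0] % 5                       # label of 8..12 chars
        label = "".join(chr(ord("a") + b % 26) for b in digest[1:1 + length])
        names.append(f"{label}.{tlds[digest[13] % len(tlds)]}")
    return names


def candidates(day_iso: str) -> list[str]:
    """Convenience wrapper taking an ISO date string."""
    return dga(date.fromisoformat(day_iso))


def register(registry: dict[str, str], name: str, owner: str) -> bool:
    """Registrar model: first come, first served; a taken name stays taken."""
    if name in registry:
        return False
    registry[name] = owner
    return True


def preregister(registry: dict[str, str], algorithm, start: date,
                days_ahead: int, owner: str = "sinkhole") -> int:
    """Defender side: run the recovered DGA forward and claim every name
    in the window before the operator can. Returns how many names were taken."""
    taken = 0
    for d in range(days_ahead):
        for name in algorithm(start + timedelta(days=d)):
            if register(registry, name, owner):
                taken += 1
    return taken


def rendezvous(registry: dict[str, str], day: date, algorithm=dga):
    """Bot side: try the day's candidates in order and use the first one that
    resolves. Returns (name, owner) or None if no candidate is registered."""
    for name in algorithm(day):
        if name in registry:
            return name, registry[name]
    return None


def simulate(start_iso: str = "2009-01-01", days_ahead: int = 7) -> dict:
    """Sinkhole a window of days, then let the operator try to register one
    name inside the window and one just past it. Shows both the success and
    the failure mode: coverage ends where the defenders' window ends."""
    start = date.fromisoformat(start_iso)
    registry: dict[str, str] = {}
    taken = preregister(registry, dga, start, days_ahead)
    in_window = start + timedelta(days=days_ahead // 2)
    past_window = start + timedelta(days=days_ahead)
    got_in_window = register(registry, dga(in_window)[0], "operator")
    got_past_window = register(registry, dga(past_window)[0], "operator")
    return {
        "names_sinkholed": taken,
        "operator_got_in_window_name": got_in_window,
        "operator_got_past_window_name": got_past_window,
        "in_window_owner": rendezvous(registry, in_window)[1],
        "past_window_owner": rendezvous(registry, past_window)[1],
    }


if __name__ == "__main__":
    for key, value in simulate().items():
        print(f"{key}: {value}")
```

The last two results are the practical caveat: a bot whose day falls inside the pre-registered window talks to the sinkhole, but the day after the window ends the operator wins the race again. That is why the real effort was a standing coordination with registrars rather than a one-off list, and why a later variant that generated far more names per day across many more TLDs made the job so much harder.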
Despite the working group’s accomplishments, success has been incomplete. “It’s still out there” on an estimated 5.5 million infected computers at last count, Turner said. “Nobody knew what its purpose was, and we still don’t. With all the attention it generated, I’m not surprised they went quiet. They’re lying in the weeds.”
In the end, “we mitigated the threat to some degree” but did not completely solve the problem, he said.
Still, the working group experience was an eye-opener for the public and private Internet community, and the lessons learned from it offer some guidance for future response:
- Vigilance. “We have a tendency to think that something won’t happen again,” Turner said. But if a particular threat does not repeat itself, it eventually will be replaced with something newer and perhaps worse, and the community must keep its guard up, he warned.
- Cooperation. “Everybody played nice,” he said. When faced with a global issue, a lot can be accomplished by putting aside the urge to compete and working for the common good, he added.
- Teamwork. No one organization can solve an entire problem. There are many areas of detection, monitoring, analysis and response that have to be integrated. “Everyone has to come together,” each contributing his own bit of expertise, Turner said.
Working together is not necessarily any easier in cyberspace than it is in the schoolyard or the typical office. “It was trying at times,” Turner said. But at the end of the day, the effort made a difference.
William Jackson is a freelance writer and the author of the CyberEye blog.