Saturday, April 4, 2009

Domain-hoarding may have hamstrung Conficker


Prior to the April 1st update for the Conficker worm, security researchers scrambled to snatch up the domains which the botnet's controllers were thought to be targeting.

In a follow-up posting on the company's security blog, F-Secure researcher Patrik Runald said that in the days leading up to the April 1st scheduled update, a group of security vendors and researchers working under the name "Conficker working group" worked to prevent Conficker's operators from registering targeted domains.

The Conficker.C revision was programmed to generate a list of domains which could then be contacted by infected machines to receive an update and possibly new attack instructions.

In an effort to thwart such an update, Runald said that researchers scrambled to prevent the registration of those domains, leaving controlled machines to 'phone home' to empty sites.
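The mechanism the article describes, a date-seeded domain list that both the worm and the researchers who reverse-engineered it can compute in advance, is what made pre-emptive registration possible. The following is an added example, not code from the article, F-Secure or the Conficker Working Group; the generator is a hypothetical SHA-256-based stand-in and is not Conficker's actual algorithm. It shows the defender's side of the exercise: computing the candidate domains for a window of days, then checking where a bot's lookups on a given day would land once those names are held or blocked.

```python
import hashlib
from datetime import date, timedelta

# Hypothetical date-seeded domain generator, constructed for illustration.
# This is NOT Conficker's real algorithm; it only models the property the
# article relies on: for a given day, the bot and anyone who has analysed
# the worm derive the same list, so the list can be computed ahead of time.
TLDS = ("com", "net", "org")


def generate_domains(day, count=10, tlds=TLDS):
    """Return the deterministic list of candidate domains for `day`."""
    seed = day.isoformat().encode()
    domains = []
    for i in range(count):
        digest = hashlib.sha256(seed + i.to_bytes(2, "big")).hexdigest()
        # Map the first eight hex digits onto a short lowercase label.
        label = "".join(chr(ord("a") + int(c, 16) % 26) for c in digest[:8])
        domains.append(f"{label}.{tlds[i % len(tlds)]}")
    return domains


def preregistration_plan(start, days, count=10):
    """Domains a working group would need to hold or block for every day
    in the window starting at `start`. Keyed by day for registry hand-off."""
    plan = {}
    for offset in range(days):
        day = start + timedelta(days=offset)
        plan[day] = generate_domains(day, count)
    return plan


def simulate_update_attempt(day, blocked, attacker_held, count=10):
    """Classify where each of a bot's lookups for `day` would land.

    `blocked` is the set of names the working group holds or has had the
    registries refuse; `attacker_held` models names the operators managed
    to register. Returns counts for 'blocked', 'attacker', 'unregistered'.
    The article's outcome corresponds to 'attacker' == 0: every lookup
    reaches an empty site or nothing at all."""
    result = {"blocked": 0, "attacker": 0, "unregistered": 0}
    for domain in generate_domains(day, count):
        if domain in blocked:
            result["blocked"] += 1
        elif domain in attacker_held:
            result["attacker"] += 1
        else:
            result["unregistered"] += 1
    return result


if __name__ == "__main__":
    target = date(2009, 4, 1)
    plan = preregistration_plan(target, days=3, count=6)
    held = {name for names in plan.values() for name in names}
    print(f"{len(held)} names to hold over 3 days")
    print(simulate_update_attempt(target, held, set(), count=6))
```

The plan grows linearly with the number of days and domains per day, which is why a coordinated registry effort, rather than a single vendor registering names, was needed; the simulation makes the success condition explicit as a zero count for attacker-controlled names.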

"What really happened was that the Conficker Working Group was able to prevent them from registering any of the domains used by the worm," wrote Runald.

"Never before have we seen such a global cooperation within the industry and we're proud to be a member of that group."

However, Runald acknowledged other factors which also likely contributed to Conficker's no-show, such as the amount of media attention given to the date.

Runald also cautioned that the passing of the April 1st deadline does not mean the end of a threat from Conficker.

The botnet's controllers could still issue an update for the worm, and Conficker's peer-to-peer capabilities could already have allowed an update to begin circulating.
