With global effort, a new type of worm is slowed

Conficker worm provides a new kind of cat-and-mouse game for researchers.

With thousands of domains, however, this tactic can become time consuming and expensive. So with Conficker, the group has identified and locked up names using a new technique, called domain pre-registration and lock.

By dividing up the work of identifying and locking out Conficker's domains, the group has only kept the worm in check, not dealt it a fatal blow, said Andre DiMino, co-founder of The Shadowserver Foundation, a cybercrime watchdog group. "This is really the first key effort at this level that has the potential to make a substantial difference," he said. "We'd like to think we've had some effect in crippling it."

This is uncharted territory for ICANN, the group responsible for managing the Internet's address system. In the past, ICANN has been criticized for being slow to use its power to revoke accreditation from domain name registrars who have been widely used by criminals. But this time it's getting praise for relaxing rules that made it hard to lock down domains and for bringing together the group's participants.

"In this specific case they greased the wheels so that things would move quickly," said David Ulevitch, founder of OpenDNS. "I think they should be commended for that. ... It's one of the first times that ICANN has really done something positive."

The fact that such a diverse group of organizations are all working together is remarkable, said Rick Wesson, CEO of network security consultancy Support Intelligence. "That China and America cooperated to defeat a malicious activity on a global scale... that's serious. That's never happened," he said.

ICANN did not return calls seeking comment for this story, and many of the participants in the Conficker effort, including Microsoft, Verisign and the China Internet Network Information Center (CNNIC), declined to be interviewed for this article.

Privately, some participants say that they do not want to draw attention to their individual efforts to combat what may well be an organized cybercrime group. Others say that because the effort is so new, it is still premature to discuss tactics.

Whatever the full story, the stakes are clearly high. Conficker has already been spotted on government and military networks and has been particularly virulent within corporate networks. One slip-up, and Conficker's creators could reprogram their network, giving the computers a new algorithm that would have to be cracked and giving them an opportunity to use these computers for nefarious purposes. "We have to be 100 percent accurate," Wesson said. "And the battle is a daily battle."

(Sumner Lemon in Singapore contributed to this report.)
