Posted on Thursday, February 12th, 2009

The Conficker Cabal Announced

by Jose Nazario

Today Microsoft announced a broad industry alliance to combat Conficker, the savage Windows worm exploiting MS08-067. The Conficker group isn’t being formed today; it has been operating for a while now. This is just the public announcement (and also of a quarter-million-dollar bounty for whoever is behind it). Conficker has affected millions of PCs and spreads through the MS08-067 vulnerability over TCP/445, but also over USB keys and file shares. That’s what’s causing it to spread like wildfire in the enterprise. We are a part of this effort, together with groups like ICANN and many others.

One of the strategies being used by the group that has come together is to “soak up” the domain names being used by Conficker with pre-registration and lock. Here’s an example record for one of today’s domains:

Domain ID:D155329089-LROR
Domain Name:PWULRROG.ORG
Created On:10-Feb-2009 23:47:07 UTC
Last Updated On:11-Feb-2009 00:18:18 UTC
Expiration Date:10-Feb-2010 23:47:07 UTC
Sponsoring Registrar:PIR Special Projects (R1776-LROR)
Status:TRANSFER PROHIBITED
Status:ADDPERIOD
Registrant ID:Special-001
Registrant Name:Conficker Cabal
Registrant Organization:Microsoft
Registrant Street1:One Microsoft Way
Registrant Street2:
Registrant Street3:
Registrant City:Redmond
Registrant State/Province:WA
Registrant Postal Code:98052
Registrant Country:US
Registrant Phone:+1.2023243000
Registrant Phone Ext.:
Registrant FAX:
Registrant FAX Ext.:
Registrant Email:cflicker@live.com

The worm seeks to update itself by contacting a long list of pseudo-randomly generated domain names over HTTP and grabbing new code from them. The algorithm behind this domain name generation scheme has been cracked (by F-Secure and others) and used to pre-compute the names so they can be pre-registered, preventing hostile parties from using the update feature. This has been facilitated – greatly facilitated – by ICANN, TLD operators, and various registrars working together with Microsoft and others to identify the names and register the ones they need to. These records can then be pointed at sinkholes to discover Conficker-infected hosts checking in.

That sinkhole data is being shared within the “cabal” and with customers: ISPs and their customers, enterprises, CERT teams, and others. This, in turn, is being used to clean up hosts with tools and information sheets with clear instructions. This is truly a global operation. Here are yesterday’s sinkhole stats for the top countries:

[Figure: Conficker unique IPs by country, Feb 11 2009]
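An added example (not from the original post or from Arbor’s tooling) of how a sinkhole operator turns raw web-server hits into the per-country unique-IP counts shown above. Everything in it is constructed except PWULRROG.ORG, which is the pre-registered name from the WHOIS record: the log lines, the other hostnames, the set of sinkholed names and the prefix-to-country table, which stands in for a real GeoIP database.

```python
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sinkhole web-server log (Apache "combined" format, requested Host appended).
# PWULRROG.ORG is the pre-registered name from the WHOIS record above; the other names
# and all client addresses (documentation ranges) are made up.
SAMPLE_LOG = """\
203.0.113.7 - - [11/Feb/2009:00:01:12 +0000] "GET / HTTP/1.0" 200 0 "-" "Mozilla/4.0" pwulrrog.org
203.0.113.7 - - [11/Feb/2009:00:01:15 +0000] "GET / HTTP/1.0" 200 0 "-" "Mozilla/4.0" pwulrrog.org
198.51.100.23 - - [11/Feb/2009:00:02:40 +0000] "GET / HTTP/1.0" 200 0 "-" "Mozilla/4.0" example-dga.org
192.0.2.44 - - [11/Feb/2009:00:03:01 +0000] "GET / HTTP/1.0" 200 0 "-" "Mozilla/4.0" pwulrrog.org
192.0.2.45 - - [11/Feb/2009:00:03:09 +0000] "GET / HTTP/1.0" 200 0 "-" "Mozilla/4.0" PWULRROG.ORG
192.0.2.46 - - [11/Feb/2009:00:03:20 +0000] "GET / HTTP/1.0" 200 0 "-" "Mozilla/4.0" unrelated.example
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
                    r'(?P<status>\d{3}) \S+ "[^"]*" "[^"]*" (?P<host>\S+)$')

# Names from the pre-computed DGA list that this sinkhole answers for (constructed set).
SINKHOLED = {"pwulrrog.org", "example-dga.org"}

# Stand-in for a GeoIP database: constructed prefix -> ISO country code table.
GEO_TABLE = [(ip_network("203.0.113.0/24"), "CN"), (ip_network("198.51.100.0/24"), "BR"),
             (ip_network("192.0.2.0/24"), "US")]

def country_of(ip):
    """Map a client address to a country code, '??' when no prefix matches."""
    addr = ip_address(ip)
    for net, cc in GEO_TABLE:
        if addr in net:
            return cc
    return "??"

def parse_line(line):
    """Parse one access-log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def unique_ips_by_country(log_text, sinkholed=SINKHOLED):
    """Distinct client IPs per country (largest first) for hits on sinkholed names only.
    One host checking in repeatedly counts once; other hostnames (scanners, crawlers) are noise."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["host"].lower() not in sinkholed:
            continue
        seen[country_of(rec["ip"])].add(rec["ip"])
    return {cc: len(ips) for cc, ips in sorted(seen.items(), key=lambda kv: -len(kv[1]))}
```

Calling `unique_ips_by_country(SAMPLE_LOG)` on the constructed log gives US 2, CN 1, BR 1; the repeated 203.0.113.7 check-in and the request for the non-sinkholed name are not counted.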

Just because the bot’s update mechanism appears to be cut off doesn’t mean that it’s no longer a problem. As noted above, the worm tries to propagate over file shares by brute-forcing usernames and passwords. As it does so, it often locks people out of their accounts once the lockout threshold of failed logins is hit. IT admins everywhere are pretty busy with this.

This whole effort came together because Microsoft and others have been working with the research and security communities for a while now, and a lot of trust and relationships have been built. That trust is what made such a large, cross-group collaboration possible.

A few select links about Conficker:

14 Responses



Comment Post by: Tirana Magazine » Blog Archive » Microsoft offers $250,000 reward for Conficker arrest — February 12th, 2009 @ 6:23 pm EST

[...] It also spreads via removable storage devices like USB drives, and network shares by guessing passwords and usernames, which is “causing it to spread like wild fire in the enterprise,” Jose Nazario, manager of security research for Arbor Networks, wrote on a company blog. [...]

Comment Post by: Microsoft offers $250,000 for online bounty hunters | csmonitor.com — February 12th, 2009 @ 7:00 pm EST

[...] calling for some Web bounty hunters to step forward. The company said today that it will pay up to $250,000 for information that leads to the arrest and conviction of whomever is behind the worldwide [...]

Comment Post by: Richard Johnson — February 13th, 2009 @ 5:35 pm EST

The money offered as the bounty makes me smile.

It’s a strained smile, however, because MS -still- isn’t turning autorun off. In fact, it’s increasingly difficult to find all the sneaky places that MS developers have secreted autorun turn-back-on functionality.

What a waste of effort. By them, and by all of us, their victims.

Autorun and ActiveX enabled by default, and so very promiscuously, pretty much put the lie to MS’s much-ballyhooed security push.

Comment Post by: Allianz gegen Conficker hat sich formiert | seibotec — March 1st, 2009 @ 11:51 am EST

[...] The team is trying to register the domains the worm will target before they can be registered, in order to limit its ability to update. Domains that are already registered, the team will try to approach. The news of the so-called Conficker Cabal can be found here. [...]

Comment Post by: Conficker-Wurm stört legitime Domains im März « Computerhilfe u. Info Blog — March 1st, 2009 @ 5:16 pm EST

[...] ICANN and the other companies involved in blocking Conficker – also known as the Conficker Cabal – are pre-registering the domains that the malware will in future call home. The [...]

Comment Post by: Webmasterflatrate News » Blog Archive » Conficker-Wurm stört legitime Domains im März — March 2nd, 2009 @ 5:49 am EST

[...] ICANN and the other companies involved in blocking Conficker – also known as the Conficker Cabal – are pre-registering the domains that the malware will in future call home. The [...]

Comment Post by: Conficker worm to DDoS legitimate sites in March | Zero Day | ZDNet.com — March 3rd, 2009 @ 5:38 pm EST

[...] locations, but also, allowed security companies to pre-register them and lock them under the Conficker Cabal alliance with members such as Microsoft and the ICANN.  Moreover, perhaps the most pragmatic mitigation solution implemented on a large scale so far, [...]

Comment Post by: Conficker Worm to attack sites this March | Mundane Scribblings — March 4th, 2009 @ 11:54 am EST

[...] locations, but also, allowed security companies to pre-register them and lock them under the Conficker Cabal alliance with members such as Microsoft and the ICANN.  Moreover, perhaps the most pragmatic mitigation solution implemented on a large scale so far, [...]

Comment Post by: Tycoons of the Day : The Worm That Ate the Web — April 1st, 2009 @ 4:11 pm EST

[...] The second flaw: Can’t the Internet’s authorities just make sure that no one registers the domain names that Conficker is checking, thereby preventing anyone from sending the worm its marching orders? Indeed, they can. In February, the worldwide team of computer security groups who’ve been fighting Conficker—the self-dubbed Conficker Cabal—announced that they’d worked out a way to determine the pre-generated list of domains that Conficker would connect to. Eventually the cabal got registrars around the world to prevent people from registering those sites. [...]

Comment Post by: Do you want more about Conficker? @ SpywaresSpot — April 1st, 2009 @ 4:52 pm EST

[...] Worm: Help Protect Windows from Conficker Protect yourself from the Conficker computer worm The Conficker Cabal Announced Taming Conficker, The Easy Way How-to, News botnet, Conficker, [...]

Comment Post by: Legendary Conficker, is it over? Or just a beginning? | The Blog Pirate — April 2nd, 2009 @ 4:12 pm EST

[...] is to be scared of. Particularly devious code provokes more earnest efforts to disarm it. However Microsoft puts shiny reward of $250,000 for information that leads to the arrest and conviction of whomever is behind the worldwide worm. [...]

Comment Post by: haha — May 9th, 2009 @ 3:58 pm EST

If you think that the Conficker was another malicious program designed to exploit your computer then you are wrong and you have been a victim of the planned and manipulated media content.
Conficker was basically a program designed by the underground hackers to expose the fact that there are many loopholes which are intelligently [may intentionally] placed in the operating systems so that when THEY want they can take control of the entire world, since the world only depends on the information technology and most of the IT is based on the Windows operating systems.
It is a program which can be used to take control of all the computers that it has infected using the loopholes that are built in or hidden in by Microsoft into their operating systems so that they can do their dirty job whenever they want.
When they realised that someone already knows about this, the next thing was the cure; yes, all 3 major security service providers, Symantec, Kaspersky and McAfee, came up with a cure. How amazing and surprising. It was almost like someone gave them the cure so that they can use it in their operating systems.
No child is going to believe that Microsoft was not aware of such loopholes in their operating systems.
I hope there are at least some people who know what I am saying.

Comment Post by: Jan-Piet Mens » Cheeky buggas — September 2nd, 2009 @ 2:13 pm EST

[...] fact, Conficker Cabal is an alliance to combat Conficker, the savage Windows [...]
