by Mark Hachman
Microsoft, several security firms, and members of the academic community came together Thursday to try and develop a coordinated plan to halt the spread of the Conficker worm, also known as Downadup.
Microsoft announced a $250,000 reward for information leading to the arrest and conviction of the Conficker author or authors, available to anyone in any country, subject to local laws. Meanwhile, a group of security companies pledged to work together to disable domains targeted by Conficker.
Conficker's spread has been astonishing. The Houston, TX police department had to stop arresting some people because of a Conficker outbreak throughout municipal computer systems. And infections in French military computers were so bad that fighter planes were grounded.
The quarantining of Conficker will also be assisted by OpenDNS, a free service that adds anti-phishing and security protections to DNS. OpenDNS has blacklisted the domains predicted by Kaspersky to service Conficker, so even if a user gets infected somehow the infection will not likely spread from them, nor will their infected system be able to receive updates. Furthermore, OpenDNS will know that a client on the network has made a request indicative of Conficker infection, and therefore will notify the network administrator of the infection on the network.
"As part of Microsoft's ongoing security efforts, we constantly look for ways to use a diverse set of tools and develop methodologies to protect our customers," George Stathakopoulos, general manager of Microsoft's Trustworthy Computing Group, said in a statement. "By combining our expertise with the broader community we can expand the boundaries of defense to better protect people worldwide."
Microsoft's partners in the effort include ICANN, Neustar, VeriSign, CNNIC, Afilias, Public Internet Registry, Global Domains International, Inc., M1D Global, AOL, Symantec, F-Secure, ISC, researchers from Georgia Tech, The Shadowserver Foundation, Arbor Networks and Support Intelligence.
"The best way to defeat potential botnets like Conficker/Downadup is by the security and domain name system communities working together," said Greg Rattray, chief Internet security advisor for ICANN, in a statement. "ICANN represents a community that's all about coordinating those kinds of efforts to keep the Internet globally secure and stable."
One of the methods that the partnership will seek to use will be to predict the domains that the Conficker worm will use, and lock them down beforehand.
"The worm seeks to update itself by using a long list of pseudo-randomly generated domain names to contact over HTTP and then grab new code," Jose Nazario, a senior security researcher at Arbor Networks, wrote in a blog post. "The algorithm for this domain name generation scheme has been cracked (by F-Secure and others) and has been used to pre-compute the names for pre-registration to prevent hostile parties from using this update feature. This has been facilitated - greatly facilitated - by ICANN, TLD operators, and various registrars working together with Microsoft and others to identify the names and grab the ones they need to. These records can then be pointed at sinkholes to discover Conficker-infected hosts checking in."
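To make the "predict the domains, pre-register them, point them at sinkholes, and flag the hosts that check in" workflow concrete, here is an added Python example; it is not code from the article or from any organisation named in it. The domain generator is a constructed, date-seeded stand-in for a reverse-engineered DGA (not Conficker's real algorithm), and the resolver log lines are constructed.

```python
import hashlib
from collections import defaultdict
from datetime import date, timedelta

TLDS = ("com", "net", "org")


def toy_dga(day, count=5):
    """Constructed stand-in for a cracked DGA: because the output depends only on the
    date, defenders can enumerate the names before the worm ever asks for them."""
    names = []
    for i in range(count):
        digest = hashlib.sha256(f"{day.isoformat()}:{i}".encode()).hexdigest()
        # 8 lowercase letters derived from successive digest bytes
        label = "".join(chr(ord("a") + int(digest[2 * j:2 * j + 2], 16) % 26) for j in range(8))
        names.append(f"{label}.{TLDS[i % len(TLDS)]}")
    return names


def precompute_blocklist(start, days):
    """Every domain the generator would produce over a window: the list a registry
    would pre-register and a resolver such as OpenDNS would blacklist/sinkhole."""
    return {name for n in range(days) for name in toy_dga(start + timedelta(days=n))}


def find_infected_hosts(log_lines, blocklist):
    """Scan resolver log lines of the form '<timestamp> <client> <qname>' and return
    {client: [matching qnames]} for clients that resolved a sinkholed name, i.e. the
    signal an administrator would be notified about. Malformed lines are skipped."""
    hits = defaultdict(list)
    for line in log_lines:
        parts = line.split()
        if len(parts) != 3:
            continue
        _ts, client, qname = parts
        qname = qname.rstrip(".").lower()  # normalise FQDN trailing dot and case
        if qname in blocklist:
            hits[client].append(qname)
    return dict(hits)


# Constructed sample: a three-day precompute window and a handful of resolver queries.
START = date(2009, 2, 12)
BLOCKLIST = precompute_blocklist(START, 3)
SAMPLE_LOG = [
    f"2009-02-13T10:00:01 10.0.0.5 {toy_dga(date(2009, 2, 13))[0]}.",
    "2009-02-13T10:00:02 10.0.0.7 www.example.com.",
    f"2009-02-13T10:00:03 10.0.0.5 {toy_dga(date(2009, 2, 13))[2].upper()}",
    "2009-02-13T10:00:04 10.0.0.9 malformed",
    f"2009-02-13T10:00:05 10.0.0.9 {toy_dga(date(2009, 2, 20))[0]}",  # outside window
]

if __name__ == "__main__":
    print(find_infected_hosts(SAMPLE_LOG, BLOCKLIST))
```

Only 10.0.0.5 is reported: 10.0.0.7 resolved a benign name, and 10.0.0.9 asked for a name the window did not cover, which is exactly why the precompute horizon has to stay ahead of the worm's calendar.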
Additional reporting by Larry Seltzer.
(by Vincent Granville):
- The virus works with Internet Explorer, but not with Firefox (Firefox manages to prevent the popup windows from opening)
- Closing your browser when you don't use it helps reduce the impact
- Rebooting your machine in the middle of the day, or turning it off at night, also helps
- Working offline whenever you can further reduces the risks
- Transferring critical data or files to a non-infected machine or server is recommended
Some viruses will self-destruct on an infected machine if they "think" that they are under investigation. So any behavior that lets the virus believe that it is scrutinized can sometimes help. Of course the solution is to get rid of it, but in this case I've heard that anti-virus programs don't work. This virus will actually try to get you to buy anti-spyware from some vendors. It is also believed to be involved in click fraud.