Introduction

Conficker is a family of “worms” (malicious computer software programs). Its purpose is to infect computers and then spread itself to other computers without any human interaction. Currently, there are at least three known variants of Conficker: A, B and C.

Conficker makes use of the DNS as one of it's mechanisms to enable command and control mechanisms.

Specifically the variant known as confickerC has code that generates a list of domain names each day and attempts to use those names to contact C&C machines. Each day the infected host will generate 50000 unique names that sit under 116 registries in the Country Code TLD name space.

Each of the affected registry operators has been made aware of the issue and is taking action as deemed appropriate.

For a detailed analysis of confickerC please see http://mtc.sri.com/Conficker/addendumC/index.html

Conficker malware targets ccTLDs – immediate action is required

It has infected several million hosts and new versions continue to appear, launching a potential botnet that would be capable of inflicting widespread damage to a nation’s or industry’s technical infrastructure.

What is Conficker?

Conficker is a family of “worms” (malicious computer software programs). Its purpose is to infect computers and then spread itself to other computers without any human interaction. Currently, there are at least three known variants of Conficker: A, B and C/D.

What is the purpose of Conficker?

The purpose of Conficker is not entirely understood at this time. What is know is that Conficker has been created as a two-stage threat. The first stage of Conficker is responsible for the infection of as many computers as possible. It is this stage that has been deployed and running rampant on the Internet. The second stage has yet to materialize, although at least one update has been released that is spreading as fast as the original variants. The current Conficker coalition has managed to prevent the existing install base of variants A and B in 214 countries from being updated.

It is this unknown second stage that is the cause for the greatest concern in the security industry. The first version of Conficker attempted to download and install fraudulent antivirus software as a second stage, but no reports of a successful install have been seen at this time.

Given the large numbers of infected Conficker hosts and the lack of clear motive, this threat continues to pose a very large threat to Internet infrastructure. The actors behind Conficker have continued to produce new versions of code that include new mechanisms to retain control and spread infections to other machines. These control mechanisms allow the actors behind Conficker access to possibly control millions of infected machines at one time. At this time, the botnet has not yet been brought to fruition with variants A and B, due to the work of the current Conficker Coalition, but a botnet of this scale should be of great concern to any large company, nation, or infrastructure provider.

How many machines have been infected by Conficker?

While different methodologies for gauging the infection rate and size of Conficker exist, it is generally accepted that the number is in the millions of machines. We do not feel comfortable stating a definitive number due to the propensity of error for each of the methodologies that have used to date.

Why is Conficker important?

At this point in time, the malicious code is waiting for a second-stage binary to appear on one of the randomly generated domains each day. This binary file (based on the structure and logic in Conficker) is required to be digitally “signed” by the malicious parties responsible for Conficker. This insures that the attackers retain control over the entire pool of infected computers moving forward. Since the size of this threat been observed to have been in the millions of infected machines, representatives from various industries were unanimous in their belief that something needed to be done to block this second stage from appearing.

The first attempt at blocking this second stage from appearing took the form of a coalition of effected parties, including software companies, registry operators, security vendors, private security researchers, and academic groups. This group laid out a plan that was formulated by some of the effected registry operators, where the registry operators with ICANN’s participation would reserve or register the domains used by Conficker. The first versions of Conficker utilized a small set of domains generated from an even smaller set of top-level domains. This provided the coalition an opportunity to work with other TLD operators to build out procedures, policies, and some technologies to aid in mitigation of this threat.

The reason you are receiving this document is that a new version of Conficker has been released into the wild. This new version now utilizes randomly generated domain names in 116 different ccTLD’s. Your ccTLD is one of those that is affected by this threat, what we would like to do is provide your organization an opportunity to play a critical role in mitigation of this threat. The Conficker coalition is willing to work with all affected parties to aid them in mitigation of this threat by providing critical information and expertise.

This is where you and your organization can begin to play a role.

Why should your organization be involved in this?

As a global domain registry operator your organization is in a unique position to take action against Conficker. You can not only preserve and grow your brand name internationally, but the reputation of your host countries as well. The individuals behind this threat undoubtedly are relying on the probability that the chosen ccTLD’s do not have the motivation or resources to take action against the threat they have created. With your participation in this effort you will be able to publicly promote your involvement in the mitigation of this potentially disastrous threat. As this threat continues to evolve and grow in its severity every industry involved will play an important role in its mitigation. Our success depends on cooperation and collaboration across industries.

Of special importance and urgency will be the assessment of domains that are already registered, particularly if they are high-profile domains. This is more likely to be an issue for the larger ccTLDs than for the smaller ones due simply to the probability that 4,5 and 6 letter domains have been previously registered.

It is imperative that the ccTLD community provides a united response to this threat lest we become the target of additional threats. This urgency cannot be understated – for a further description, please see SRI’s description of Conficker (http://mtc.sri.com/Conficker).

Action is required immediately – there are only three weeks until April 1st, the projected date that the botmasters will regain control of the botnet – and we are asking that all registries act at least if not more than one week before the domain is to be registered.

What can your organization do to help mitigate this threat?

As a participant in this coalition you will be presented with several options to aid in the mitigation effort, some of which are outlined below.

The current community procedure is to register whatever domains are currently unregistered and point the nameservers to one of the Conficker sinkholes, so as to gain and keep control of the botnet as much as is possible.

Undoubtedly, some of these domains have already been registered. Domains that are already registered will need to be looked at to determine which of the various pidgeon holes they fit into:

  1. Registered by the botmaster(s)
  2. A legitimate registration
  3. Registered by a legitimate security researcher
  4. Registered by a script kiddie trying to gain control of part of the botnet (caveat: the binary file hosted on the domain must be signed by the people behind conficker).

Some things to take into consideration if a domain has already been registered:

  1. How long has the domain been registered for
  2. What other domains are registered by the registrant
  3. Are these other domains part of conficker as well
  4. Where does the domain point to (A records, NS records)

The action taken for the already-registered domains will be determined by who has the current registration.

A list of the domain names used by Conficker can be received by making a request from the mailing list. With these domains we ask that you take the following actions. More specific instructions on what to do with these lists can be gotten from the mailing list.

Register these domains, and utilize the attached DNS NS information to include in the registration information. This will allow the Conficker Coalition to track infected machines and providing reporting to infected parties.

You can reserve or remove the domains in this list from your TLD. This will effectively block anyone from being able to register these domains. The down side to this is that it will not provide any visibility into who is infected by this threat.

Media Policy

We ask that communication to the press on these issues not occur until a unified message from the entire coalition is produced. You can utilize the email support group that is listed below for any questions or comments related to this effort.

Support Group

An email list is available to support your organization work with the research and academic community while we develop a response long-term strategy to deal with global malware threats to DNS infrastructure.

Please sign up at http://shadowserver.org/mailman/listinfo/conficker-dns

Please use an email address associated with the registry to allow for smoother list registrations.

Domain List

To receive a list of domains for your registry make a request from the mailing list. The domains are arranged by their activation date. Due to world time zones and clock skew on machines infected with the malware more than one day can be active for longer than one day.