Post on 13-Dec-2015

Conficker Update

John Crain

What is Conficker?

• An Internet worm

Malicious code that is self-replicating and distributed over a network

• A blended threat

Uses various methods to spread the infection (network file shares, mapped drives, removable media)

• A Dynamic Link Library

Conficker is not an executable but “additional code” that an executable already on a computer must load

What is the Conficker botnet?

• An army that can be directed at will by rendezvous points to support a wide range of malicious, criminal or terrorist activities for as long as the computer remains infected and as long as the bots can remotely communicate with the rendezvous point(s)

Infections?

Source: http://www.confickerworkinggroup.org

ccTLDs used by Conficker

Is Conficker still active?

Despite best efforts, infected machines still number in the many millions!

Could DNS still be used as a rendezvous?

Yes; however, peer-to-peer and other mechanisms are being used for updates.

Should we still block and “sinkhole”?

Yes. At a minimum, sink-holing gives those attempting to tackle Conficker insight into the infection and helps with ongoing clean-up.
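As an added illustration of the sink-holing point above (this is example code, not from the slides or the Conficker Working Group), the toy resolver policy below answers lookups for block-listed rendezvous names with a sinkhole address and records which internal client asked. The block list, the client addresses and the log lines are constructed placeholders; the sinkhole address is assumed from the RFC 5737 documentation range. The per-client report at the end is the “insight into the infection” that drives clean-up.

```python
"""Toy DNS sinkhole policy (added example; not code from the original slides).

Rendezvous names on the block list are answered with a sinkhole address
instead of the real one, and every client that asks is recorded so that
responders can find infected hosts from the sinkhole's own logs.
"""
from collections import defaultdict
from dataclasses import dataclass, field

# Assumed sinkhole address (RFC 5737 documentation range, not a real sinkhole).
SINKHOLE_IP = "192.0.2.10"

# Constructed placeholder block list; real lists come from the Conficker Working Group.
BLOCKED_DOMAINS = {"rendezvous-example.test", "update-example.example"}


@dataclass
class Sinkhole:
    blocked: set
    # client IP -> set of blocked names it asked for
    sightings: dict = field(default_factory=lambda: defaultdict(set))

    def is_blocked(self, qname):
        # Match the listed domain itself or any subdomain of it,
        # case-insensitively and ignoring a trailing dot.
        name = qname.lower().rstrip(".")
        return any(name == d or name.endswith("." + d) for d in self.blocked)

    def resolve(self, client_ip, qname, real_answer):
        # Blocked names get the sinkhole address; everything else passes through.
        if self.is_blocked(qname):
            self.sightings[client_ip].add(qname.lower().rstrip("."))
            return SINKHOLE_IP
        return real_answer

    def infection_report(self):
        # Sorted view of which clients contacted which rendezvous names.
        return {client: sorted(names) for client, names in self.sightings.items()}


# Constructed resolver log, one query per line: "<client> <qname> <real answer>".
# Addresses are from the RFC 5737 documentation ranges.
SAMPLE_LOG = """\
10.0.0.5 www.example.org 198.51.100.1
10.0.0.7 abc.rendezvous-example.test 203.0.113.9
10.0.0.5 UPDATE-EXAMPLE.example. 203.0.113.10
10.0.0.9 mail.example.org 198.51.100.2
10.0.0.7 xyz.rendezvous-example.test 203.0.113.11
"""


def parse_log(text):
    # Yield (client, qname, answer) tuples, skipping blank lines.
    for line in text.splitlines():
        if not line.strip():
            continue
        client, qname, answer = line.split()
        yield client, qname, answer


def run_sinkhole(log_text=SAMPLE_LOG, blocked=BLOCKED_DOMAINS):
    """Apply the sinkhole policy to a log; return (answers given, infection report)."""
    sinkhole = Sinkhole(set(blocked))
    answers = [
        (client, qname, sinkhole.resolve(client, qname, answer))
        for client, qname, answer in parse_log(log_text)
    ]
    return answers, sinkhole.infection_report()


if __name__ == "__main__":
    given, report = run_sinkhole()
    for client, qname, answer in given:
        print(f"{client} {qname} -> {answer}")
    print("clients to clean up:", report)
```

Subdomain matching matters because a bot may query a fresh label under the rendezvous domain on each attempt; matching only exact names would let those through.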

Global DNSCERT

Business case for collaboration in security

Background

• Growing risks to DNS security and resiliency

Emergence of Conficker

Growing number of domain hijacking cases

• Community calls for systemic DNS security planning and response

• ICANN commitments under Affirmation of Commitments

• Initiatives called for in ICANN 2010-2013 Strategic Plan

Objectives of threats to DNS

• Politically-motivated disruption of DNS

• Desire for financial gain

• Demonstration of technical superiority

• Gratuitous defacement or damage

Source: 2009 Information Technology Sector Baseline Risk Assessment, US Dept of Homeland Security

Potential impacts

• Long lasting damage to “Trust” in system

• Significant and lasting economic harm

• Is the Internet as we know it at Risk from malicious behavior?

Lessons learned

• Conficker (’08- )

DNS played a role in slowing Conficker

Complex interactions with DNS community

Resource-intensive response activity

• Conficker WG noted need for a dedicated incident response capability

Lessons learned

• Protocol vulnerability (’08)

Fast response, but predicated on ability to find “key people”

• A coordination center would have improved situational awareness

Diagram of cache poisoning attack

Lessons learned

• Avalanche (’08- )

Targets financial sector

Exploits the limited resources of registrars

Trend continues upward

• Complex coordination requires dedicated team

http://www.icann.org/en/topics/ssr/dns-cert-business-case-10feb10-en.pdf

Maybe a DNS-CERT?

Mission of DNS CERT

“Ensure DNS operators and supporting organizations have a security coordination center with sufficient expertise and resources to enable timely and efficient response to threats to the security, stability and resiliency of the DNS”

Goals

• Validate need for standing collaborative response capability to address systemic threats/risks

Full-time/global; coordinate existing capabilities; serve all stakeholders especially less resourced operators

• Operational focus determined in engagement with stakeholders and leveraging existing efforts

Fostering situational awareness; incident response assistance/coordination

Stakeholders by role

Participation and feedback

• DNS CERT must respond to constituency needs

• Participation by key constituents

Adds capability to CERT

Extends its geographic reach

Helps keep focus on constituency needs

Resource requirements

• $4M initial annual budget

• 12 technical staff (3 technical resources x 4 global regions)

• 3 overhead staff (covering legal, administration & finance)

• Operations support, travel and facilities

Open questions include:

• Where should it be housed?

• What is the best model?

• How should it be funded?

• Etc. etc.

Way Forward

• This is a “proposal”: we need feedback!

• Seek community feedback

Session scheduled for Nairobi meeting

Email yurie.ito@icann.org with comments