Conficker Update
John Crain
Dec 13, 2015
What is Conficker?
• An Internet worm
Malicious code that is self-replicating and distributed over a network
• A blended threat
Uses various methods to spread the infection (network file shares, mapped drives, removable media)
• A Dynamic Link Library
Conficker is not an executable but “additional code” that an executable already on a computer must load
What is the Conficker botnet?
• An army that can be directed at will by rendezvous points to support a wide range of malicious, criminal or terrorist activities for as long as the computer remains infected and as long as the bots can remotely communicate with the rendezvous point(s)
Infections?
Source: http://www.confickerworkinggroup.org
ccTLDs used by Conficker
Is Conficker still active?
Despite best efforts, infected machines still number in the many millions!!
Could DNS still be used as a rendezvous?
Yes, however peer-to-peer and other mechanisms are being used for updates.
Should we still block and “sinkhole”?
Yes, at a minimum sinkholing gives those attempting to tackle Conficker insight into the infection and helps with ongoing clean-up.
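The insight a sinkhole yields is mostly a count of who is still asking for the rendezvous domains. The following is an added example, not code from the slides or the Conficker Working Group: it parses constructed sinkhole query log lines (format assumed: timestamp, client IP, qname) against a constructed list of sinkholed names and reports unique querying hosts overall and per ccTLD, with the NAT/DHCP caveat that makes such counts approximate.

```python
import re
from collections import defaultdict

# Constructed sample of sinkhole DNS query log lines; the format is an assumption.
SINKHOLE_LOG = """\
2015-12-13T10:00:01Z 198.51.100.7 qname=qzvph.ws
2015-12-13T10:00:02Z 198.51.100.7 qname=qzvph.ws
2015-12-13T10:00:05Z 203.0.113.9 qname=mtrkx.vn
2015-12-13T10:00:07Z 203.0.113.10 qname=bwyel.ws
2015-12-13T10:00:09Z 198.51.100.7 qname=www.example.com
2015-12-13T10:00:11Z 203.0.113.11 qname=hgqzo.hn
"""

# Sinkholed rendezvous names: constructed placeholders, not real Conficker domains.
SINKHOLED = {"qzvph.ws", "mtrkx.vn", "bwyel.ws", "hgqzo.hn"}

LINE_RE = re.compile(r"^(\S+) (\S+) qname=(\S+)$")


def parse_line(line):
    """Return (timestamp, client_ip, qname) or None for a malformed line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, client, qname = m.groups()
    return ts, client, qname.lower().rstrip(".")


def tld(qname):
    """Last label of the name, i.e. the (cc)TLD the rendezvous domain sits under."""
    return qname.rsplit(".", 1)[-1]


def summarize(log_text, sinkholed):
    """Count sinkhole hits and distinct querying hosts, overall and per TLD.

    Distinct client IPs are only an estimate of infected machines: hosts
    behind one NAT collapse into a single address, while DHCP churn makes
    one machine show up under several addresses over time.
    """
    hosts_by_tld = defaultdict(set)
    hits = 0
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # skip malformed lines rather than aborting the run
        _, client, qname = rec
        if qname in sinkholed:  # queries for non-sinkholed names are ignored
            hits += 1
            hosts_by_tld[tld(qname)].add(client)
    all_hosts = set().union(*hosts_by_tld.values())
    return {"hits": hits, "unique_hosts": len(all_hosts),
            "hosts_by_tld": {k: len(v) for k, v in hosts_by_tld.items()}}
```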
Global DNSCERT
Business case for collaboration in security
Background
• Growing risks to DNS security and resiliency
Emergence of Conficker. Growing number of domain hijacking cases
• Community calls for systemic DNS security planning and response
• ICANN commitments under Affirmation of Commitments
• Initiatives called for in ICANN 2010-2013 Strategic Plan
Objectives of threats to DNS
• Politically-motivated disruption of DNS
• Desire for financial gain
• Demonstration of technical superiority
• Gratuitous defacement or damage
Source: 2009 Information Technology Sector Baseline Risk Assessment, US Dept of Homeland Security
Potential impacts
• Long lasting damage to “Trust” in system
• Significant and lasting economic harm
• Is the Internet as we know it at Risk from malicious behavior?
Lessons learned
• Conficker (’08- )
DNS played a role in slowing Conficker
Complex interactions with DNS community
Resource-intensive response activity
• Conficker WG noted need for a dedicated incident response capability
Lessons learned
• Protocol vulnerability (’08)
Fast response, but
Predicated on ability to find “key people”
• A coordination center would have improved situational awareness
Diagram of cache poisoning attack
Lessons learned
• Avalanche (’08- )
Targets financial sector
Exploits the limited resources of registrars
Trend continues upward
• Complex coordination requires dedicated team
http://www.icann.org/en/topics/ssr/dns-cert-business-case-10feb10-en.pdf
Maybe a DNS-CERT?
Mission of DNS CERT
“Ensure DNS operators and supporting organizations have a security coordination center with sufficient expertise and resources to enable timely and efficient response to threats to the security, stability and resiliency of the DNS”
Goals
• Validate need for standing collaborative response capability to address systemic threats/risks
Full-time/global; coordinate existing capabilities; serve all stakeholders especially less resourced operators
• Operational focus determined in engagement with stakeholders and leveraging existing efforts
Fostering situational awareness; incident response assistance/coordination;
Stakeholders by role
Participation and feedback
• DNS CERT must respond to constituency needs
• Participation by key constituents
Adds capability to CERT
Extends its geographic reach
Helps keep focus on constituency needs
Resource requirements
• $4M initial annual budget
• 12 technical staff (3 technical resources x 4 global regions)
• 3 overhead staff (covering legal, administration & finance)
• Operations support, travel and facilities
Open questions include:
• Where should it be housed?
• What is best model?
• How should it be funded?
• Etc. etc.
Way Forward
• This is a “proposal”; we need feedback!
• Seek community feedback
Session scheduled for Nairobi meeting
Email [email protected] with comments