The inability to attribute Conficker to an individual or group has been named as a key failure of the effort to combat the worm and eliminate the threat.
Calling Conficker ‘one of, if not, the single largest cyber threats in recent memory', the Conficker Working Group (CWG) has published a ‘Lessons Learned' document looking at the history of the botnet, its variants and the action steps taken against it.
It said that it saw its biggest success as preventing the author of Conficker from gaining control of the botnet, while its biggest failure was the inability to remediate infected computers and eliminate the threat of the botnet.
The report said that its main reasons for success was its ability to obtain cooperation from the Internet Corporation for Assigned Names and Numbers (ICANN) and top-level domains, as without these the group would have been able to do little to scale the registration of international domains to block Conficker C from updating.
It said: “Processes are now in place that may make future coordination efforts easier, and many countries are reviewing domestic regulations, which would hopefully streamline their internal processes for dealing with such threats.”
In regard to its biggest failure, it said that while remediation efforts did take place, millions of the A/B variations of Conficker remain on infected computers. Members of the group recommended a greater focus on remediation from the start and more coordinated communication with ISPs. However, some indicated that total remediation may not have been a realistic goal.
It also pointed to a lack of cooperation with government, ISPs and law enforcement. It said that private sector collaboration, public-private information sharing, support to law enforcement, resources and legislative reform are among the many urgent requirements if the cyber security community is to stay ahead of impending threats.
In terms of a strategy to battle Conficker, the group encouraged a focus on the larger overall threat environment and to develop a strategy for dealing with that global issue, rather than a ‘whack-a-mole' approach of battling one incident after another. It also encouraged the establishment of a mindset of a ‘long term battle' at the outset to help manage burn-out and fatigue.
It said: “Conficker is among the largest botnets in the past five years. It combined a number of the best tricks and traps within malware. Experts felt Conficker was dangerous because it was an open-ended tool that could be used for a variety of purposes, without signalling the author's true motivation.
“The ability of Conficker's author to rapidly update and distribute new versions of code to adapt to changing security efforts made it unique and more difficult to contain. When the GeoIP system was renamed and moved, harming Conficker A's ability to spread, Conficker B was released. When the Conficker Working Group announced it would block domains, the author began incorporating P2P technology and vastly expanded the domains that could be registered, making the defenders' job significantly more difficult.”
In terms of the future of the CWG, when asked, most members believe it would remain intact and focused on Conficker as long as that threat remains. They said that it remains important to block the A/B version from receiving instructions or updates, as with millions of computers still infected, it could be taken over by the author again should the effort to block the domains wane.
The group said that it does not plan to take on additional tasks or attempt to counter new threats beyond Conficker.
Rodney Joffe, senior VP and senior technologist at Neustar and a director of the CWG, said: “The CWG was an overwhelming success in demonstrating how the global community, public and private, can (and should in the future) come together to combat common threats.
“However it is also a clear example of how this ‘best of breed' cooperation is generally powerless to stop determined attacks. Conficker remains undefeated and no arrests have yet been made. The operation was a complete success; unfortunately the patient died.”