Conflicker, DNS Security and what ICANN is doing about it

by Greg Rattray on February 14, 2009

Over the past two months the Internet has faced yet another threat to its security and one that directly involves the Domain Name System.

The Conflicker/Downadup worm infects computers running Windows operating systems variants. The infected computers can be remotely controlled (i.e. forming a botnet) and the infection propagates through a number of different routes. The worm has been estimated as infecting as many as 10 million hosts and data from the security community indicates the number is at least 1.5 million. One mechanism the worm’s code uses to enable control is to download commands by accessing specific date-based domain names.

In mid-January, security community researchers began to understand which future domain names that the botnet would seek to utilize. These researchers sought cooperation from these registries to protect the names that would potentially be utilized. ICANN has worked with the registries, the security researcher community and Microsoft to share information, discuss specific mitigation steps and reach out globally across all involved parties to block the spread of the worm and formation of a massive botnet. This type of collaborative response is a model for dealing with distributed, evolving threats to the Internet’s security and resiliency.

We believe that malicious code using the DNS to enable propagation of worms and establishment of large botnets is likely to continue, even increase, in the short term. We are continuing our collaboration in response to the Conflicker/Downadup worm/botnet. DNS registries, the security community, and ICANN staff have agreed to initiate a working group to establish how ICANN can enable timely and effective responses to such worm/botnet situations that involve abuse of the DNS and threaten Internet security and resiliency.

Greg Rattray

ICANN Chief Internet Security Advisor

{ 1 comment… read it below or add one }

Jordan 03.31.09 at 7:54 pm

This ‘worm’ is going to block access to “”, and other anti-virus sites, so I recommend running anti-virus software 24/7. The virus has supposedly been downloaded on millions of systems, and will be activated on April 1st. Please visit the links below to protect you and whoever else may be on your network. Disable file sharing, enable your firewall, and maybe even shutdown your system.

Info about the threat:

Worm removal software:

Leave a Comment

You can use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>

To prove you're a person (not a spam script), type the security word shown in the picture. Click on the picture to hear an audio file of the word.
Anti-spam image