Over the past two months the Internet has faced yet another threat to its security and one that directly involves the Domain Name System.
The Conflicker/Downadup worm infects computers running Windows operating systems variants. The infected computers can be remotely controlled (i.e. forming a botnet) and the infection propagates through a number of different routes. The worm has been estimated as infecting as many as 10 million hosts and data from the security community indicates the number is at least 1.5 million. One mechanism the worm’s code uses to enable control is to download commands by accessing specific date-based domain names.
In mid-January, security community researchers began to understand which future domain names that the botnet would seek to utilize. These researchers sought cooperation from these registries to protect the names that would potentially be utilized. ICANN has worked with the registries, the security researcher community and Microsoft to share information, discuss specific mitigation steps and reach out globally across all involved parties to block the spread of the worm and formation of a massive botnet. This type of collaborative response is a model for dealing with distributed, evolving threats to the Internet’s security and resiliency.
We believe that malicious code using the DNS to enable propagation of worms and establishment of large botnets is likely to continue, even increase, in the short term. We are continuing our collaboration in response to the Conflicker/Downadup worm/botnet. DNS registries, the security community, and ICANN staff have agreed to initiate a working group to establish how ICANN can enable timely and effective responses to such worm/botnet situations that involve abuse of the DNS and threaten Internet security and resiliency.
ICANN Chief Internet Security Advisor