The initial variants of the worm, Conficker A/B, focused on potentially utilizing a limited number of domain names to control the infected computers. The affected registrars have collaborated to block the control of this variant of the worm over the past two months. A new variant, Conficker C, has been identified. This variant is more complex and presents increased mitigation challenges. Among these challenges, Conficker C seeks to use a wider range of domain names across the DNS, involving many more names in across a greater number of registries. Analysis indicates the Conficker C code will become active on April 1st.

ICANN is working with the security, vendor and DNS communities in an effort to proactively inform those involved registries who might be affected with specific information that will enable them to block the use of the DNS to control the infected computers. Through the outreach, the registry community is now in close contact with the Conficker working group and taking actions appropriate to their particular situations. An important note regarding April 1st: While the Conficker C code may become active on this date, the DNS and the Internet will likely not see a sudden wave of disruption or activity from the infected computers. Lack of activity on April 1st does not mean the millions of infected computers have been cleaned up or that efforts to mitigate the control of these computers can stop.

The cooperation to stop the spread of the Conficker worm and block control of the infected computers has become a major effort involving well over 100 organizations. The collaborative has conducted shared technical analysis and passed information resulting in practical, proactive steps to limit control and stop the spread of the worm. ICANN will continue its efforts with the security and DNS communities and sees this effort as a model for effective global response to situations that challenge the security and stability of the Internet and the DNS. We also want to encourage individuals and organizations who are concerned about removing the malicious code and to contribute to disabling Conficker to visit http://confickerworkinggroup.org/wiki/ for information regarding what can be done.

The Conflicker/Downadup worm infects computers running Windows operating systems variants. The infected computers can be remotely controlled (i.e. forming a botnet) and the infection propagates through a number of different routes. The worm has been estimated as infecting as many as 10 million hosts and data from the security community indicates the number is at least 1.5 million. One mechanism the worm’s code uses to enable control is to download commands by accessing specific date-based domain names.

In mid-January, security community researchers began to understand which future domain names that the botnet would seek to utilize. These researchers sought cooperation from these registries to protect the names that would potentially be utilized. ICANN has worked with the registries, the security researcher community and Microsoft to share information, discuss specific mitigation steps and reach out globally across all involved parties to block the spread of the worm and formation of a massive botnet. This type of collaborative response is a model for dealing with distributed, evolving threats to the Internet’s security and resiliency.

We believe that malicious code using the DNS to enable propagation of worms and establishment of large botnets is likely to continue, even increase, in the short term. We are continuing our collaboration in response to the Conflicker/Downadup worm/botnet. DNS registries, the security community, and ICANN staff have agreed to initiate a working group to establish how ICANN can enable timely and effective responses to such worm/botnet situations that involve abuse of the DNS and threaten Internet security and resiliency.

Greg Rattray

ICANN Chief Internet Security Advisor