Some history first

In October 2008, I began following circumstances that culminated in the creation of the Conficker/Downadup worm. October is when the security community really started applying pressure on Microsoft. So much so that Microsoft released MS08-067 as an out-of-band hot fix. As you can imagine, that caught everyone’s attention, because Microsoft usually doesn’t hurry up any release.

So a cure became available; yet by December 2008, the Conficker worm started to infect a significant number of computers. I even mentioned in my first article about Conficker, “MS08-067: Not Updating Has Created a Monster Botnet” that security analysts were concerned that Conficker wasn’t anywhere near done recruiting bot members. I wonder if they could have even imagined the current extent of infestation.

Even with the release of a patch, debate is ongoing as to whether MS is to blame for too little/too late or whether it’s the users who aren’t updating. Initially, I suspected it was both. Now I consider the problem to be a lot more complicated than what I originally perceived. This is because my network admin friends are telling me that corporate networks are getting hit pretty hard with Conficker.

That tells me that system admins were having issues with an out-of-band patch. Fortunately, I determined that Conficker was zero day, so when the MS fix came out I spent all night testing and finally rolling it out. Still the network I’m responsible for is relatively small; I can only imagine what would be required for the more complicated enterprise networks, especially those with specialized applications.

I goofed

In that December article, I wrongly forecasted that all the infected computers were developing into a monster botnet. I corrected that mistake in my next article, “Botnets: New and Certainly Improved.” Mentioning that as of January 2009, the infected computers were still trying to reach command and control servers, so they weren’t organized into a botnet as of yet.

This wasn’t making any sense to the experts. Several million computers infected and doing nothing but phoning home looking for instructions. Hmmm.

What’s happening now?

Every day each computer infected by the Conficker worm generates a fresh list of approximately 200 random domain names. Then the infected computer attempts to contact servers advertising those domain names, expressly looking for new instructions. Well, it’s now February and still no command and control servers are apparent and that alone is baffling experts. What are the people who developed Conficker doing?

Who’s involved

As I mentioned earlier, the Conficker worm has gained the attention of many experts. It’s quite an impressive group, including security researchers from Microsoft, Arbor Networks, F-Secure Corp, Georgia Tech, Internet Storm Center, Symantec Corp, Verisign, and even ICANN. I’m sure I’ve left out several companies, but you get the picture. The group even has a name “Stop-Conficker Coalition” (not sure who coined the name).

Microsoft is 250,000 dollars serious

I just finished reading Ellen Messmer’s NetworkWorld article titled “Microsoft Announces $250,000 Conficker Worm Bounty,” and well the title says it all. According to Messmer, Microsoft said:

“The money will be paid for information that results in the arrest and conviction of those responsible for illegally launching the Conficker malicious code on the Internet.”

Let’s recap

There are millions (really millions) of computers around the world that are infected with the Conficker worm. Each one programmed to dutifully connect and receive instructions from specified command and control servers. As far as the experts know, no successful communications have taken place. This is either due to the Conficker controllers not playing their hand yet or because the Stop-Conficker Coalition is preventing it. Now that we’re up to speed, I’d like to move on to what concerns me.

My concern

I took a long time getting here, but the subject is complicated. The first inclination I got that something didn’t feel right was when Messmer quoted a Microsoft spokesperson:

“Conficker is trying to download malware from these domains and it also uploads infection counts to these domains, but this is not a new trend. A large percentage of these domains are being blocked from being registered. Secondly, a number of the domains are being redirected toward “sinkhole” servers that are owned by trusted research partners around the world. Sinkhole servers allow researchers to observe the worm’s activity, according to Microsoft.”

The resolve of the Stop Conficker Coalition should be commended. Still, if I understand what’s happening, it doesn’t sit well with me. I realize that may sound counterintuitive being a total security nut, but please hear me out. I guess my concern is simple: Do private entities have the right to alter DNS query responses at their own discretion?

It seems that a precedent is being set here. Whether well intentioned or not, the term “mission creep” comes to mind. To me this is very similar to the ongoing and often-heated debate about network neutrality.

Opt in

On the surface it appears that OpenDNS and Kaspersky are using a different approach to fend off potential problems created by Conficker-infected computers. On Feb. 9, 2009, OpenDNS published the article “OpenDNS and Kaspersky Lab Team to Fight Massive Windows Conficker Worm, Give Network Admins Visibility into Malware Operating on Their Network.” The collaboration intends to prevent infected computers from communicating with command and control servers:

“Kaspersky Lab has taken steps to preemptively predict the domains that will be used in coming days by the virus, and is collaborating with OpenDNS by sharing the predicted domains. OpenDNS Botnet Protection then blocks the domains from resolving inside the OpenDNS service, for all OpenDNS users. Consequently, OpenDNS Botnet Protection prevents the virus from taking part in any further actions at the instruction of the virus author, and effectively prevents the virus from causing additional damage and alerts networking administrators of malware living on their network.”

I use OpenDNS and have referred it to countless people, especially when the Kaminsky bug became an issue. So you know how I feel about the company.

Still what OpenDNS and Kaspersky are attempting is kind of bothersome. Why you may ask? The new Conficker-fighting feature requires users to opt in, so what’s the problem. I’m not sure. I guess I’ll answer that with a question: How many people read every word of every EULA that they agree to?

Final thoughts

Until today, I’d thought only the bad guys were using DNS redirection as a method to divert our Web-site requests to Web sites of their choosing. Now it appears that the good guys are using DNS redirection as well, albeit with good intentions. So who decides when it’s OK to do this?

Still, I’m afraid I may be reading too much into this, which is why I’d really like to hear what you, the members, think.

Need help keeping systems connected and running at high efficiency? Delivered Monday and Wednesday, TechRepublic’s Network Administrator newsletter has the tips and tricks you need to better configure, support, and optimize your network. Automatically sign up today!