FYI...Joint Effort at Conficker Disruption
12 February 2009 - "Today Microsoft announced a cooperative effort that has been underway to actively disrupt and contain the Conficker worm outbreak. The Shadowserver Foundation is honored and pleased to be part of this effort which is truly the first of its type. This project brings together those organizations that can effect change at the domain level where the botnet traditionally anchors itself... If these domains can be identified, and have their DNS pointed to a friendly server instead of the C&C, you accomplish several good things. First, you've essentially crippled the botnet, and second you're now able to identify all the infected drones trying to connect to the C&C since they are now attempting connections to that friendly server. Shadowserver has employed various processes to identify the domain names, act as that friendly server, and enumerate the orphaned drones. We add this data to our freely distributed report process which notifies the appropriate network operators that there are infected machines on their network. In the case of Conficker/Downadup, we've actually been watching this for some time, and playing the role of a 'friendly' server for over a month... We at Shadowserver are very hopeful that this effort is foundational, one that will gain traction and attention from those organizations that can make a difference. The issue now is truly global. The botnet scourge is monumental. It requires worldwide coordination and cooperation among industry, government, and law enforcement. Working in silos and in isolation won't work any longer. As a non-profit, vendor-neutral organization, Shadowserver is committed to this effort and in working with other groups dedicated to improving the safety of the Internet..."
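The enumerate-and-notify step described in the quote above can be sketched as follows. This is an added example, not Shadowserver's code or report format: the log layout, the prefix-to-operator table, the contact addresses and the domain names are all constructed assumptions.

```python
import ipaddress
from collections import defaultdict

# Constructed sinkhole hits: timestamp, source IP, requested domain.
# Addresses are documentation/private ranges; domains are placeholders.
SAMPLE_LOG = """\
2009-02-12T10:00:01Z 192.0.2.10 placeholder-a.example
2009-02-12T10:00:05Z 192.0.2.10 placeholder-b.example
2009-02-12T10:01:17Z 198.51.100.7 placeholder-a.example
2009-02-12T10:02:40Z 203.0.113.99 placeholder-c.example
malformed line
2009-02-12T10:03:02Z 192.0.2.44 placeholder-a.example
2009-02-12T10:04:00Z 10.1.2.3 placeholder-a.example
"""

# Hypothetical prefix-to-operator table (a real feed would use routing/WHOIS data).
OPERATORS = {
    "192.0.2.0/24": "abuse@operator-one.example",
    "198.51.100.0/24": "abuse@operator-two.example",
}

def parse_hits(log_text):
    """Yield (timestamp, ip, domain) for each well-formed line; skip the rest."""
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        ts, ip_text, domain = parts
        try:
            ip = ipaddress.ip_address(ip_text)
        except ValueError:
            continue
        yield ts, ip, domain

def build_reports(log_text, operators=OPERATORS):
    """Group unique source IPs by responsible operator, with hit count and last seen."""
    nets = [(ipaddress.ip_network(p), contact) for p, contact in operators.items()]
    reports = defaultdict(dict)
    for ts, ip, _domain in parse_hits(log_text):
        contact = next((c for n, c in nets if ip in n), "unattributed")
        entry = reports[contact].setdefault(str(ip), {"hits": 0, "last_seen": ts})
        entry["hits"] += 1
        entry["last_seen"] = max(entry["last_seen"], ts)
    return {contact: dict(hosts) for contact, hosts in reports.items()}

if __name__ == "__main__":
    for contact, hosts in sorted(build_reports(SAMPLE_LOG).items()):
        print(contact)
        for ip, info in sorted(hosts.items()):
            print(f"  {ip}  hits={info['hits']}  last_seen={info['last_seen']}")
```

A single source address can stand for many machines behind NAT, so the per-operator counts are a lower bound on infected hosts.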
Feb. 12, 2009
02-12-2009 Symantec Security Intel Analysis Team
February 12, 2009 (Computerworld)
Third party information on conficker
Last Updated: 2009-02-13 06:45:53 UTC - "(This will be updated as more information becomes public)... Removal Instructions, Removal Tools..." etc.
February 13, 2009 - "Microsoft has announced that it has been working with various industry partners, Arbor Networks included, to thwart the use of the domain names generated by the Conficker worm to block the attacker from making updates to the worm. Sinkholes are being coordinated to identify infected hosts and to share the data with the necessary parties, as well. Analysis: This is an unprecedented move and should help keep the worm from growing into a larger problem. The worm continues to spread and the population has grown to as many as 12 million or more