Page 1
Conficker Update
John Crain
Page 2
What is Conficker?
• An Internet worm
Malicious code that is self-replicating and distributed over a network
• A blended threat
Uses various methods to spread the infection (network file shares, mapped drives, removable media)
• A Dynamic Link Library
Conficker is not an executable but “additional code” that an executable already on a computer must load
Page 3
What is the Conficker botnet?
• An army that can be directed at will by rendezvous points to support a wide range of malicious, criminal or terrorist activities for as long as the computer remains infected and as long as the bots can remotely communicate with the rendezvous point(s)
Page 4
Infections?
Source: http://www.confickerworkinggroup.org
Page 5
ccTLDs used by Conficker
Page 6
Is Conficker still active? Despite best efforts, infected machines still number in the many millions!
Could DNS still be used as a rendezvous? Yes, however peer-to-peer and other mechanisms are being used for updates.
Should we still block and “sinkhole”? Yes, at a minimum the sink-holing gives those attempting to tackle Conficker insight into the infection and helps with ongoing clean-up.
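The "insight into the infection" that sinkholing gives is simply what the sinkhole's DNS log shows: which hosts are still asking for rendezvous names, and in which TLDs. The following is an added example, not from the deck or the Conficker Working Group; the log format and every IP and name in it are constructed, and the counts are a lower bound for the reasons noted in the comments.

```python
# Added example: summarise a constructed DNS sinkhole log to get the
# "insight into the infection" the slide refers to. Log format is assumed.
import re
from collections import defaultdict

# Constructed sample: "<date> <time> <client-ip> <queried-name> <rcode>"
SAMPLE_LOG = """\
2010-03-01 00:00:01 198.51.100.7 abcdefgh.ws NOERROR
2010-03-01 00:00:02 198.51.100.7 abcdefgh.ws NOERROR
2010-03-01 00:00:05 203.0.113.9 qwertyui.cn NOERROR
2010-03-01 00:01:10 192.0.2.44 zxcvbnma.ws NOERROR
2010-03-02 00:00:03 198.51.100.7 lkjhgfds.cn NOERROR
2010-03-02 00:00:09 192.0.2.44 poiuytre.ws NOERROR
2010-03-02 00:00:11 203.0.113.9 mnbvcxzl.to NOERROR
not a log line
"""

LINE_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) \S+ (?P<client>\d+\.\d+\.\d+\.\d+) "
    r"(?P<qname>[a-z0-9.-]+) (?P<rcode>\S+)$"
)

def parse_sinkhole_log(text):
    """Yield (date, client_ip, qname) for each well-formed line; skip junk."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.group("date"), m.group("client"), m.group("qname")

def infected_hosts_per_day(text):
    """Distinct querying IPs per day. A host asking for many rendezvous names
    counts once. NAT hides hosts behind one IP, and the peer-to-peer update
    path never touches DNS, so this is a lower bound on infections."""
    seen = defaultdict(set)
    for date, client, _ in parse_sinkhole_log(text):
        seen[date].add(client)
    return {d: len(ips) for d, ips in sorted(seen.items())}

def queries_by_tld(text):
    """Sinkholed queries per top-level domain: the 'ccTLDs used' view."""
    counts = defaultdict(int)
    for _, _, qname in parse_sinkhole_log(text):
        counts[qname.rsplit(".", 1)[-1]] += 1
    return dict(counts)

if __name__ == "__main__":
    print(infected_hosts_per_day(SAMPLE_LOG))  # {'2010-03-01': 3, '2010-03-02': 3}
    print(queries_by_tld(SAMPLE_LOG))          # {'ws': 4, 'cn': 2, 'to': 1}
```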
Page 7
Global DNSCERT
Business case for collaboration in security
Page 8
Background
• Growing risks to DNS security and resiliency
Emergence of Conficker
Growing number of domain hijacking cases
• Community calls for systemic DNS security planning and response
• ICANN commitments under Affirmation of Commitments
• Initiatives called for in ICANN 2010-2013 Strategic Plan
Page 9
Objectives of threats to DNS
• Politically-motivated disruption of DNS
• Desire for financial gain
• Demonstration of technical superiority
• Gratuitous defacement or damage
Source: 2009 Information Technology Sector Baseline Risk Assessment, US Dept of Homeland Security
Page 10
Potential impacts
• Long lasting damage to “Trust” in system
• Significant and lasting economic harm
• Is the Internet as we know it at Risk from malicious behavior?
Page 11
Lessons learned
• Conficker (’08- )
DNS played a role in slowing Conficker
Complex interactions with DNS community
Resource-intensive response activity
• Conficker WG noted need for a dedicated incident response capability
Page 12
Lessons learned
• Protocol vulnerability (’08)
Fast response, but
Predicated on ability to find “key people”
• A coordination center would have improved situational awareness
Diagram of cache poisoning attack
Page 13
Lessons learned
• Avalanche (’08- )
Targets financial sector
Exploits the limited resources of registrars
Trend continues upward
• Complex coordination requires dedicated team
Page 14
http://www.icann.org/en/topics/ssr/dns-cert-business-case-10feb10-en.pdf
Maybe a DNS-CERT?
Page 15
Mission of DNS CERT
“Ensure DNS operators and supporting organizations have a security coordination center with sufficient expertise and resources to enable timely and efficient response to threats to the security, stability and resiliency of the DNS”
Page 16
Goals
• Validate need for standing collaborative response capability to address systemic threats/risks
Full-time/global; coordinate existing capabilities; serve all stakeholders especially less resourced operators
• Operational focus determined in engagement with stakeholders and leveraging existing efforts
Fostering situational awareness; incident response assistance/coordination;
Page 17
Stakeholders by role
Page 18
Participation and feedback
• DNS CERT must respond to constituency needs
• Participation by key constituents
Adds capability to CERT
Extends its geographic reach
Helps keep focus on constituency needs
Page 19
Resource requirements
• $4M initial annual budget
• 12 technical staff (3 technical resources x 4 global regions)
• 3 overhead staff (covering legal, administration & finance)
• Operations support, travel and facilities
Page 20
Open questions include:
• Where should it be housed?
• What is best model?
• How should it be funded?
• Etc. etc.
Page 21
Way Forward
• This is a “proposal” we need feedback!
• Seek community feedback
Session scheduled for Nairobi meeting
Email [email protected] with comments