In an unprecedented international move, several Internet, antivirus and security-related organizations around the world have united to fight the Conficker/Downadup outbreak that is already being described as one of the worst worm outbreaks in history. The key players in the alliance are Microsoft, ICANN (the Internet Corporation for Assigned Names and Numbers, which administers the world's top-level domain names and IP address allocation), and other corporations including VeriSign, AOL, Symantec, F-Secure, Arbor Networks, the Shadowserver Foundation, Georgia Tech, and several DNS registrars. By sharing predictions of which domains the worm will try to contact, the companies hope to be able to cut off its source of updates and instructions.
In addition, Microsoft has announced a reward of US$250,000 for any information that results in the arrest and conviction of those responsible for spreading the code, which the corporation has labeled a criminal attack. The reward applies to anyone anywhere, since the worm has affected Internet users around the world.
OpenDNS and Kaspersky: Another alliance aimed at combating Conficker was announced by OpenDNS and Kaspersky, who believe that system administrators need to be more aware of how malware is spreading on their networks. OpenDNS is a web infrastructure service that processes, and can optimize and filter, web requests from individual computers or large corporations.
Using the same pseudo-random strings to predict the domain names that the worm will try to contact, the companies can attempt to block the worm from contacting its creators and spreading. Network administrators will also be alerted about machines on their networks which have become infected and have started contacting these domains.
About Conficker: The worm, also known as Downadup and Kido, has already infected over 50 million PCs worldwide, with over 1.1 million new infections detected in a single day in January by security vendor F-Secure. The original Conficker.A worm and its more virulent variant Conficker.B spread through a critical vulnerability in the Windows Server service, now known as MS08-067.
Infected computers contact 250 pseudorandomly generated domain names each day to check for updates and to download updates to itself. The attackers who spread the code know how the pseudo-random name generator works, and can register any domain name in anticipation of a day on which infected PCs will try to contact it.
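The defensive side of the daily domain list described above, as an added example that is not part of the original post: a small detector that rebuilds the predicted list for each day seen in a DNS query log and flags internal hosts that resolved several of those names. The `predicted_domains` function is a constructed stand-in for the worm's generator (the post does not give the real algorithm); the log format and the 10.0.0.x hosts are likewise constructed.

```python
import hashlib
from collections import defaultdict
from datetime import date


def predicted_domains(day, count=250):
    """Constructed stand-in for the worm's daily list. NOT Conficker's real
    algorithm; it only reproduces the property defenders rely on: the set of
    names is a deterministic function of the calendar date."""
    names = set()
    for i in range(count):
        digest = hashlib.sha256(f"{day.isoformat()}:{i}".encode()).digest()
        label = "".join(chr(ord("a") + b % 26) for b in digest[:8])
        names.add(label + ".example")
    return names


def parse_dns_line(line):
    # Constructed log format: "<ISO timestamp> <client ip> <queried name>"
    ts, client, qname = line.split()
    return date.fromisoformat(ts[:10]), client, qname.lower().rstrip(".")


def flag_infected_hosts(lines, min_hits=3):
    """Return {client_ip: sorted matched names} for hosts that queried at
    least min_hits names from the list predicted for the day of the query."""
    lists_by_day = {}
    hits = defaultdict(set)
    for line in lines:
        day, client, qname = parse_dns_line(line)
        if day not in lists_by_day:
            lists_by_day[day] = predicted_domains(day)
        if qname in lists_by_day[day]:
            hits[client].add(qname)
    return {c: sorted(d) for c, d in hits.items() if len(d) >= min_hits}


# Constructed sample DNS query log for one day (not real traffic).
DAY = date(2009, 1, 20)
_today = sorted(predicted_domains(DAY))
_yesterday = sorted(predicted_domains(date(2009, 1, 19)))
SAMPLE_LOG = [
    f"2009-01-20T09:01:11 10.0.0.7 {_today[0]}",
    f"2009-01-20T09:01:12 10.0.0.7 {_today[1]}",
    f"2009-01-20T09:01:13 10.0.0.7 {_today[2]}",
    "2009-01-20T09:02:00 10.0.0.8 update.microsoft.com",  # benign lookup
    f"2009-01-20T09:03:00 10.0.0.9 {_yesterday[0]}",      # yesterday's name: not matched today
    f"2009-01-20T09:03:01 10.0.0.9 {_today[5]}",          # one hit only, below threshold
]

if __name__ == "__main__":
    for host, names in flag_infected_hosts(SAMPLE_LOG).items():
        print(host, "queried", len(names), "predicted names:", names)
```

The threshold keeps a single coincidental lookup from raising an alert; the real signal is a host walking through many names from the same day's list.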
Infected machines are unable to access the websites of most antivirus and security vendors, and cannot download updates for their security software. Windows Update is also blocked. The worm then attempts to modify system files and the Windows registry in order to propagate and ensure its components are running on each boot, before creating autorun.inf files in every shared folder and removable device.
The worm spreads through removable media by exploiting the Windows Autorun feature, and can also propagate across a local network by probing network shares and generating random IP addresses in the same range as the host, along with trying brute-force password cracks using a set of extremely common and weak passwords, which has the side effect of locking users out of their own PCs after multiple failed attempts.
Despite Microsoft releasing an unscheduled emergency patch for the vulnerability, the worm continues to infect millions of PCs. Symantec statistics show that the majority of infections are on Windows XP SP2/SP3 computers, but a large percentage are on computers running XP SP1 or lower. These machines are almost certainly not using Windows Update, and are therefore unpatched.