After one year Conficker botnet was front-page news over all worlds, U.S. Department of Homeland Security is preparing report searching the universal attempt to keep it in check. The report, to be available in month, shows how ad hoc group of safety researchers and Internet infrastructure providers banded together into organization they called Conficker Working Group. Its aim was to address what was at time world's severe cyber threat.

"We said, 'This was good example of private sector, worldwide, functioning together to try to solve cyber safety attack, so let's fund making of lessons-learned report to document what worked, what didn't work,'" said Douglas Maughan, program manager with Department of Homeland Security's Science & Technology Directorate. The report give template for future cyber-responses, security experts say. Conficker started spreading in November 2008, infecting PCs by range of means like attack exploiting known fault in MS Windows.

Security researchers examine malware recognize that botnet utilized algorithm to compute Internet domain where it search instructions every day. Working with Internet Corporation for Assigned Names and Numbers (ICANN) and domain name registrars, they started blocking these domains in advance, avoiding Conficker's creators from attaching to hacked PCs.

"Conficker truly was decisive event for safety community," said Rodney Joffe, senior technologist with Internet infrastructure service provider Neustar and a member of the working group. When he got a call Dec. 7 from Chris Davis, CEO of Ottawa-based security consultancy Defense Intelligence, Joffe suggested they use the same type of model to take down a new botnet, known as Mariposa. "Six weeks later there were actual arrests," Joffe said. "From our point of view, it's one of the best validations of the model."

"Anybody was there in worldwide Internet infrastructure was involved," he said. "They got players to table and make out working relationships." Group divided itself, with DNS, sinkhole, and malware analysis subgroups. For a while there public discussion of group's tactics, but that stopped when it became clear that criminals listening in. Though Working Group is no longer as active as it in early days, it meets for weekly conference calls, Joffe said. "There is ongoing effort to recognize people behind and attempt to find mechanism to help remediate it."

Conficker Working Group model must be improved further, said Rick Wesson, CEO of Support Intelligence and other member of group. "We as nation would be stronger if we had formalized, private sector group that did things like Conficker Working Group did."