Conficker – the “Fortunate 500”

Conficker

Conficker has been a double-edged sword for the industry. On one hand, it is a nasty “weapons grade” hijacking malware with nefarious consequences, ranging from a platform for crime to a threat to global telecoms, SCADA, and other critical infrastructure. On the other hand, it is an example of what cyber-civic society can do when cyber-citizens band together to tackle a major operational security problem. January 2010 will be the one-year mark of the Conficker Working Group. In that one year, Conficker infections have continued to grow (see graph). This is despite all of the remediation, patches, anti-virus signatures, and other techniques applied to fix the Conficker problem.

The inability to slow the growth of Conficker frustrates the volunteers battling it. It is a publicly visible demonstration of why some feel we are losing the cyber-security battle. It is also a good opportunity to try some new remediation techniques.

Shadowserver.org was asked by individual members of the Conficker Working Group to “re-format” some of the data it collects on Conficker. Our hypothesis was that if we pointed out specific hot spots of infection, broken down by BGP Autonomous System Number (ASN), we would get more focused attention. ASNs are the Internet’s equivalent of “national borders”: they are what distinguishes Service Provider A’s network from Service Provider B’s.

Shadowserver.org graciously responded and built a brand new report which lists the “Fortunate 500” ASNs with the most Conficker infections. The hope is that ASN owners, their customers, and other interested parties can use this data to measure their progress in remediating Conficker within their ASNs.

Shadowserver.org is not giving out the list of infected IP addresses. Those go only to the ASN owners. That report can be sent to a specific e-mail address the ASN owner selects (for example, the e-mail alias of a remediation task force designated to track down and remediate all the Conficker infections in the ASN). Added to this is Shadowserver’s breakthrough: graphs per ASN. These allow an ASN’s “Conficker Remediation Task Force” to visibly track its progress and report the results of its work to its leadership. This combination of public visibility, constituent empowerment, safeguarding of the specific IP addresses, detailed daily reports of the infected computers in the ASN, and graphs which visualize progress will, we hope, make a difference.
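The data shaping described above, as an added example that is not Shadowserver’s code: sinkhole sightings are mapped to their BGP origin ASN by longest-prefix match, the public ranking counts unique infected IPs per ASN, the per-ASN daily series is what a remediation task force would graph, and the per-ASN IP list is kept as a separate private output. The route table, ASNs (RFC 5398 documentation range) and sightings are constructed test data, not real routing or infection data.

```python
"""Aggregate sinkhole sightings of an infected host population by BGP origin
ASN and rank the hot spots, the way a "Fortunate 500" style report would.

Added example: not Shadowserver's code. The route table, ASNs (RFC 5398
documentation range) and sightings below are constructed test data.
"""
from collections import defaultdict
import ipaddress

# Constructed prefix -> origin ASN table. In practice this comes from a BGP
# routing table dump; a more-specific announced by another AS (the /25 below)
# must win, so lookups use longest-prefix match.
ROUTE_TABLE = [
    ("198.51.100.0/24", 64496),
    ("198.51.100.128/25", 64497),
    ("203.0.113.0/24", 64498),
    ("192.0.2.0/24", 64499),
]

# Constructed sinkhole log: (day, source IP of the host that contacted the
# sinkhole). One host can appear many times; counts below are unique IPs.
SIGHTINGS = [
    ("2009-12-01", "198.51.100.10"), ("2009-12-01", "198.51.100.20"),
    ("2009-12-01", "198.51.100.200"), ("2009-12-01", "203.0.113.5"),
    ("2009-12-01", "203.0.113.6"), ("2009-12-01", "203.0.113.7"),
    ("2009-12-01", "192.0.2.9"),
    ("2009-12-02", "198.51.100.10"), ("2009-12-02", "203.0.113.5"),
    ("2009-12-02", "203.0.113.6"), ("2009-12-02", "203.0.113.7"),
    ("2009-12-02", "203.0.113.8"), ("2009-12-02", "192.0.2.9"),
    ("2009-12-02", "10.0.0.1"),          # covered by no prefix: dropped
    ("2009-12-03", "203.0.113.5"), ("2009-12-03", "203.0.113.6"),
    ("2009-12-03", "198.51.100.200"),
]


def build_table(entries):
    """Parse prefixes and order them longest-prefix first for matching."""
    nets = [(ipaddress.ip_network(prefix), asn) for prefix, asn in entries]
    return sorted(nets, key=lambda item: item[0].prefixlen, reverse=True)


def origin_asn(ip, table):
    """Longest-prefix match of one address; None if nothing covers it."""
    addr = ipaddress.ip_address(ip)
    for net, asn in table:
        if addr in net:
            return asn
    return None


def hosts_by_asn(sightings, table):
    """Map ASN -> set of unique infected IPs seen in the whole window."""
    hosts = defaultdict(set)
    for _day, ip in sightings:
        asn = origin_asn(ip, table)
        if asn is not None:
            hosts[asn].add(ip)
    return hosts


def rank_asns(sightings, table, top_n=500):
    """The public list: (ASN, unique infected IPs), most infected first.
    Ties break on the lower ASN so the output is deterministic."""
    hosts = hosts_by_asn(sightings, table)
    ranked = sorted(hosts.items(), key=lambda kv: (-len(kv[1]), kv[0]))
    return [(asn, len(ips)) for asn, ips in ranked[:top_n]]


def daily_counts(sightings, table, asn):
    """Per-day unique hosts inside one ASN: the series a remediation task
    force would graph to show whether its number is shrinking."""
    per_day = defaultdict(set)
    for day, ip in sightings:
        if origin_asn(ip, table) == asn:
            per_day[day].add(ip)
    return [(day, len(per_day[day])) for day in sorted(per_day)]


def asn_report(sightings, table, asn):
    """The private per-ASN detail: the IP list that goes only to the ASN
    owner, never into the public ranking."""
    ips = {ip for _day, ip in sightings if origin_asn(ip, table) == asn}
    return sorted(ips, key=ipaddress.ip_address)


if __name__ == "__main__":
    table = build_table(ROUTE_TABLE)
    for asn, count in rank_asns(SIGHTINGS, table):
        print(f"AS{asn}: {count} infected hosts")
    print("AS64498 by day:", daily_counts(SIGHTINGS, table, 64498))
```

Two caveats a task force should keep in mind when reading such numbers: the counts are unique source IPs, so a NAT gateway collapses many infected hosts into one and DHCP churn can make the same host count several times across days, which is why the per-day series within one ASN is the trend to watch rather than the absolute figure; and the prefix-to-ASN mapping changes as routes are announced and withdrawn, so it must be re-resolved from a current routing table each day rather than cached.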

How do we know this will work? Back in 2003, Hank Nussbacher and I presented the results of a year’s effort doing something similar in the talk CIDR Police – Please Pull Over and Show Us Your BGP Announcements (NANOG 27). We used the weekly CIDR Report to contact each of the top 20 ASNs on the list of those contributing the most to the growth of the global route table. The results were simple. Action would only result if someone knocked on the ASN’s door and pointed out the problem. If no one knocked, no action. The report by itself did not influence the leadership of the ASN to take action. In fact, the leadership of the ASN (the people who run Service Providers) never see the weekly CIDR Report. They do see the bill from equipment vendors when they have to upgrade their routers to handle larger and larger global routing tables. But that CAPEX was never connected in their minds to the mitigation available to them: putting pressure on their peers to pay more attention to their BGP configurations. This disconnect between the “geeks” working the BGP configs and the ASN leadership who see the cost impact is what I see as the major oversight of the CIDR Police experiment.

Shadowserver’s work is hopeful because it takes “accountable leadership” into consideration. The graphs, daily reports, and tools give an ASN team the means to work the problem while expressing the issue to their leadership. At the same time, it presents public visualizations which will help the SP’s customers know whether they are connected to a network where Conficker is growing or shrinking.

Now it is time to spread the word, build ASN “Conficker Remediation Task Forces,” subscribe to Shadowserver’s “daily Conficker report,” and get to work.