Conficker: Mission Accomplished

"Complete Success" (Patient Dead)

Between 2008 and 2010 the Conficker Working Group (CWG), a heterogeneous association of researchers in computer security, studied and fought against the eponymous malicious software worm. When that process got under way, in 2009 the US Department of Homeland Security's Science and Technology Directorate set up and funded a project designed to preserve a permanent record of the "Lessons Learned" - the hope being that a template could be discerned for subsequent application in similar situations.

The Rendon Group conducted that research, working independently, interviewing members of the CWG and constructing the definitive account of their experience and findings. Yesterday they published their report (PDF).

Among the successes of the CWG, this document highlights the "unprecedented act of coordination and collaboration" between organizations and individuals around the world, in both the public and private sectors. Academic researchers, domain registry operators, AV vendors, ICANN, and the blue hats at Microsoft, joined in a "very successful" effort to pre-register and otherwise block domains from being used to update the malware. Essentially they cut off the worm's author from communicating with the botnet.

Remediation of infected computers is generally regarded as one of the most disappointing outcomes of the study, with millions of Conficker A and B infections still active.

Recommendations

The report's recommendations list the following urgent requirements "if the cyber security community is to stay ahead of impending threats":

• private sector collaboration
• public-private information sharing
• support to law enforcement
• resources
• legislative reform
  

There is also much necessary detail on the thorny subject of how to manage such a group effort as it grows. What should the essential collaborative infrastructure look like? There appears to have been a consensus that "volunteers" should continue to do most of the work, with nobody wishing to exceed the figure of 4 or 5 paid, full time staff.

The report concludes that "The group as a whole saw little participation from the government. One person put it as zero involvement, zero activity, zero knowledge." Most tellingly, one interviewee remarked, "People put in hours of unpaid work on nights and weekends, often at the expense of their own free time or time with their family."

Today, at least eight working groups modelled on the CWG are busy tackling other threats. Some of these groups' efforts have already led to arrests. How long will commercial enterprise, banks, and credit card companies, continue to depend on such unpaid, idealistic armies of volunteers, to protect their profits from growing gangs of well-resourced and professionally organised thieves?