research-article

Conficker and beyond: a large-scale empirical study

Authors:
Seungwon Shin

Texas A&M University, College Station, Texas

Texas A&M University, College Station, Texas
View Profile

,
Guofei Gu

Texas A&M University, College Station, Texas

Texas A&M University, College Station, Texas
View Profile

ACSAC '10: Proceedings of the 26th Annual Computer Security Applications ConferenceDecember 2010Pages 151–160https://doi.org/10.1145/1920261.1920285

Published:06 December 2010Publication History

ACSAC '10: Proceedings of the 26th Annual Computer Security Applications Conference

Pages 151–160

ABSTRACT

Conficker [26] is the most recent widespread, well-known worm/bot. According to several reports [16, 28], it has infected about 7 million to 15 million hosts and the victims are still increasing even now. In this paper, we analyze Conficker infections at a large scale, including about 25 millions victims, and study various interesting aspects about this state-of-the-art malware. By analyzing Conficker, we intend to understand current and new trends in malware propagation, which could be very helpful in predicting future malware trends and providing insights for future malware defense. We observe that Conficker has some very different victim distribution patterns compared to many previous generation worms/botnets, suggesting that new malware spreading models and defense strategies are likely needed. Furthermore, we intend to determine how well a reputation-based blacklisting approach can perform when faced with new malware threats such as Conficker. We cross-check several DNS blacklists and IP/AS reputation data from Dshield [6] and FIRE [7], and our evaluation shows that unlike a previous study [18] which shows that a blacklist-based approach can detect most bots, these reputation-based approaches did relatively poorly for Conficker. This raised the question, how can we improve and complement existing reputation-based techniques to prepare for future malware defense? Finally, we look into some insights for defenders. We show that neighborhood watch is a surprisingly effective approach in the Conficker case. This suggests that security alert sharing/correlation (particularly among neighborhood networks) could be a promising approach and play a more important role for future malware defense.

References

M. Antonakakis, R. Perdisci, D. Dagon, W. Lee, and N. Feamster. Building a Dynamic Reputation System for DNS. In Proceedings of USENIX Security of Symposium, Aug. 2010. Google ScholarDigital Library
CAIDA. Conficker/Conflicker/Downadup as seen from the UCSD Network Telescope. http://www.caida.org/research/security/ms08-067/conficker.xml.Google Scholar
E. Chien. Downadup: Attempts at Smart Network Scanning. http://www.symantec.com/connect/blogs/downadup-attempts-smart-network-scanning.Google Scholar
DHIELD. All suspicious Source IPs in DSHIELD. http://www.dshield.org/feeds/daily_sources.Google Scholar
DNSBL. invaluement DNSBL (an anti-spam blacklist). http://dnsbl.invaluement.com/.Google Scholar
DSHIELD. Cooperative Network Security Community. http://www.dshield.org/.Google Scholar
FIRE. Finding Rogue Networks. http://maliciousnetworks.org/.Google Scholar
Fortune. Fortune 100 companies. http://money.cnn.com/magazines/fortune/.Google Scholar
U. G. and C. I. Oxford Dictionary of Statistics (2nd edition). Oxford University Press, 2006.Google Scholar
T. Holz, C. Gorecki, and F. Freiling. Detection and Mitigation of Fast-Flux Service Networks. In Proceedings of NDSS Symposium, Feb. 2008.Google Scholar
N. Ianelli and A. Hackworth. Botnets as a Vehicle for Online Crime. 2005.Google Scholar
S. Krishnan and Y. Kim. Passive identification of Conficker nodes on the Internet. In University of Minnesota - Technical Document, 2009.Google Scholar
J. Kristoff. Experiences with Conficker C Sinkhole Operation and Analysis. In Proceedings of Australian Computer Emergency Response Team Conference, May 2009.Google Scholar
D. Moore, V. Paxson, S. Savage, C. Shannon, S. Staniford, and N. Weaver. Inside the Slammer Worm. In Proceedings of IEEE Security and Privacy, May 2003. Google ScholarDigital Library
D. Moore, C. Shannon, and K. Calffy. Code-red: a case study on the spread and victims of an internet worm. In Proceedings of ACM SIGCOMM Workshop on Internet Measurement, Nov. 2002. Google ScholarDigital Library
B. N. Online. Clock ticking on worm code. http://news.bbc.co.uk/2/hi/technology/7832652.stm.Google Scholar
P. Porras, H. Saidi, and V. Yegneswaran. A Foray into Conficker's Logic and Rendezvous Points. In Proceedings of USENIX LEET, Apr. 2009. Google ScholarDigital Library
A. Ramachandran and N. Feamster. Understanding the Network-Level Behavior of Spammers. In Proceedings of ACM SIGCOMM, Sep. 2006. Google ScholarDigital Library
C. Shannon and D. Moore. The Spread of the Witty Worm. In Proceedings of IEEE Security and Privacy, May 2004. Google ScholarDigital Library
SORBS. Fighting spam by finding and listing Exploitable Servers. http://www.au.sorbs.net/.Google Scholar
SPAMHAUS. Spamcop.net. http://www.spamcop.net/.Google Scholar
SPAMHAUS. The SPAMHAUS Project. http://www.spamhaus.org/.Google Scholar
SRI-International. An analysis of Conficker C. http://mtc.sri.com/Conficker/addendumC/.Google Scholar
B. Stock, M. E. Jan Goebel, F. C. Freiling, and T. Holz. Walowdac Analysis of a Peer-to-Peer Botnet. In Proceedings of European Conference on Computer Network Defense (EC2ND), Nov. 2009. Google ScholarDigital Library
B. Stone-Gross, M. Cova, L. Cavallaro, B. Gilbert, M. Szydlowski, R. Kemmerer, C. Kruegel, and G. Vigna. Your Botnet is My Botnet: Analysis of a Botnet Takeover. In Proceedings of ACM CCS, Nov. 2009. Google ScholarDigital Library
M. S. Techcenter. Conficker worm. http://technet.microsoft.com/en-us/security/dd452420.aspx.Google Scholar
Tmetric. Bandwidth Measurement Tool. http://mbacarella.blogspot.com/projects/tmetric/.Google Scholar
UPI. Virus strikes 15 million PCs. http://www.upi.com/Top_News/2009/01/26/Virus-strikes-15-million-PCs/UPI-19421232924206/.Google Scholar
Verisign. The Domain Name Industry Brief. http://www.verisign.com/domain-name-services/domain-information-center/domain-name-resources/domain-name-report-sept09.pdf.Google Scholar
D. Watson. Know Your Enemy: Containing Conficker. http://www.honeynet.org/papers/conficker.Google Scholar
Y. Xie, F. Yu, K. Achan, E. Gillum, M. Goldzmidt, and T. Wobber. How Dynamic are IP Addresses? In Proceedings of ACM SIGCOMM, Aug. 2007. Google ScholarDigital Library
Y. Xie, F. Yu, K. Achan, R. Panigraphy, G. Hulte, and I. Osipkov. Spamming Botnets: Signatures and Characteristics. In Proceedings of ACM SIGCOMM, Aug. 2008. Google ScholarDigital Library

Index Terms

Conficker and beyond: a large-scale empirical study

Recommendations

A Large-Scale Empirical Study of Conficker

Conficker is the most recent widespread, well-known worm/bot. According to several reports, it has infected about 7 million to 15 million hosts and the victims are still increasing even now. In this paper, we analyze Conficker infections at a large ...
Read More
On the Trail of the Conficker Worm

The recent Conficker worm has garnered considerable attention by infecting millions of machines and having the potential to cause many problems.

Read More
Conficker: Lessons in Secure Software and System Design

The Conficker worm is one of the most sophisticated malware programs ever created. Each new version of the worm included additional methods of propagation, detection avoidance, and self-defense. This article examines useful practices employed by the ...
Read More

Comments

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Publication

Published in
ACSAC '10: Proceedings of the 26th Annual Computer Security Applications Conference
December 2010
419 pages
ISBN:9781450301336
DOI:10.1145/1920261
Conference Chair:
Carrie Gates
CA Labs
,
Program Chairs:
Michael Franz
University of California, Irvine
,
John McDermott
Naval Research Lab
Copyright © 2010 ACM
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]
Sponsors
In-Cooperation
Publisher
Association for Computing Machinery
New York, NY, United States
Publication History
- Published: 6 December 2010
Permissions
Request permissions about this article.
Request Permissions

Check for updates
Qualifiers
- research-article
Conference

Acceptance Rates
Overall Acceptance Rate104of497submissions,21%
Funding Sources
Other Metrics
View Article Metrics

Article Metrics
- 62
  Total Citations
  View Citations
- 875
  Total Downloads
- Downloads (Last 12 months)61
- Downloads (Last 6 weeks)11
Other Metrics
View Author Metrics
Cited By
View all

PDF Format

View or Download as a PDF file.

PDF

eReader

View online with eReader.

eReader

Conficker and beyond: a large-scale empirical study

ACSAC '10: Proceedings of the 26th Annual Computer Security Applications Conference

ABSTRACT

References

Cited By

Index Terms

Recommendations

A Large-Scale Empirical Study of Conficker

On the Trail of the Conficker Worm

Conficker: Lessons in Secure Software and System Design