ABSTRACT
Conficker [26] is the most recent widespread, well-known worm/bot. According to several reports [16, 28], it has infected about 7 million to 15 million hosts, and the number of victims is still growing. In this paper, we analyze Conficker infections at a large scale, covering about 25 million victims, and study various aspects of this state-of-the-art malware. By analyzing Conficker, we aim to understand current and emerging trends in malware propagation, which can help predict future malware trends and provide insights for future malware defense. We observe that Conficker's victim distribution differs markedly from that of many previous-generation worms/botnets, suggesting that new malware spreading models and defense strategies are likely needed. Furthermore, we determine how well a reputation-based blacklisting approach performs when faced with new malware threats such as Conficker. We cross-check several DNS blacklists and IP/AS reputation data from DShield [6] and FIRE [7]. Unlike a previous study [18], which found that a blacklist-based approach can detect most bots, our evaluation shows that these reputation-based approaches performed relatively poorly against Conficker. This raises the question of how existing reputation-based techniques can be improved and complemented to prepare for future malware defense. Finally, we look into some insights for defenders. We show that neighborhood watch is a surprisingly effective approach in the Conficker case, which suggests that security alert sharing and correlation (particularly among neighboring networks) could be a promising approach and play a more important role in future malware defense.
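The two measurements the abstract contrasts, direct blacklist coverage of a set of infected hosts and the coverage obtained once a listing for one address is treated as a warning for its network neighbors, as an added illustration in Python. This is not the paper's code or data: the infected addresses and reputation-list entries below are constructed from documentation address ranges, and the operationalization of "neighborhood watch" as "some address in the same /24 (or another prefix) is listed" is an assumption about how such a check could be defined, not the paper's definition.

```python
from ipaddress import ip_network

# Constructed sample data (documentation ranges), not the paper's measurements.
INFECTED = [
    "198.51.100.10", "198.51.100.11", "198.51.100.12",  # three hosts in one /24
    "203.0.113.5", "203.0.113.200",                     # two hosts in another /24
    "192.0.2.77", "192.0.2.9", "192.0.2.130",           # a /24 with no listings at all
]
# Constructed reputation list (IP-level entries, as a DNSBL or DShield dump would give).
BLACKLIST = {"198.51.100.11", "203.0.113.5", "203.0.113.250"}


def prefix_of(ip, prefixlen):
    """Network containing ip at the given prefix length, e.g. 198.51.100.0/24."""
    return ip_network(f"{ip}/{prefixlen}", strict=False)


def blacklist_coverage(infected, blacklist):
    """Fraction of infected hosts that appear directly on the reputation list.
    This is the 'how many bots would the blacklist alone have flagged' figure."""
    direct_hits = sum(1 for ip in infected if ip in blacklist)
    return direct_hits / len(infected)


def listed_prefixes(blacklist, prefixlen):
    """Set of prefixes that contain at least one listed address."""
    return {prefix_of(ip, prefixlen) for ip in blacklist}


def neighborhood_coverage(infected, blacklist, prefixlen=24):
    """Fraction of infected hosts that are either listed themselves or share a
    /prefixlen with a listed address.  Assumed operationalization of
    'neighborhood watch': a listing anywhere in the prefix is treated as an
    alert for the whole neighborhood."""
    watched = listed_prefixes(blacklist, prefixlen)
    covered = sum(1 for ip in infected if prefix_of(ip, prefixlen) in watched)
    return covered / len(infected)


def uncovered_hosts(infected, blacklist, prefixlen=24):
    """Infected hosts that neither the list nor their neighborhood flags: these
    are the ones alert sharing from other sources would have to reach."""
    watched = listed_prefixes(blacklist, prefixlen)
    return [ip for ip in infected if prefix_of(ip, prefixlen) not in watched]


if __name__ == "__main__":
    print(f"direct blacklist coverage:   {blacklist_coverage(INFECTED, BLACKLIST):.3f}")
    for plen in (24, 16):
        print(f"neighborhood coverage (/{plen}): "
              f"{neighborhood_coverage(INFECTED, BLACKLIST, plen):.3f}")
    print("still uncovered:", uncovered_hosts(INFECTED, BLACKLIST))
```

On the constructed data the list alone flags 2 of 8 infected hosts, while treating a listing as a neighborhood alert raises coverage to 5 of 8; the hosts in 192.0.2.0/24 remain invisible to either approach, which is the gap that cross-network alert sharing would have to fill. Widening the prefix from /24 to /16 trades fewer misses for more collateral alerts on uninfected neighbors, so the prefix length is a tuning parameter rather than a fixed choice.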
REFERENCES
[1] M. Antonakakis, R. Perdisci, D. Dagon, W. Lee, and N. Feamster. Building a Dynamic Reputation System for DNS. In Proceedings of the USENIX Security Symposium, Aug. 2010.
[2] CAIDA. Conficker/Conflicker/Downadup as seen from the UCSD Network Telescope. http://www.caida.org/research/security/ms08-067/conficker.xml.
[3] E. Chien. Downadup: Attempts at Smart Network Scanning. http://www.symantec.com/connect/blogs/downadup-attempts-smart-network-scanning.
[4] DSHIELD. All suspicious Source IPs in DSHIELD. http://www.dshield.org/feeds/daily_sources.
[5] DNSBL. invaluement DNSBL (an anti-spam blacklist). http://dnsbl.invaluement.com/.
[6] DSHIELD. Cooperative Network Security Community. http://www.dshield.org/.
[7] FIRE. Finding Rogue Networks. http://maliciousnetworks.org/.
[8] Fortune. Fortune 100 companies. http://money.cnn.com/magazines/fortune/.
[9] G. Upton and I. Cook. Oxford Dictionary of Statistics (2nd edition). Oxford University Press, 2006.
[10] T. Holz, C. Gorecki, and F. Freiling. Detection and Mitigation of Fast-Flux Service Networks. In Proceedings of the NDSS Symposium, Feb. 2008.
[11] N. Ianelli and A. Hackworth. Botnets as a Vehicle for Online Crime. 2005.
[12] S. Krishnan and Y. Kim. Passive identification of Conficker nodes on the Internet. University of Minnesota Technical Document, 2009.
[13] J. Kristoff. Experiences with Conficker C Sinkhole Operation and Analysis. In Proceedings of the Australian Computer Emergency Response Team Conference, May 2009.
[14] D. Moore, V. Paxson, S. Savage, C. Shannon, S. Staniford, and N. Weaver. Inside the Slammer Worm. In Proceedings of IEEE Security and Privacy, May 2003.
[15] D. Moore, C. Shannon, and K. Claffy. Code-Red: a case study on the spread and victims of an Internet worm. In Proceedings of the ACM SIGCOMM Workshop on Internet Measurement, Nov. 2002.
[16] BBC News Online. Clock ticking on worm code. http://news.bbc.co.uk/2/hi/technology/7832652.stm.
[17] P. Porras, H. Saidi, and V. Yegneswaran. A Foray into Conficker's Logic and Rendezvous Points. In Proceedings of USENIX LEET, Apr. 2009.
[18] A. Ramachandran and N. Feamster. Understanding the Network-Level Behavior of Spammers. In Proceedings of ACM SIGCOMM, Sep. 2006.
[19] C. Shannon and D. Moore. The Spread of the Witty Worm. In Proceedings of IEEE Security and Privacy, May 2004.
[20] SORBS. Fighting spam by finding and listing Exploitable Servers. http://www.au.sorbs.net/.
[21] SpamCop. Spamcop.net. http://www.spamcop.net/.
[22] SPAMHAUS. The SPAMHAUS Project. http://www.spamhaus.org/.
[23] SRI International. An analysis of Conficker C. http://mtc.sri.com/Conficker/addendumC/.
[24] B. Stock, J. Goebel, M. Engelberth, F. C. Freiling, and T. Holz. Walowdac: Analysis of a Peer-to-Peer Botnet. In Proceedings of the European Conference on Computer Network Defense (EC2ND), Nov. 2009.
[25] B. Stone-Gross, M. Cova, L. Cavallaro, B. Gilbert, M. Szydlowski, R. Kemmerer, C. Kruegel, and G. Vigna. Your Botnet is My Botnet: Analysis of a Botnet Takeover. In Proceedings of ACM CCS, Nov. 2009.
[26] Microsoft Security TechCenter. Conficker worm. http://technet.microsoft.com/en-us/security/dd452420.aspx.
[27] Tmetric. Bandwidth Measurement Tool. http://mbacarella.blogspot.com/projects/tmetric/.
[28] UPI. Virus strikes 15 million PCs. http://www.upi.com/Top_News/2009/01/26/Virus-strikes-15-million-PCs/UPI-19421232924206/.
[29] Verisign. The Domain Name Industry Brief. http://www.verisign.com/domain-name-services/domain-information-center/domain-name-resources/domain-name-report-sept09.pdf.
[30] D. Watson. Know Your Enemy: Containing Conficker. http://www.honeynet.org/papers/conficker.
[31] Y. Xie, F. Yu, K. Achan, E. Gillum, M. Goldszmidt, and T. Wobber. How Dynamic are IP Addresses? In Proceedings of ACM SIGCOMM, Aug. 2007.
[32] Y. Xie, F. Yu, K. Achan, R. Panigrahy, G. Hulten, and I. Osipkov. Spamming Botnets: Signatures and Characteristics. In Proceedings of ACM SIGCOMM, Aug. 2008.