Excellent article today about the Conficker Worm response team by William Jackson on GCN.com. According to the article, the Conficker Worm was the first network worm to show its face in about 4 years. Network worms had been thought to be somewhat extinct, but Conficker proved the experts wrong.
What stands out, though, is not that the experts were surprised by it, but the united response by experts from across the IT industry. More than two dozen companies came together and formed the Conficker Working Group. Groups from Internet registrars and universities worked side by side with the FBI and Homeland Security.
With such a group forming so quickly and effectively, people have taken notice. “I have never seen people come together like that before; I think it probably is a model we are going to have to adopt going forward,” said Dean Turner, director of Symantec’s Global Intelligence Network.
The group analyzed the worm and was amazed by its advanced design. This worm had command and control servers, and used encrypted communication channels. The working group knew they had a challenge on their hands. The group separated into teams dissecting the problem and went to work:
Working group members formed subgroups to cooperate on separate parts of the challenge. Symantec and Kaspersky Lab, for instance, worked on reverse-engineering the code and were able to break a domain-generation algorithm to obtain a list of names that would be used for command and control sites. That allowed names to be preemptively registered with registrars, reducing the worm’s options for communication.
What is impressive about this is how public companies and government came together and worked so effectively. I agree with Mr. Jackson that this should be used as a model for future collaboration. Relationships should be formalized, so that once a problem strikes, the teams are already in place to respond.
For the full article see GCN.com.