Net coverage
Cablecos Continue to Gain Telecom Market Share; Now at 15% and Growing
In a report released today by the research group TeleGeography, executive director John Dinsdale says, "traditional telcos have been losing substantial market share while leading cablecos have succeeded in transforming their businesses to the point where almost 40% of their revenues now come from telecoms. Comcast, Time Warner Cable and Liberty Global all now feature in the top 15 ranking of broadband internet service providers, and telecoms remains an engine for growth for many cablecos around the world."
According to the report, in the first half of 2009 broadband Internet and telephony services generated over USD30 billion for cable companies around the world. "The sales were derived from a customer base that includes 82 million broadband internet subscribers and 49 million telephony subscribers. The revenue figure may seem relatively small compared to a global wireline services market of well over USD700 billion per year, but cablecos' telecoms revenues have grown 28% per annum since 2003, while the aggregate wireline market has grown at just 4% annually."
More under: Access Providers, Broadband, IPTV, Telecom, VoIP
Video: Engineers in Washington Discuss How Pending US Regulations Could Impact the Internet
"What Will the Internet of the Future Look Like?" was the subject of a panel discussion held this week in Washington, DC, organized by the Information Technology & Innovation Foundation (ITIF). The discussion was aimed at examining pending Internet regulations in the U.S. and their impact on packet discrimination, traffic shaping, network management, and carrier business models. The panel, moderated by Robert Atkinson, included Richard Bennett, Dr. David Farber, Charles Jackson, and Jon Peha. Further details, as well as video and audio recordings of the event, are available here.
More under: Access Providers, Broadband, Cloud Computing, Net Neutrality, P2P, Policy & Regulation, Telecom, Wireless
Seoul meeting briefing note
Briefing Note – Overall Summary of the Seoul Meeting
What was it?
ICANN’s 36th international public meeting was the last of the three held annually to conduct policy development and outreach. It was hosted by ICANN (the Internet Corporation for Assigned Names and Numbers) and KISA (Korea Internet & Security Agency), a public agency that plays a major role in developing and researching the Internet in Korea.
The meeting was opened by three local dignitaries: Mr. See Joong Choi, chairman of the Korea Communications Commission; Mr. Heung Kil Ko, Senator and Chairman of the Culture, Sports, and Tourism, Broadcasting and Communications Committee of the National Assembly; and Ms. Hee Jung Kim, president of KISA.
Mr. See Joong Choi spoke about how the Internet was 40 years old, and the impact it has had in that time. He talked about how important IP addresses were as assets for the future and that they become a common resource for all. And he welcomed the introduction of IDNs as paving a “new way toward the future”.
Mr. Heung Kil Ko spoke about how Korea was a leader in the knowledge and information society, with 77.6 percent of its citizens online. He spoke of the importance of an efficiently and stably managed IP address system, as well as dealing with security threats such as hacking and phishing. The conference would hopefully lead to close ties between ICANN and Korea, he added.
Ms. Hee Jung Kim also heralded the introduction of IDNs, and welcomed a recent change in the agreement that ICANN has with the United States government as strengthening the autonomy of the IP addressing system.
There were 1,207 attendees at the conference from 111 different countries. The participants engaged in a wide range of discussions about the Internet’s domain name system and related issues.
Further information about the meeting, including presentations and transcripts, is available at http://sel.icann.org.
ICANN’s next international public meeting will take place in Nairobi, Kenya beginning on 7 March 2010.
What happened and what are the next steps?
Many meetings, workshops, public forums and informal discussions were held over seven days by the different stakeholders of the ICANN model:
- Business interests
- Civil society – including the At-Large Summit of individual Internet user representatives
- Governments and government agencies
- Internet service providers
- Registrants
- Registrars
- Registries
- The technical community
Several key issues and themes evolved over the course of the meeting. They are summarized below.
Internationalized Domain Names (IDNs)
WHAT HAPPENED: The most significant progress at the Seoul meeting was the approval of the “fast track”, which will see a limited number of internationalized domain names introduced to the Internet’s root possibly before the end of the year. To celebrate the occasion, a special evening reception was held on the Monday.
The fast track was formally approved by the Board on Friday, and although there remain concerns about their introduction, the Chairman noted it as an historic achievement and the vote was met with a standing ovation by the audience. Dozens of press articles from across the world also recognized the event.
For the first time, Internet users who speak languages other than Western ones will be able to represent an entire Internet address in their own language.
NEXT STEPS: Applications to the fast track will open on 16 November.
MORE INFORMATION:
Official announcement of the approval: http://www.icann.org/en/announcements/announcement-30oct09-en.htm
Fast track webpage:
http://www.icann.org/en/topics/idn/fast-track/
New gTLDs
WHAT HAPPENED: The third version of the Applicant Guidebook, as well as a range of other papers and explanatory memoranda, was produced for discussion at the meeting. A main session on the program was held on the Monday.
In particular, additional work was done on the “overarching issues” that need to be addressed before the introduction of new top-level domains (see below for more specific information).
ICANN staff revised the expected opening date for new gTLD applications. Instead of giving a date or quarter, the launch date will depend on community efforts to find solutions to the overarching issues. This approach prompted some in the community to argue that ICANN needed to demonstrate its commitment to the process.
The result at the end of the week was a compromise solution, approved in a Board resolution, that asked staff to look into how to introduce a system for allowing “expressions of interest” to be shown in new gTLDs. That process may allow for likely demand to be gauged and provide useful data to move some discussions from theoretical to pragmatic.
The Applicant Guidebook is out to public comment until 22 November.
Trademark Protection
The issue of how to protect trademarks in the event of a massive expansion in the domain name space continued to be an issue of much debate. A special session was held on the Wednesday to discuss the issue.
Following public comment on a report produced for the previous meeting in Sydney (the IRT report), possible solutions to the issue were reduced from four to two in a staff paper released prior to the meeting. Those solutions are: the creation of an IP Clearinghouse, or database of validated trademarks; and a Uniform Rapid Suspension process for use in clear-cut cases of trademark infringement.
That paper has been put to the GNSO for review.
Malicious Conduct
Two sessions on Monday afternoon addressed the concern that a large expansion of the domain name space will present new opportunities for abuse of the DNS, such as phishing, malware, the distribution of illegal content, and so on.
The broad concern is that with a large number of new companies entering the domain name market – both registries and registrars – that there will not be sufficient awareness of the problems of dealing with the criminal element online.
Summaries of the input received so far on this issue as well as a report by ICANN staff with proposed mitigation measures were posted for review prior to the meeting and a panel discussion dug further into both.
Security and Stability
A session on Wednesday focused on a report that reviewed how the Internet’s current systems could scale to accommodate new Internet extensions, as well as other security-related issues such as the introduction of a more secure form of the current system, called DNSSEC.
Broadly, there are some concerns that if a large number of extensions were introduced to the Internet at the same time, the systems currently in place would not be able to cope.
There was some discussion about whether the report effectively recommended that new gTLDs would need to be delayed or spread out over time, although there was no agreement on that point and it remains for ICANN’s Advisory Committees in this area (RSSAC and SSAC) to review the report, public comments on the issue and report back to the community.
The root scaling report is out for public comment until 29 November.
Demand and Economic Analysis
Further economic analysis will be commissioned by ICANN in order to address outstanding concerns raised following review of the two previous economic studies.
NEXT STEPS: Feedback from the meeting, as well as comments sent to comment periods covering the third version of the Applicant Guidebook and papers related to the overarching issues, will be used to produce a fourth version of the guidebook for the Nairobi meeting in March.
Staff will review the possibility of introducing a system where potential gTLD applicants are able to provide “expressions of interest” in new Internet extensions in order to help the work move forward more effectively.
MORE INFORMATION:
The new gTLD program webpage contains the latest information as well as extensive background information on the whole process: http://www.icann.org/en/topics/new-gtld-program.htm
Root scaling study session:
http://sel.icann.org/node/7084
Trademark Protection session: http://sel.icann.org/node/7116
Malicious Conduct and new gTLDs session:
http://sel.icann.org/node/7117
Malicious Conduct and Consumer Protection:
http://sel.icann.org/node/7288
Registry/registrar separation session:
http://sel.icann.org/node/7083
New gTLD update session:
http://sel.icann.org/node/6739
Strategic Planning
WHAT HAPPENED: ICANN’s first strategic planning session for 2010 was held on Wednesday morning.
The strategic plan is the process by which the organization’s priorities are mapped out, feedback is received from the community, and all the input is pulled into an Operating Plan, from which the organization’s budget is decided and allocated.
The session was more interactive than in previous years, with an online survey asking people to rank the importance of various areas of work, e.g. implementing new gTLDs, strengthening accountability, etc.
The plan recognized four main areas of focus for ICANN: preserve DNS stability and security; promote competition, trust and consumer choice; excel in IANA and other core operations; maintain ICANN’s long-term role in the Internet ecosystem. Within these, no fewer than 18 projects were highlighted as strategic priorities over the next three years.
NEXT STEPS: A draft plan will be drawn up based on community feedback and provided to the Board for review. The plan will then be put out to public comment in early December, with the second set of feedback used to draw up a revised plan to be put before the Board for approval in February 2010.
MORE INFORMATION:
Strategic plan session: http://sel.icann.org/node/7103
Online survey: http://www.surveymonkey.com/s.aspx?sm=Auve9xOKvl0YbWhg1NLKmA_3d_3d
Affirmation of Commitments
WHAT HAPPENED: The Joint Project Agreement (JPA) that ICANN had with the US government concluded in September and was replaced by an Affirmation of Commitments.
Under that Affirmation, ICANN becomes accountable to the global Internet community and a series of reviews are outlined that help ensure a high degree of public, global accountability.
A special session was held on the Wednesday afternoon where the Chairman and CEO took questions about the Affirmation and also outlined a path forward for carrying out the reviews.
The Affirmation was also given an hour-long slot at the public forum on Thursday.
NEXT STEPS: The Affirmation outlines a number of reviews. An initial draft of how these might work will be produced following community feedback and presented at the next ICANN meeting in Nairobi.
MORE INFORMATION:
The Affirmation of Commitments: http://www.icann.org/en/announcements/announcement-30sep09-en.htm#affirmation
Affirmation session: http://sel.icann.org/node/7481
GNSO Improvements
WHAT HAPPENED: After years of hard work, the new GNSO Council sat for the first time in Seoul. There are now two main stakeholder groups: Contracted (made up of registries and registrars), and Non-Contracted (made up of commercial and non-commercial interests).
A new chair was chosen by both houses – Chuck Gomes – and he will work alongside two new vice-chairs: Olga Cavalli (Non-Contracted) and Stephane van Gelder (Contracted).
MORE INFORMATION:
The GNSO Improvements webpage:
http://gnso.icann.org/en/improvements/
The GNSO Council session: http://sel.icann.org/node/6708
Independent Reviews
WHAT HAPPENED: A number of sessions that covered the review of specific parts of ICANN were held during the week.
Currently, two bodies are in the implementation phase: GNSO and ALAC. The GNSO process was largely finished with the sitting of the new Council; whereas the ALAC met the Board’s Structural Improvements Committee to discuss the implementation of its changes.
Meanwhile, going through the Working Group stage (i.e. just before implementation) are the Nominating Committee, the Board and SSAC.
Other reviews ongoing included: RSSAC (just at the start of the working group period); ccNSO (just about to head into the review process); and ASO (terms of reference for its review being drawn up).
NEXT STEPS: The reviews will progress through the clearly defined processes in each case. More sessions will be held in Nairobi to discuss and review that progress.
MORE INFORMATION:
ALAC and Board SIC session:
http://sel.icann.org/node/7183
Nominating Committee review session:
http://sel.icann.org/node/7094
Board review session: http://sel.icann.org/node/7252
SSAC review session:
http://sel.icann.org/node/7098
Board members and Councillors
Since this was ICANN’s annual general meeting, there was turnover in Board and Council members.
In particular, Roberto Gaetano, Steve Goldstein, Wendy Seltzer and Thomas Roessler left the Board. From ALAC: Jose Ovidio Salgueiro, Fatimata Seye Sylla, Vanda Scartezini, Nguyen Thu Hue, and Sivasubramanian Muthusamy all ended their terms. And from the GNSO: Tony Harris, Philip Sheppard, Greg Ruth, Tony Holmes, Ute Decker, Cyril Chua, Carlos Affonso Pereira de Souza, Maggie Mansourkia, Jon Nevett, and Steve Metalitz all left the Council.
Special mention was given to leaving GNSO chair Avri Doria and leaving NomCom chair Tricia Drakes.
Peter Dengate Thrush was re-elected as chair of the Board, and Dennis Jennings as vice-chair.
Board Resolutions
The full set of Board Resolutions at the public meeting on Friday can be found online at http://www.icann.org/en/minutes/resolutions-30oct09-en.htm.
A transcript of the meeting can be found at: http://sel.icann.org/meetings/seoul2009/transcript-board-meeting-30oct09-en.txt
And video recordings of proceedings can be found in two parts at:
http://icann.na3.acrobat.com/p77419459/ and
http://icann.na3.acrobat.com/p19863704/
Other Matters
Pictures of the conference can be found at: http://www.icann.org/photos/
Telecom Execs Meet at the NGT Asia Summit to Discuss the Move to 4G
The average handset has evolved from the humble voice-box to a total media centre. As a result, thousands of start-up companies are profiting from the telecom sector's advances, supplying the various add-ons which inevitably accompany any new wave of technology. Such innovations were used by the operators to supplement their pricey voice packages. However, the operators now find themselves in the hands of the ever-creative software and hardware companies and a changing consumer culture. The iPhone App Store was the first to take advantage and make millions from the operators' customers, creating a financial redistribution within the telecom industry. With the telecom giants left to maintain the costly infrastructure that supports this ever-growing new-media industry, the outlook for today's communication service providers is set to get worse in a new 4G world where broadband is everywhere (LTE, WiMAX, FTTx and cloud services). How can the giants sustain such costs and avoid being relegated to the sidelines as bit-pipe providers?
To answer this question visionaries such as Zhang Fan, CTO of China Unicom, Anil Tandan, CTO of Idea Cellular, Ravinder Jain, CIO of Aircel, Michael Kuehner, CEO of AXIATA Bangladesh and Mu Piao Shih, President of Chunghwa Telecom are all set to attend what is a closed meeting at the NGT APAC summit in Sentosa, to discuss a unified investment strategy to provide Long Term Evolution (LTE) across the existing 3G network. Such increased download speeds will allow the telecom industry to capitalize on the change in consumer habits and provide wider service offerings.
"Asia's innovative technologies have inspired the western world and with economic pressures alleviating, we are now looking to invest in 4G to capitalize on the 'Prosumer' market," said a spokesman for the fifty-strong consortium at the NGT APAC Summit.
This most elite of delegations led by Kyle Whitehill, COO of Vodafone India, are set to discuss the rapid pace of communication, transforming from the one-to-one (direct) voice communication to the fast, informal & responsive, opinion and thought exchange we have today.
"Such a meeting has been a long time coming, large operators have been losing revenue as the communication market has diversified, network optimization should lend to them finding new revenue streams as the level of service can expand"—Nick York, NGT Summit Director Asia Pacific.
Such consumer and technology transformation has changed the way 'Prosumers' consume products and services and interact with their mobile devices. The industry is waiting to see whether Asia's top telecom players can agree on a unified approach to map revenue streams back to the operators.
Submitted by Emma Naylor, Press Officer, NG Online News
More under: Access Providers, Mobile, Telecom, Wireless
Accountability?
The Story of Conficker and the Industry Response
On November 2, 2009, Microsoft released its seventh edition of the Security and Intelligence Report (SIR). The SIR provides an in-depth perspective on the changing threat landscape including software vulnerability disclosures and exploits, malicious software (malware), and potentially unwanted software. Using data derived from hundreds of millions of Windows computers, and some of the busiest online services on the Internet, this report also provides a detailed analysis of the threat landscape and the changing face of threats and countermeasures and includes updated data on privacy and breach notifications.
The following is an excerpt from the SIR, pp. 29–32, about the Conficker worm and the industry response, which showed an incredible amount of collaboration across vendors.
* * *
Case Study: The Conficker Working Group
The appearance in late 2008 of Win32/Conficker, an aggressive and technically complex new family of worms, posed a serious challenge to security responders and others charged with ensuring the safety of the world's computer systems and data. ("Win32/Conficker Update," beginning on page 95, explains the technical details of the Conficker worm and the methods it uses to propagate.) Working together, however, the security community was able to react quickly to the threat and contain much of the damage, in the process establishing a potentially groundbreaking template for future cooperative response efforts. On October 23, 2008, Microsoft released critical security update MS08-067, addressing CVE-2008-4250, a vulnerability in the Windows Server service that could allow malicious code to spread silently between vulnerable computers across the Internet.
The vulnerability affected most currently supported versions of Windows, although architectural improvements in Windows Vista and Windows Server 2008 made them more difficult to exploit than earlier versions. Like the worms that plagued the Internet earlier this decade, malware that exploited the vulnerability would be able to spread without user interaction by taking advantage of the protocols computers use to communicate with each other across networks. For this reason, and because actual attack code that exploited the vulnerability was known to exist in the wild at the time, the MSRC took the unusual step of releasing MS08-067 "out of band" rather than wait for the next scheduled release of Microsoft security updates, which takes place on the second Tuesday of every month. Security Bulletin MS08-067 happened to be released on the last day of the eighth annual meeting of the International Botnet Task Force in Arlington, Virginia, a suburb of Washington, D.C., where attendees agreed to closely monitor developments around what appeared to be the first legitimately "wormable" vulnerability to be discovered in Windows in several years.
The November appearance of Win32/Conficker, the first significant worm that exploited the MS08-067 vulnerability, marked a major challenge for security researchers, due to the aggressive tactics several of its variants used to propagate. Despite this, researchers soon discovered a way to limit or eliminate the Conficker bot-herders' ability to issue instructions to infected computers. As described on page 96, the authors of the Conficker malware used an algorithm to generate 500 new domain names every day (250 for each of the first two Conficker variants discovered) to use for command-and-control servers. Computers infected with Conficker would attempt to contact each of these generated domain names every day. If the authors had a task they wanted the computers in the botnet to perform, they would simply use the same algorithm to generate domain names in advance and register a few of them, which they could then use to host command-and-control servers.
Fortunately, researchers from Microsoft and other organizations were able to reverse engineer the domain-name-generation algorithms used by the first two variants, designated Worm:Win32/Conficker.A and Worm:Win32/Conficker.B, soon after each variant was discovered. This enabled them to begin registering the domain names before the botnet operators could, thereby impeding the Conficker malware from obtaining new instructions. Initially, the researchers resorted to registering the domains commercially through the domain name registrars for the eight top-level domains (TLDs) (.com, .net, .org, .info, .biz, .ws, .cn, and .cc) used by Conficker, an approach that quickly became unworkable. Registering 500 domain names per day would cost thousands of (U.S.) dollars per day for the foreseeable future—and the cost would only increase if new variants appeared using different name-generation algorithms. It was clear that more help would be needed.
The Conficker Working Group Is Born
In January 2009, representatives from a number of security research companies and domain registrars, along with the anti-botnet Shadowserver Foundation, began discussing how best to implement a defensive Domain Name Service (DNS) strategy to handle domain registrations. To coordinate the significant amount of e-mail being generated by these discussions, the group established the CONFICKER e-mailing list on January 28, which drew a growing number of security researchers and members from law enforcement, academia, and industry, in addition to members representing each of the eight TLDs used by Conficker. Enlisting the support of the TLD operators would prove to be a vital step in containing the Conficker threat, enabling the group to block domain names more efficiently and at far less expense than would be possible through the commercial registration process.
By early February 2009, working group members had instituted a process for registering as many domain names as possible, before the Conficker operators could register them, and assigning them to IP addresses belonging to six sinkholes (server complexes designed to absorb and analyze malware traffic) operated by organizations belonging to the working group. Infected computers looking for command-and-control servers would contact the sinkholes instead, providing researchers with valuable telemetry for analyzing the spread of the worm. A number of Internet service providers (ISPs) were also able to use this telemetry data to identify infected computers.
Around the same time, the Internet Corporation for Assigned Names and Numbers (ICANN), which is responsible for allocating IP addresses and managing the Internet domain name system, invited the group to deliver a presentation on its domain registration efforts to a meeting of the ICANN board of directors. The board expressed its support for the program and assigned two staffers to help coordinate it. Despite these efforts, the Conficker operators were still able to register some domains before the working group could get to them. To mitigate this, researchers at Kaspersky Lab, an anti-malware vendor headquartered in Russia, worked with OpenDNS, a free network resolution service used by many organizations and individuals, to compute a year's worth of Conficker domain names and proactively point them at the group's sinkholes. Any infected computer belonging to an OpenDNS user would not be able to contact any of the Conficker command-and-control servers, even on domains the Conficker operators had been able to secure.
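The two mechanisms described above, a date-driven domain generation algorithm on the malware side and precomputation plus sinkholing on the defender side, as an added example that is not code from the SIR or the Conficker Working Group. The DGA here is a hypothetical stand-in (SHA-256 over a seed, the date and an index), not Conficker's real algorithm; the TLD list mirrors the eight named in the text, and the sinkhole addresses, seed and log lines are constructed values in the RFC 5737 documentation range. What it shows is why reversing the algorithm was decisive: once defenders can produce the same daily list, they can register or pre-resolve every name to a sinkhole and turn the resulting queries into a list of infected hosts.

```python
import hashlib
from datetime import date, timedelta

# Constructed values for this example; not Conficker's real seed or sinkholes.
TLDS = ["com", "net", "org", "info", "biz", "ws", "cn", "cc"]
SINKHOLES = ["192.0.2.10", "192.0.2.11"]   # RFC 5737 documentation addresses
ANNOUNCEMENT_DAY = date(2009, 2, 12)       # the day the CWG was announced


def generate_domains(day, count=250, seed="hypothetical-seed"):
    """Hypothetical DGA: each name is a pure function of (seed, day, index),
    which is the property the text relies on. Whoever holds the algorithm,
    operator or defender, produces the identical list for a given day."""
    names = []
    for i in range(count):
        h = hashlib.sha256(f"{seed}|{day.isoformat()}|{i}".encode()).hexdigest()
        label = "".join(chr(ord("a") + int(c, 16) % 26) for c in h[:10])
        names.append(f"{label}.{TLDS[int(h[10:12], 16) % len(TLDS)]}")
    return names


def precompute_sinkhole_table(start, days, count=250):
    """Defender side: enumerate every name for `days` days ahead and assign
    each to a sinkhole round-robin, so the names can be registered or
    resolved to the sinkholes before the operators register them."""
    table = {}
    for offset in range(days):
        day = start + timedelta(days=offset)
        for idx, name in enumerate(generate_domains(day, count)):
            table[name] = SINKHOLES[idx % len(SINKHOLES)]
    return table


def resolve(name, table, upstream):
    """Defensive-DNS lookup (the OpenDNS-style approach in the text): a name
    in the table always answers with a sinkhole, even if the operators did
    manage to register it; other names fall through to normal resolution."""
    key = name.lower().rstrip(".")
    if key in table:
        return table[key]
    return upstream.get(key)


def sample_sinkhole_log(day):
    """Constructed telemetry: two hosts querying DGA names plus one benign
    query, in a simple 'timestamp src=... qname=...' line format."""
    names = generate_domains(day)[:3]
    return [
        f"{day}T10:00:01 src=198.51.100.7 qname={names[0]}",
        f"{day}T10:00:02 src=198.51.100.7 qname={names[1]}",
        f"{day}T10:00:03 src=203.0.113.9 qname={names[2]}",
        f"{day}T10:00:04 src=203.0.113.44 qname=www.example.com",
    ]


def infected_hosts(log_lines, table):
    """The ISP use case from the text: distinct sources that queried a
    precomputed DGA name are the hosts to notify and clean up."""
    hosts = set()
    for line in log_lines:
        fields = dict(f.split("=", 1) for f in line.split()[1:])
        if fields.get("qname", "").lower().rstrip(".") in table:
            hosts.add(fields["src"])
    return hosts


if __name__ == "__main__":
    table = precompute_sinkhole_table(ANNOUNCEMENT_DAY, days=365)
    print(f"{len(table)} names precomputed for one year")
    print(sorted(infected_hosts(sample_sinkhole_log(ANNOUNCEMENT_DAY), table)))
```

The table for a year is only a few hundred thousand entries at Conficker.A/B volumes, which is why a year's worth of names could be pushed to a resolver in advance; the later Conficker.D rate of 50,000 names a day across 110 TLDs is what turned the same approach from a commercial registration problem into a registry-cooperation problem.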
The formation of the Conficker Working Group (CWG) was officially announced to the public on February 12, 2009, as what a number of news stories characterized as an unprecedented example of global cooperation in the computer security industry, and a potential blueprint for dealing with threats in the future. The CWG had grown from an e-mail list for nine individuals to a group of more than 30 member organizations from around the world, coordinating complex activities through a robust communications infrastructure. On the day the CWG was announced, the group had successfully registered every Conficker domain name for the next 10 days, a genuine—if temporary—victory over the Conficker operators.
Setbacks and Triumphs
The domain registration task became exponentially more challenging on March 4, 2009, with the discovery of Worm:Win32/Conficker.D. Investigators reverse-engineered the new variant and determined that it was programmed to generate 50,000 new domain names a day across 110 TLDs, beginning on April 1, 2009. Though this seemed at first like an impossible hurdle to overcome, CWG members immediately began working to counter the effects of the upcoming change. As security researchers continued to analyze the Conficker.D malware, ICANN staffers began contacting the registries responsible for each of the affected TLDs seeking cooperation in registering or blocking the domains, and the CWG compiled "go packs" of information for Internet service providers and enterprises about the steps they should take to help keep their customers and employees safe.
April 1, 2009, came and went, with the world outside the security community noticing little or no change. By that time, however, ICANN had secured the cooperation of all 110 TLDs used by Conficker, and the global DNS community was active and prepared to deal with the Conficker threat. Rapid, effective collaboration across borders and organizational lines had proven instrumental in containing what has been, and remains, a significant threat to the world's computers and information.
The CWG Today
The CWG remains in place today, with more than 300 member organizations representing law enforcement, academia, and industry, and remains vigilant against new developments. In cooperation with ICANN and the DNS community, the CWG continues to block or register the 50,000 domain names generated each day by the Conficker algorithms. Each month the group supplies the 110 affected TLD operators with an updated list of generated domain names covering the next several months, so they can begin implementing countermeasures well in advance. Automated mechanisms verify that each domain name has been blocked before it is scheduled to be used and alert the CWG for any that have not, so activity for those domains can be closely monitored. Once in a while, a domain name generated by the algorithm happens to correspond to an existing domain owned by a legitimate party; in such cases, the CWG contacts the legitimate domain owner in advance and offers assistance managing the expected spike in traffic coming from infected computers.
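An added example of the kind of pre-activation audit described above (not the CWG's own tooling, and not Conficker's generation algorithm): each scheduled domain is checked against resolver answers, and every domain, date, address and answer below is constructed for the example in place of a live resolver and the real generated-name lists.

```python
"""Audit precomputed DGA domains ahead of their activation date.

Added example of the CWG-style check described above: each generated
domain must be held at the registry (NXDOMAIN) or resolve only to a known
sinkhole before infected hosts start querying it; anything else is an
alert, and names that collide with a legitimate owner's existing domain
are listed separately so that owner can be warned about the traffic spike.

Every domain, date, address and resolver answer here is constructed for
the example; this is not Conficker's generation algorithm or the CWG's
actual tooling.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Callable, Dict, List, Optional

# Constructed sinkhole addresses (documentation ranges).
SINKHOLE_IPS = {"192.0.2.10", "198.51.100.20"}

# Generated names known to belong to a legitimate party (constructed).
LEGITIMATE_OWNERS = {"qwerty.example": "Example Corp"}


@dataclass
class ScheduledDomain:
    name: str
    active_on: date  # first day infected hosts will query this name


@dataclass
class AuditReport:
    blocked: List[str] = field(default_factory=list)     # NXDOMAIN: held at the registry
    sinkholed: List[str] = field(default_factory=list)   # answers only with sinkhole IPs
    collisions: List[str] = field(default_factory=list)  # legitimate owner to be warned
    alerts: List[str] = field(default_factory=list)      # live and NOT under our control
    not_due: List[str] = field(default_factory=list)     # beyond the check window


# A resolver returns the A records for a name, or None for NXDOMAIN.
Resolver = Callable[[str], Optional[List[str]]]


def classify(d: ScheduledDomain, answer: Optional[List[str]]) -> str:
    """Return the name of the AuditReport bucket a domain belongs in."""
    if d.name in LEGITIMATE_OWNERS:
        return "collisions"
    if not answer:
        return "blocked"
    # A partial answer (some sinkhole, some other address) is still an alert:
    # only a domain that resolves exclusively to sinkholes is under control.
    if set(answer) <= SINKHOLE_IPS:
        return "sinkholed"
    return "alerts"


def audit(schedule: List[ScheduledDomain], resolve: Resolver,
          today: date, horizon_days: int = 30) -> AuditReport:
    """Check every domain due within horizon_days; later ones are deferred."""
    report = AuditReport()
    deadline = today + timedelta(days=horizon_days)
    for d in sorted(schedule, key=lambda s: s.active_on):
        if d.active_on > deadline:
            report.not_due.append(d.name)
            continue
        getattr(report, classify(d, resolve(d.name))).append(d.name)
    return report


def group_by_tld(names: List[str]) -> Dict[str, List[str]]:
    """Split a list of names per TLD, one list per registry to notify."""
    out: Dict[str, List[str]] = {}
    for n in names:
        out.setdefault(n.rsplit(".", 1)[-1], []).append(n)
    return out


# --- constructed sample data -------------------------------------------------
SCHEDULE = [
    ScheduledDomain("abcxyzq.example", date(2009, 4, 2)),  # held: NXDOMAIN
    ScheduledDomain("kjhgfds.example", date(2009, 4, 3)),  # points at a sinkhole
    ScheduledDomain("qwerty.example", date(2009, 4, 5)),   # legitimate owner's name
    ScheduledDomain("zzqqxxw.example", date(2009, 4, 9)),  # live elsewhere: alert
    ScheduledDomain("mnbvcxz.example", date(2009, 6, 1)),  # outside the window
]

CONSTRUCTED_ANSWERS: Dict[str, Optional[List[str]]] = {
    "kjhgfds.example": ["192.0.2.10"],
    "qwerty.example": ["203.0.113.7"],
    "zzqqxxw.example": ["203.0.113.99"],
}


def constructed_resolver(name: str) -> Optional[List[str]]:
    """Stand-in for a DNS lookup; a missing entry means NXDOMAIN."""
    return CONSTRUCTED_ANSWERS.get(name)


def demo_report() -> AuditReport:
    """Run the audit over the constructed schedule as of 2009-04-01."""
    return audit(SCHEDULE, constructed_resolver, date(2009, 4, 1))


if __name__ == "__main__":
    rep = demo_report()
    for tld, names in group_by_tld(rep.alerts).items():
        print(f"ALERT .{tld}: not blocked before activation: {names}")
    for n in rep.collisions:
        print(f"COLLISION {n}: warn {LEGITIMATE_OWNERS[n]} of incoming traffic")
    print(f"blocked={len(rep.blocked)} sinkholed={len(rep.sinkholed)} "
          f"deferred={len(rep.not_due)}")
```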
In March, the group reorganized, adding structure and segmenting its work by subject area so it could operate more effectively. The group maintains a Web site at http://www.confickerworkinggroup.org with links to information in multiple languages about Conficker and resources that service providers and end users can use to determine if they are infected, and if so, what to do about it. The fight against Conficker is not over. The five identified variants continue to spread to new computers due to a lack of information or action on the part of some system administrators and end users. Even after Conficker recedes into insignificance, there will likely be other threats of similar magnitude to deal with in the future. As such threats appear, though, collaborative efforts, such as the CWG, can provide the global security community with unequaled tools for mitigation and resolution.
* * *
The SIR contains other data on Conficker, including how many machines the Microsoft Malicious Software Removal Tool cleaned and how Conficker compares to other malware removed during the first half of 2009.
Written by Terry Zink, Program Manager
More under: Malware, Security, Spam, Top-Level Domains
The formation of the Conficker Working Group (CWG) was officially announced to the public on February 12, 2009, as what a number of news stories characterized as an unprecedented example of global cooperation in the computer security industry, and a potential blueprint for dealing with threats in the future. The CWG had grown from an e-mail list for nine individuals to a group of more than 30 member organizations from around the world, coordinating complex activities through a robust communications infrastructure. On the day the CWG was announced, the group had successfully registered every Conficker domain name for the next 10 days, a genuine—if temporary—victory over the Conficker operators.
Setbacks and Triumphs
The domain registration task became exponentially more challenging on March 4, 2009, with the discovery of Worm:Win32/Conficker.D. Investigators reverse-engineered the new variant and determined that it was programmed to generate 50,000 new domain names a day across 110 TLDs, beginning on April 1, 2009. Though this seemed at first like an impossible hurdle to overcome, CWG members immediately began working to counter the effects of the upcoming change. As security researchers continued to analyze the Conficker.D malware, ICANN staffers began contacting the registries responsible for each of the affected TLDs seeking cooperation in registering or blocking the domains, and the CWG compiled "go packs" of information for Internet service providers and enterprises about the steps they should take to help keep their customers and employees safe.
April 1, 2009, came and went, with the world outside the security community noticing little or no change. By that time, however, ICANN had secured the cooperation of all 110 TLDs used by Conficker, and the global DNS community was active and prepared to deal with the Conficker threat. Rapid, effective collaboration across borders and organizational lines had proven instrumental in containing what has been, and remains, a significant threat to the world's computers and information.
The CWG Today
The CWG remains in place today, with more than 300 member organizations representing law enforcement, academia, and industry, and remains vigilant against new developments. In cooperation with ICANN and the DNS community, the CWG continues to block or register the 50,000 domain names generated each day by the Conficker algorithms. Each month the group supplies the 110 affected TLD operators with an updated list of generated domain names covering the next several months, so they can begin implementing countermeasures well in advance. Automated mechanisms verify that each domain name has been blocked before it is scheduled to be used and alert the CWG for any that have not, so activity for those domains can be closely monitored. Once in a while, a domain name generated by the algorithm happens to correspond to an existing domain owned by a legitimate party; in such cases, the CWG contacts the legitimate domain owner in advance and offers assistance managing the expected spike in traffic coming from infected computers.
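As an added example (not Microsoft's, the CWG's or OpenDNS's code), the following Python models the defensive workflow described above: pre-computing the generated names for a window of dates, as OpenDNS did for a year's worth of names, and then verifying that each name is sinkholed before its scheduled date and flagging the rest for attention. The name generator is a constructed stand-in, not the Conficker algorithm; the TLD list, sinkhole addresses and resolver results are assumptions.

```python
"""Defender-side audit of algorithmically generated domains: are they sinkholed in time?"""
from __future__ import annotations

import hashlib
import string
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Callable, Optional

# Constructed stand-in for a date-seeded name generator. It is NOT the Conficker
# algorithm; it only reproduces the property the defence relies on: anyone who
# knows the algorithm can compute every future name in advance.
TLDS = ("com", "net", "org", "info", "biz", "ws", "cn", "cc")  # the eight TLDs named in the text


def generate_names(day: date, per_day: int = 250) -> list[str]:
    """Deterministically derive `per_day` domain names for one calendar day."""
    names = []
    for i in range(per_day):
        digest = hashlib.sha256(f"{day.isoformat()}:{i}".encode()).digest()
        label = "".join(string.ascii_lowercase[b % 26] for b in digest[: 8 + digest[8] % 4])
        names.append(f"{label}.{TLDS[digest[9] % len(TLDS)]}")
    return names


def expected_schedule(start: date, days: int, per_day: int = 250) -> list[tuple[date, str]]:
    """Pre-compute (use date, domain) pairs for a window of days, the list a
    resolver operator or TLD registry would receive ahead of time."""
    return [(start + timedelta(d), name)
            for d in range(days)
            for name in generate_names(start + timedelta(d), per_day)]


@dataclass(frozen=True)
class Finding:
    use_date: date
    domain: str
    status: str  # "sinkholed", "unregistered" or "foreign"


Resolver = Callable[[str], Optional[str]]  # returns an IPv4 string, or None for NXDOMAIN


def audit_schedule(schedule, resolve: Resolver, sinkholes: set[str],
                   today: date, lookahead_days: int = 7) -> list[Finding]:
    """Classify every domain due within `lookahead_days` of `today`."""
    horizon = today + timedelta(lookahead_days)
    findings = []
    for use_date, domain in schedule:
        if not (today <= use_date <= horizon):
            continue
        ip = resolve(domain)
        if ip is None:
            status = "unregistered"  # still claimable by the operators: register or block it
        elif ip in sinkholes:
            status = "sinkholed"     # already absorbed; nothing to do
        else:
            status = "foreign"       # held by someone else: operator-registered, or a
                                     # pre-existing legitimate domain facing a traffic spike
        findings.append(Finding(use_date, domain, status))
    return findings


def alerts(findings: list[Finding]) -> list[Finding]:
    """Only domains that are not yet sinkholed need human attention."""
    return [f for f in findings if f.status != "sinkholed"]


if __name__ == "__main__":
    sched = expected_schedule(date(2009, 4, 1), days=3, per_day=3)
    sink = {"192.0.2.10", "192.0.2.11"}             # constructed sinkhole addresses (TEST-NET-1)
    fake_dns = {d: "192.0.2.10" for _, d in sched}  # constructed resolver: everything sinkholed...
    fake_dns[sched[1][1]] = None                    # ...except one name nobody has registered
    fake_dns[sched[2][1]] = "198.51.100.7"          # ...and one held by a third party
    for f in alerts(audit_schedule(sched, fake_dns.get, sink, date(2009, 4, 1))):
        print(f"{f.use_date} {f.domain:32} {f.status}")
```

In practice `resolve` would wrap a real DNS lookup and `sinkholes` would hold the working group's sinkhole addresses; the schedule itself is what the monthly list to TLD operators contains.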
In March, the group reorganized, adding structure and segmenting its work by subject area so that it could operate more effectively. The group maintains a Web site at http://www.confickerworkinggroup.org with links to information in multiple languages about Conficker and resources that service providers and end users can use to determine whether they are infected and, if so, what to do about it. The fight against Conficker is not over. The five identified variants continue to spread to new computers due to a lack of information or action on the part of some system administrators and end users. Even after Conficker recedes into insignificance, there will likely be other threats of similar magnitude to deal with in the future. As such threats appear, though, collaborative efforts such as the CWG can provide the global security community with unequaled tools for mitigation and resolution.
* * *
The SIR contains other data on Conficker, including how many machines were cleaned by the Microsoft Malicious Software Removal Tool and how that compares with other malware removed during the first half of 2009.
Written by Terry Zink, Program Manager
More under: Malware, Security, Spam, Top-Level Domains
A Recap of the 36th ICANN Conference in Seoul, Korea
The recently completed ICANN Conference in Seoul, Korea will be remembered for a unique accomplishment—the first definitive step towards the addition of Internationalized Domain Names (IDNs) to the Internet root. In the words of ICANN's press release:
"ICANN's Fast Track Process launches on 16 November 2009. It will allow nations and territories to apply for Internet extensions reflecting their name—and made up of characters from their national language. If the applications meet criteria that include government and community support and a stability evaluation, the applicants will be approved to start accepting registrations."
As the announcement states, the applicants, at this time, are limited to nations and territories; the first IDNs will be in country code top level domains (ccTLDs). The generic TLDs (the gTLDs, e.g., .org, .com and .info) will have to wait for their opportunity to apply for IDNs. There is a long history to this development. Its timing is at least partly due to the insistence of two major nations, China and Russia, both of which have been in a position to establish alternate roots in Chinese and Cyrillic characters, respectively. The ICANN approval of the Fast Track Process recognizes this reality while maintaining the global interoperability of the Internet. Two major issues, however, remain unresolved—the question of ccTLD financial support for ICANN, and the nature of the agreements between ICANN and each ccTLD concerning their operations.
Before the Conference, ICANN released the third version of the Draft Applicant Guidebook for new generic Top-Level Domains (gTLDs)—the "DAG". Just as the second version was not greeted with universal acclaim, the third fails to meet the concerns of many Internet stakeholders. At the conference, ICANN recognized another reality by acknowledging that the timeline for the introduction of new gTLDs is put off indefinitely. There is likely to be at least one more version of the DAG before the final Guidebook appears. ICANN is still looking for some kind of consensus on the four overarching issues it has identified:
- Trademark Protection;
- Potential for Malicious Conduct;
- Security and Stability: Root Zone Scaling; and
- TLD Demand and Economic Analysis.
ICANN has established a Wiki for comment on each of them.
The trademark protection issue was singled out for separate treatment. ICANN's Board wrote to the GNSO Council requesting its "view on whether the following rights protection mechanisms recommended by the staff are consistent with the GNSO's proposed policy on the introduction of new gTLDs, and are an appropriate and effective option for achieving the GNSO's stated principles and objectives:
- The creation of an IP Clearinghouse which is a database of authenticated trade mark rights in a standard data format including the requirement for registries to provide an IP Claims service or Sunrise process during TLD launch; and
- The creation of a Uniform Rapid Suspension process."
The GNSO Council referred the questions to a Special Trademark Issues team that will attempt to reach consensus by 14 December; in the absence of consensus, the Board will adopt its staff recommendations.
On the issue of TLD Demand and Economic Analysis, ICANN continues to receive criticism regarding the nature of its commissioned economic studies and their failure to deal effectively with such questions as the ability of new registries to be vertically integrated with registrars. PIR, the .Org registry, has been among the leaders in pointing out the dangers of insider trading (domain tasting and front running) that is the likely result of vertical integration. PIR has joined with Afilias (.info) and NeuStar (.biz) in proposing a requirement that a new registry not be allowed to register names through an affiliated registrar. This proposal would not ban cross-ownership itself.
Regarding the Root Zone Scaling issue, there were a number of discussions at the Conference about the technical concerns. The consensus appeared to be that the experts are comfortable with the idea of introducing about 100 new TLDs into the root per year, but any number above that would require at least careful monitoring to avoid overloading the capacity of the system.
The subject of Mitigating Malicious Conduct continues to be a difficult one. There were several meetings at the Conference about abusive domain name registrations, and there are a number of initiatives under way to encourage registries and registrars to take action when the sources of phishing, malware and the like are uncovered.
In Seoul, the reform of the GNSO was largely accomplished. The charters of all the new Stakeholder Groups: Contracted (Registry and Registrar), Non-Contracted (Commercial and Non-Commercial) have been accepted. A question regarding the charter for the Non-Commercial Stakeholder Group was temporarily resolved by making the NonCommercial Constituency (NCUC) a constituency within the Stakeholder Group, making it possible for another constituency to be formed within the group.
Written by David Maher, Senior Vice President, Law and Policy
More under: DNS, Domain Names, Domain Registries, ICANN, Internet Governance, Multilinguism, Top-Level Domains
European Lawmakers Agreed on New Protections for Internet Users
Kevin J. O'Brien reporting in the New York Times: "European lawmakers on Thursday agreed on new protections for Internet users, striking a compromise between national governments seeking to impose tough anti-piracy laws and consumer organizations that wanted to enshrine Internet access as an unassailable right. The agreement removes the last hurdle to passage of sweeping changes to European telecommunications law, which had been held hostage for six months by the standoff over Internet access..."
Read full story: New York Times
More under: Access Providers, Censorship, Law, P2P, Policy & Regulation
Study Finds Spain Most Bot-Infected Country, Sweden Among Least Infected
According to a recent security report, Spain and the United States are the leading countries when it comes to bot-infected computers. Based on data compiled in October by PandaLabs, the research arm of Panda Security, an alarming 44.49% of computers in Spain are infected with bots, with the United States—a long way behind—at 14.41%, followed by Mexico at 9.37% and Brazil at 4.81%. The least infected countries include Peru, the Netherlands and Sweden, all with ratios under 1 percent.
According to Luis Corrons, Technical Director of PandaLabs, "Along with rogueware, botnets and zombie computers have increased by more than 30 percent so far this year. This is the simplest way for a hacker to take control of computers to distribute spam or malware, therefore making it more difficult to trace and detect the real culprit. The problem is that owners of these zombie computers will be committing crimes without realizing it, and could face having their services withdrawn by their ISPs or even prosecution."
More under: Security
