The problem with Conficker is that we still don’t know what it’s for. Yes, an estimated 7 million computers are infected worldwide, but they don’t show signs of any expected type of malicious activity. Basically, we are all waiting for something to happen so that we are able to react or, at least, be able to say “A-ha! So that’s the grand plan!”
In the meantime, there is one positive aspect of this whole situation. To respond to and mitigate the threat, the Conficker Working Group was created, and it proved to everybody that security researchers and Internet infrastructure providers around the world, working for many different companies, can work together towards a common goal.
This is precisely why the Department of Homeland Security decided to fund the creation of a report that will take stock of the way this group interacted in the hopes of learning which things worked and which didn’t.
In a way, this could be considered an unintentional experiment that could provide a basis on which to model similar future initiatives. According to Infoworld, there has already been an instance in which this model proved its mettle.
Using the same organization model and the tactic the CWG used for blocking Conficker bots from accessing the domains where they could pick up further instructions, a group effort by Panda Security, Defence Intelligence, the FBI and the Spanish Guardia Civil managed to take down another massive botnet: Mariposa.
The CWG managed to create a good working structure that has proven more than adequate when it comes to global cooperation. There is no formal hierarchy in the group, which is divided into three subgroups (DNS, sinkhole, and malware analysis). The group's tactics are kept secret, and the group still holds conference calls every week so that everybody is apprised of what the rest of the group is doing.
As Rodney Joffe, a senior technologist with Neustar and a member of the CWG, says: “In terms of defeating Conficker, it’s gotten us nowhere. In terms of learning, it’s been a great success.”