Domain-hoarding may have hamstrung Conficker

A concerted effort by security researchers may have thwarted the Conficker update

Security researchers scrambled to snatch up domains thought to have been targeted by the controllers of the Conficker worm prior to the 1 April update.

F-Secure researcher Patrik Runald said in a blog post that security vendors and researchers calling themselves the Conficker Working Group tried to prevent Conficker's operators from registering targeted domains in the days leading up to the 1 April update.

The Conficker.C revision was programmed to generate a list of domains which could be contacted by infected machines to receive an update and possibly new attack instructions.

In an effort to thwart such an update, Runald said that researchers scrambled to prevent the registration of those domains, leaving controlled machines to 'phone home' to empty sites.

"What really happened was that the Conficker Working Group was able to prevent them from registering any of the domains used by the worm," wrote Runald.

"Never before have we seen such a global co-operation within the industry, and we're proud to be a member of that group."

However, Runald acknowledged other factors which may have contributed to Conficker's no-show, such as the amount of media attention given to the date.

Runald also warned that the passing of the deadline does not mean the end of Conficker. The botnet's controllers could still issue an update for the worm, and its peer-to-peer capabilities could have already allowed for an update to begin circulating.