Collective Intelligence Vs Malware: Conficker Working group

Collective intelligence, as described in different posts of this blog, can be used in many different areas. In the end, it is about taking advantage of a group’s potential to solve a problem, propose new ideas, etc. regardless of the area of application. It is not strange therefore that collective intelligence has been used in an area as relevant today as cybersecurity.

A concrete case of this use of collective intelligence (for good) in the world of cybersecurity is the case of the “Coinficker Working Group”.

Conficker malware

In November 2008, the first version of a malware (a worm) called Conficker was detected. This malware, which exploited a vulnerability of different versions of Windows operating system, infected millions of machines by incorporating them into a botnet (a network of computers that can be controlled by an attacker remotely).

The malware, every so often, connected to a series of top-level domains (.com, .biz, etc.) to receive instructions, update or download files. Only on some of these websites the malware received such instructions (the rest was a decoy). If these domains were blocked, malware activity would be blocked.

The real intention of the author was never known, although different experts said that the botnet had the capacity to cause serious damage, not only to Internet users, but also to companies, governments or even critical infrastructures. This malware came to have up to 5 versions, in each of which it incorporated new “features”: improvements in its form of propagation, P2P connection with other infected machines, incorporation of adware, etc.

Conficker, like it happened recently with the Wannacry ransomware, took advantage of a vulnerability for which Microsoft had recently published a patch. Those who did not have their operating system updated could be infected.

Map showing the areas where the Conficker malware was installed, “The Map Scrolls”, http://mapscroll.blogspot.com.es/2009/04/mapping-conficker-worm.html

The beginning of the solution

Although the definitive solution for this malware was a tool developed by Microsoft that eliminated malware and updated the operating system by installing the corresponding patch, the first reaction came from a group of professionals in the cybersecurity area.

Different experts from Microsoft, ICANN, university researchers, private companies (like Symantec) and even governments (specifically the Chinese government), some from their jobs and others in their free time, got organized to stop the advance of Conficker. The group then did the following:

  1. Identify the domains to which Conficker tried to connect and block them (this was possible thanks to the involvement of ICANN and other companies dedicated to domain registration).
    • If the domain that was trying to contact Conficker was already registered, that domain had to be investigated. Was it legitimate or not? In case of not being, it was blocked.
    • Many times, the domain investigated was dedicated to distribute other malware or spam. In these cases, these domains were also blocked.
  2. If the domain Conficker was trying to connect to was not registered, the group registered it to control it.

They also created a small program that advised the users if their computer was infected. The group realise could not overcome the malware by itself, but it was important to involve each of the users (as far as possible).

Later Microsoft published the tool that eliminated the malware, at the same time that it installed the patch that avoided Conficker installation.

The work they did was not easy and sometimes they almost gave up. Coordination and relationship between team members were not easy either (sometimes influenced by external factors such as the media). In any case, the success of the group was considerable and its results and actions appear in a document that they developed some time later: “Conficker Working Group: Lessons learned”. They also created a wiki where the published news about its work.

 

From the crowdsourcing and collective intelligence perspective

From the crowdsourcing point of view, members of this group performed HITs (“Human Intelligence Tasks”): a very specific task that a computer cannot perform automatically because it needs human intervention.

Regarding the crowdsourcer, the initiative did not come from a specific company/organization/person as an open call, but emerged in a more general way. This in turn, generated some problems since there was no clear responsible to mark certain lines. There were problems related, for example, with the relationship with the media, etc.

Nor was there a tangible reward, but in this case we could say that what moved the crowd was a mixture of “glory” and “love” (following Malone).

Leave a Reply

Your email address will not be published. Required fields are marked *