2009 Year in Review
My Research Results in the News
In 2009 my research activities had a fair bit of visibility in government and across the public news outlets. Here is a year-end review of media that references my research.
December 2009: The Register (UK)
iPhone worms can create mobile botnets
Security researchers at SRI International - noted for top notch work in
dissecting the Conficker botnet - published an analysis of the iPhone
botnet on Monday that warns users of Apple's device and similar
smartphones to expect more of the same in future. Warnings about mobile
malware have been circulating for years. But it's only since the advent
of iPhones and other smartphones, allowing decent internet access with
what's essentially a mini-computer, that such risks have become
tangible, rather than the stuff of anti-virus vendor PowerPoint slides,
SRI warns.
http://www.theregister.co.uk/2009/12/22/iphone_worm_analysis/
December 2009: Ars Technica
iPhone worm code suggests mobile botnets may be future risk
Analysis by SRI International researchers revealed that though iKee.B was
fairly simple and took up very little memory, it was sophisticated
enough to check in with a "command & control" (C&C) server
every five minutes. When the script (perhaps appropriately named "duh")
accessed the server, the server could then push any additional
instructions, in the form of a new script, that a hacker wanted the
phone to run. Part of its execution also involved periodically scanning
for other iPhones either on a WiFi connection or on known carrier IP
ranges. When an iPhone was found with SSH running, it would attempt to
log in with default root passwords and install itself on the newly
discovered vulnerable iPhone.
http://arstechnica.com/apple/news/2009/12/iphone-worm-code-suggests-mobile-botnets-may-be-future-risk.ars
October 2009: PC World (and CIO Magazine and MSN)
Is your PC Bot Infested? Here's How To Tell
Proactive options are also available. BotHunter, a free program from
SRI International, works with Unix, Linux, Mac OS, Windows XP, and
Vista. Though designed for networks, it can also run on stand-alone
desktops and laptops.
http://www.pcworld.com/article/170546/is_your_pc_botinfested_heres_how_to_tell.html
October 2009: Communications of the ACM
Reflections on Conficker
In several ways, Conficker was not fundamentally novel. The primary
infiltration method used by Conficker to infect PCs around the world
was known well before Conficker began to spread in late November 2008.
The earliest accounts of the Microsoft Windows buffer overflow used by
Conficker arose in early September 2008, and a patch to this
vulnerability had been distributed nearly a month before Conficker
was released. Neither was Conficker the first to introduce dynamic
domain generation as a method for selecting the daily Internet
rendezvous points used to coordinate its infected population. Prior
malware such as Bobax, Kraken, and more recently Torpig and a few other
malware families, have used dynamic domain generation as well.
Conficker's most recent introduction of an encrypted peer-to-peer (P2P)
channel to upgrade its ability to rapidly disseminate malware binaries
is also preceded by other well established kin, Storm worm being
perhaps the most well known example. Nevertheless, among the long
history of malware epidemics, very few can claim sustained worldwide
infiltration of multiple millions of infected drones. The rapidly
evolving set of state-of-the-art Conficker variants do represent the
state-of-the-art in advanced commercial Internet malware, and provide
several valuable insights for those willing to look closely.
http://mags.acm.org/communications/200910/?pg=24
July 2009: CNN.com
Whatever happened to the Conficker worm?
Phillip Porras, program director at SRI International, a nonprofit
research group, said Conficker infects millions of machines around the
world. And the malware's author or authors could use that infected
network to steal information or make money off of the compromised
computer users. "Conficker does stand out as one of those bots that is
very large and has been able to sustain itself on the Web," which is
rare, said Porras, who also is a member of the international group
tracking Conficker.
http://www.cnn.com/2009/TECH/07/27/conficker.update/
July 2009: Wired Magazine
Future of Cyber Security: Hackers Have Grown Up
Money is the catalyst for this change: Computer criminals are scooping
in millions through various scams and attacks. The best hackers are
growing up in Russia and former Soviet satellite states, where there
are fewer legitimate opportunities for smart coders. "If you're a
sophisticated team of software developers, but you happen to be in
Eastern Europe, what's your way of raising a lot of money?" says
Phillip Porras, the cyber threat expert at SRI International who
dissected Conficker. "Maybe we're dealing with business models that
work for countries where it's more difficult for them to sell
mainstream software."
http://www.wired.com/dualperspectives/article/news/2009/07/dp_security_wired0728
June 2009: New Scientist Journal
The Inside Story of the Conficker Worm
The worm hunters would only ever spot the illicit address when the
infected computers were making contact and the update was being
downloaded - too late to do anything. For the next day's set of
instructions, the creators would have a different list of 250 to work
with. The security community had no way of keeping up. No way, that is,
until Phil Porras got involved. He and his computer security team at
SRI International in Menlo Park, California, began to tease apart the
Conficker code. It was slow going: the worm was hidden within two
shells of encryption that defeated the tools that Porras usually
applied. By about a week before Christmas, however, his team and others
- including the Russian security firm Kaspersky Labs, based in Moscow -
had exposed the worm's inner workings, and had found a list of all the
URLs it would contact.
http://www.newscientist.com/article/mg20227121.500-the-inside-story-of-the-conficker-worm.html
full article: http://www.thehackersedge.com/modules.php?name=News&file=article&sid=150
June 2009: U.S. Whitehouse
Cyber Policy Review
SRI's Technical Report entitled "An Analysis of Conficker C", by
Phillip Porras, Hassen Saidi, and Vinod Yegneswaran, was included in the
stakeholders' bibliography of the White House Cyber Policy Review report.
http://www.whitehouse.gov/assets/documents/Cyberspace_Policy_Review_final.pdf
June 2009: Scientific American
What Conficker Reveals about Internet Crime
After Waledac, the discussion about good worms went away, at least in
part because worms themselves went away. "Back in the early 2000s,
there weren't strong business models for distributed malware," says
Philip Porras, program director of the nonprofit security research firm
SRI International. Hackers, he explains, "were using [worms] to make
statements and to gain recognition." Worms would rope computers
together into botnets--giant collections of zombie computers--which
could then attempt to shut down legitimate Web sites. Exciting (if
you're into that sort of thing), but not very profitable.
http://www.scientificamerican.com/article.cfm?id=pulling-up-worms
April 2009: PC World
Conficker Variant Expected to Self-Destruct Soon
"We're starting to see some revenue generation," said Phillip Porras,
program director in the computer sciences laboratory at SRI
International, in a presentation he gave today at the RSA Conference
here concerning Conficker. "We're starting to see some business models
come out of it." Security researchers in industry and government are
using various means to monitor Conficker.C behavior (which can block
over 114 legitimate anti-virus sites and now works in conjunction with
the botnet Waledec). Porras said Conficker.C is involved in an
elaborate process to sell fake anti-malware software. When it gets into
infected machines, it can direct victims toward Web sites believed to
be selling fraudware.
http://www.pcworld.com/businesscenter/article/163848/conficker_variant_expected_to_selfdestruct_soon.html
April 2009: Network World
Conficker D-Day Arrives, Worm Phones Home (Quietly)
Among security experts, the consensus seems to be that very little will
happen Wednesday. This may be in part because of the high amount of
publicity Conficker has received, but then again April 1 is not the
first time Conficker has been programmed to change the way it operates.
Similar trigger dates have already passed with little change, including
January 1, according to Phil Porras, a program director
with SRI International. Security experts at Symantec, the maker of
Norton Antivirus, also believe the threat is overblown and say
Conficker today will "start taking more steps to protect itself" and
"use a communications system that is more difficult for security
researchers to interrupt."
http://www.networkworld.com/news/2009/042409-conficker-worm.html
April 2009: Computer World
Different Approaches to Removing Malware
What makes this a poor option is that much of the current crop of
malware is sophisticated and defends itself well. The big money to be
made peddling malware draws talented programmers. To see this up close
and personal, take a look at the SRI International Technical Report An
Analysis of Conficker's Logic and Rendezvous Points. It's obvious from
the report how much care and effort went into constructing Conficker.
http://blogs.computerworld.com/different_approaches_to_removing_malware
April 2009: Information Week
Are We Getting Con-Ficked?
Conficker was supposed to cause 50,000 PCs around the world to rise up
against their human masters on April 1, and since that failed to
happen, has been called a hoax and "much ado about nothing." But
neither could be further from the truth. The likes of Ron Rivest and
SRI International, which specializes in cybersecurity research, don't
work feverishly through the night to find a fix for a figment of
someone's imagination.
http://www.informationweek.com/blog/main/archives/2009/04/are_we_getting.html
April 2009: Financial Times
Conficker has Something for Everyone: Scareware and Spam Too
Still unknown: who runs the sites selling SpywareProtect, and whether
the clever minds behind Conficker have direct ownership of everything
involved or are renting out services to the scareware purveyors,
spammers or both. "This is the first information I've seen of
Conficker being used for profit," said researcher Phillip Porras of
SRI International. "It's too early to speculate on whether it's
cooperative subletting or all in the family."
http://blogs.ft.com/techblog/2009/04/conficker-has-something-for-everyone-scareware-and-spam-too/
April 2009: Information Week
Conficker Worm Hits University of Utah
In February, Microsoft offered a $250,000 reward for information
leading to the arrest and conviction of those responsible for Conficker
worm. To date, no arrests have been made. The first iteration of the
worm, Conficker.A, makes an effort to avoid infecting systems in a
Ukrainian domain or using a Ukrainian keyboard layout, according to a
report by SRI International. This suggests that the creators of the
malware may live in that part of the world and may be exempting their
home country to avoid attracting attention from local authorities.
http://www.informationweek.com/news/security/attacks/showArticle.jhtml?articleID=216500433
April 2009: Network World
Conficker.E to Self-Destruct on May 5th
"We're starting to see some revenue generation," said Phillip Porras,
program director in the computer sciences laboratory at SRI
International, in a presentation he gave today at the RSA Conference
here concerning Conficker. "We're starting to see some business models
come out of it." Porras said Conficker.C is involved in an elaborate
process to sell fake anti-malware software. When it gets into infected
machines, it can direct victims toward Web sites believed to be selling
fraudware.
http://www.networkworld.com/news/2009/042409-conficker-worm.html
March 2009: OS News
Conficker Worm - Hoax or Criminally Genius Scheme?
Optimism aside, since the peer-to-peer technology is already set into
place, the worm has a much more malicious purpose. Officials are pretty
sure that the intent isn't lighthearted, either: "Perhaps the most
obvious frightening aspect of Conficker C is its clear potential to do
harm. Perhaps in the best case, Conficker may be used as a sustained
and profitable platform for massive Internet fraud and theft. In the
worst case, Conficker could be turned into a powerful offensive weapon
for performing concerted information warfare attacks that could disrupt
not just countries, but the Internet itself." -Phillip Porras,
research director at SRI International
http://www.osnews.com/story/21230/Conficker_Worm_Hoax_or_Criminally_Genius_Scheme
March 2009: PC World
What You Need to Know About Conficker - Right Now
How do I know if I'm already infected with Conficker.c? The easiest way
is to try to reach some of the popular Web sites that Conficker blocks.
If you can't get to Microsoft.com, Symantec.com, McAfee.com and
SecureWorks.com, it's likely you've lost control of your computer to
Conficker. (The complete list of all 114 domains that the worm blocks
can be found in SRI International's excellent analysis of Conficker.C.)
http://www.pcworld.com/article/162317/faq_what_you_need_to_know_about_conficker_right_now.html
March 2009: Investor's Business Daily
Most Say Conficker Worm Won't Wreak April 1 Havoc
This week, teams released several free detection tools, including one
by the Department of Homeland Security for government, its vendors, or
critical-infrastructure operators. "Perhaps in the best case, Conficker
may be used as a sustained and profitable platform for massive Internet
fraud and theft," a report by SRI International researchers said this
month. "In the worst case, Conficker could be turned into a powerful
offensive weapon for performing concerted information warfare attacks
that could disrupt not just countries, but the Internet itself."
Researchers are still probing the worm's code to learn more. Recently,
they found a flaw in one feature that could make it easier to thwart.
http://www.investors.com/NewsAndAnalysis/Article.aspx?id=472787
March 2009: San Francisco Chronicle
Computer Worm May Turn Nasty Wednesday
What makes researchers most nervous is that they don't know what
Conficker's authors are waiting for. Other than offering fake antivirus
software for a brief period last year, the worm's creators haven't
tried to make money off Conficker, which is one reason they're so hard
to identify. "Usually by this time we have a reasonable understanding
of what their business model is," said Phillip Porras, program director
for SRI International in Menlo Park, who is an authority on the worm.
Conficker's authors have updated the worm's code at least twice since
it was launched to provide new ways for the worm to spread, researchers
said.
http://www.sfgate.com/cgi-bin/article.cgi?f=/c/a/2009/03/30/BU6H16PEU6.DTL&type=tech
March 2009: Computer World and PC World
Fears of a Conficker Meltdown Greatly Exaggerated
"Technically, we will see a new capability, but it complements a
capability that already exists," Porras said. Conficker is currently
using peer-to-peer file sharing to download updates, he added. The
worm, which has been spreading since October of last year, uses a
special algorithm to determine what Internet domains it will use to
download instructions. Gradually, the Conficker network will get
updated, but this will take time, and nothing dramatic is expected to
happen on April 1, according to Porras, Howard, and researchers at
Secureworks and Panda Security.
http://www.computerworld.com.au/article/297294/fears_conficker_meltdown_greatly_exaggerated
March 2009: The Guardian
Conficker virus could be deadly threat -- of April Fool's Joke
Others agree that Conficker may not activate immediately, preferring to
lie in wait before receiving further orders to avoid scrutiny. "At its
core, the main purpose of Conficker is to provide the authors with a
secure binary updating service that effectively allows them instant
control of millions of PCs worldwide," noted Philip Porras of SRI
International. Vincent Weafer, vice-president of Symantec, an internet
security company, said: "Most malware these days is designed to be used
for some type of criminal monetary gain, and conducting such criminal
acts typically requires stealth measures to be successful.
http://www.guardian.co.uk/technology/2009/mar/30/conficker-virus-computing
March 2009: Security Focus
Conficker's Capabilities Worry Researchers
In their Conficker C Analysis, three researchers at SRI International
found that the latest update to the Conficker worm, which started
appearing on compromised systems on March 5, changed more than 80
percent of the B-version of the worm's code. "In the best case,
Conficker may be used as a sustained and profitable platform for
massive Internet fraud and theft," wrote Phillip Porras, Hassen Saidi
and Vinod Yegneswaran, all of SRI International. "In the worst case,
Conficker could be turned into a powerful offensive weapon for
performing concerted information warfare attacks that could disrupt,
not just countries, but the Internet itself."
http://www.securityfocus.com/brief/935
March 2009: Wall Street Journal
Conficker: Don't Believe the Hype
This blog post reports: You may have heard about Conficker, the rogue
computer program that might do something dreadful on April 1. The truth
is that the threat posed by Conficker is almost entirely theoretical,
and that only a handful of dedicated professionals will notice anything
out of the ordinary when that date comes around. According to SRI
International's Program Director, Phil Porras, "I don’t see anything on
April 1 that will cause any significant havoc. The most likely outcome
is that the day will pass and no one will have noticed anything."
http://blogs.wsj.com/digits/2009/03/26/conficker-dont-believe-the-hype/
March 2009: The Register (UK)
Final countdown to Conficker 'Activation' Begins
The most detailed and thorough technical analysis of the worm's
behaviour can be found in a paper by SRI International here. SRI
reckons that Conficker-A has infected 4.7m Windows PC over its
lifetime, while Conficker-B has hit 6.7m IP addresses. These figures,
as with other estimates, come from an analysis of call-backs made to
pre-programmed update sites. Infected hosts get identified and cleaned
up all the time, as new machines are created. Factoring this into
account, the botnet controlled by Conficker-A and Conficker-B is
reckoned to be around 1m and 3m hosts, respectively, about a third of
the raw estimate.
http://www.theregister.co.uk/2009/03/26/conficker_activation_analysis/page2.html
March 2009: PC Magazine
What Will Conficker Bring on April 1?
This article reports that Conficker has become the boogeyman of the
security industry over the last year. The latest variant of the worm,
Conficker.C, is programmed to do something on April 1. According to the
article, as this very large and thorough analysis of Conficker.C from
SRI International says, "...Conficker C increases the number of daily
domain names generated, from 250 to 50,000 potential Internet
rendezvous points. Of these 50,000 domains, only 500 are queried, and
unlike previous versions, they are queried only once per day."
http://www.pcmag.com/article2/0,2817,2343910,00.asp
March 2009: The Globe and Mail
Experts Try to Beat Vicious Computer Worm
This article reports that deep within the World Wide Web, there is an
undercurrent of potential chaos building: a malicious piece of
code that has already prompted the French military to ground some
fighter planes, and Microsoft to offer $250,000 for information leading
to the code's authors. A recent report by SRI International describes
the wide spectrum of possible outcomes should Conficker achieve its
authors' goals.
http://www.theglobeandmail.com/servlet/story/RTGAM.20090326.wworm0326/BNStory/Technology/home
March 2009: ABC News
Conficker Computer Worm Threatens Chaos
Who is behind this computer attack? And what do they want from us? Are
they trying to bring the world's computers to a halt? Or is the whole
thing just some elaborate April Fool's joke? "It's not an April Fools
prank," said Phillip Porras, a program director at SRI International, a
major technology research firm. "We don't know much about how Conficker
is being used. We are not sure why Conficker was built."
http://abcnews.go.com/Technology/story?id=7163685&page=1
March 2009: Information Week
Malware Controlling Hardware Is Not A Necessity
Conficker is one recent example. Exploiting a known vulnerability for
which there is a patch, Conficker continues to spread and according to
analysis by SRI continues to evolve and demonstrates the creators'
ability to adapt and enhance the malware. Conficker is sophisticated,
to be sure, but it's nowhere near the cutting edge exploit that a BIOS
update or SMM rootkit is. Yet, Conficker has much more potential.
http://www.informationweek.com/blog/main/archives/2009/03/malware_control.html
March 2009: Last WatchDog
Countdown to Conficker's April Fools Day Climax
This article reports that, according to a report published by SRI
International last week, the latest update stopped the Conficker
computer worm from spreading and, instead, set all infected PCs to work
connecting themselves in a vast P2P network, according to SRI program
director Phillip Porras.
http://lastwatchdog.com/countdown-conficker-worms-april-fools-day-climax/
March 2009: USA Today
PC Security Forces Face April 1 Showdown with Conficker Worm
Such worms largely disappeared after 2004, as Microsoft (MSFT) improved
its process for identifying new holes and quickly issuing patches. But
last September, Chinese hackers began selling a $37.80 program for
tapping into a newly discovered Windows hole on some 800 million
machines worldwide, according to SRI International, a non-profit
research firm. Conficker also took extraordinary measures to prevent
each new bot from being disinfected by Microsoft or antivirus programs,
or usurped by a rival botnet group. SRI found, for instance, that
Conficker's encryption algorithm came from MIT's Ron Rivest, copied
from a recently published research paper.
http://www.usatoday.com/money/industries/technology/2009-03-24-conficker-computer-worm_N.htm
March 2009: PC Magazine
Conficker Variants Prompt Debate: Serious, or Not?
The initial reports (such as this one) on "Conficker.B++" noted two new
techniques for downloading new software, but didn't detail them at all.
The researchers at SRI who found the new variant wrote a detailed
explanation of it (and earlier variants). As the SRI report says,
clearly the Conficker authors are trying to get around the DNS changes
limiting their distribution capability, but it remains to be seen if
B++ will do that. To quote the Microsoft report "[t]his change may
allow the author to distribute malware to machines infected with this
new variant...However, there doesn't appear to be an easy way for the
authors to upgrade the existing Conficker network to the new variant."
http://www.pcmag.com/article2/0,2817,2341544,00.asp
March 2009: Red Orbit
Experts Team Up To Battle Conficker Botnet
This article reports that some of the world's top computer security
experts are fighting a spectacular cat-and-mouse battle with the brazen
creator of a malicious software program known as Conficker, according
to a New York Times report. The article references a new report
released by SRI International that finds that Conficker C constitutes a
major rewrite of the original code. In addition to making it far more
difficult to block communication with the program, it has additional
capability to disable many commercial antivirus programs and
Microsoft's security update features. "Perhaps the most obvious
frightening aspect of Conficker C is its clear potential to do harm,"
wrote the report's author Phillip Porras, a research director at SRI
International.
http://www.redorbit.com/news/technology/1658181/experts_team_up_to_battle_conficker_botnet/index.html
March 2009: Slashdot
Researchers Ponder Conficker's April Fool's Activation Date
This article reports that John Markoff has a story in the New York
Times speculating about what will happen on April 1 when the Conficker
worm is scheduled to activate. Already on an estimated 12 million
machines, conjectures about Conficker's purpose range from the benign,
an April Fool's Day prank, to far darker notions. Some say
the program will be used in the 'rent-a-computer-crook' business,
something that has been tried previously by the computer underground.
'The most intriguing clue about the purpose of Conficker lies in the
intricate design of the peer-to-peer logic of the latest version of the
program, which security researchers are still trying to completely
decode,' writes Markoff. According to a paper by researchers at SRI
International, in the Conficker C version of the program, infected
computers can act both as clients and servers and share files in both
directions.
http://tech.slashdot.org/article.pl?no_d2=1&sid=09/03/21/1518248
March 2009: Bits.NYTimes.Com
The Conficker Worm: April Fool's Joke or Unthinkable Disaster?
According to a research addendum to be added Thursday to an earlier
paper by researchers at SRI International, in the Conficker C version
of the program, the infected computers can act both as clients and
servers and share files in both directions. The peer-to-peer design is
also highly distributed, making it more difficult for security teams to
defeat the system by disabling so-called super-nodes.
http://bits.blogs.nytimes.com/2009/03/19/the-conficker-worm-april-fools-joke-or-unthinkable-disaster/
March 2009: NY Times
Computer Experts Unite to Hunt Worm
A report scheduled to be released Thursday by SRI International, a
nonprofit research institute in Menlo Park, Calif., says that Conficker
C constitutes a major rewrite of the software. Not only does it make it
far more difficult to block communication with the program, but it
gives the program added powers to disable many commercial antivirus
programs as well as Microsoft's security update features. "Perhaps the
most obvious frightening aspect of Conficker C is its clear potential
to do harm," said Phillip Porras, a research director at SRI
International and one of the authors of the report. "Perhaps in the
best case, Conficker may be used as a sustained and profitable platform
for massive Internet fraud and theft." "In the worst case," Mr.
Porras said, "Conficker could be turned into a powerful offensive
weapon for performing concerted information warfare attacks that could
disrupt not just countries, but the Internet itself."
http://www.nytimes.com/2009/03/19/technology/19worm.html
March 2009: The Tech Herald
Conficker Worm Fighting Back - New variant Disables Security Measures
Last month, SRI International reported about new code in the variant of
Conficker named B++, that foreshadowed the possibility that the Worm's
authors were looking for ways to fight the researchers. "Under
Conficker B++, two new paths to binary validation and execution have
been introduced to Conficker drones, both of which bypass the use of
Internet Rendezvous points: an extension to the netapi32.dll patch and
the new named pipe backdoor. These changes suggest a desire by the
Conficker's authors to move away from a reliance on Internet rendezvous
points to support binary update, and toward a more direct flash
approach," the SRI research stated.
http://www.thetechherald.com/article.php/200911/3157/Conficker-Worm-fighting-back-new-variant-disables-security-measures-Update
March 2009: Security Focus
Conficker update attempts to foil Cabal
First discovered in November 2008, the worm has infected at least 11.4
million computer systems, according to a census of compromised Internet
addresses carried out by SRI International. Companies that monitor the
domain names generated by infected computers have found about 3 million
IP addresses contacting the domains each day, a level that seems to be
stable over the last two weeks.
http://www.securityfocus.com/brief/923
February 2009: CNET
New Variant of Conficker Worm Circulates
This article reports that a new variant of the Conficker Internet worm
is circulating that could allow an attacker to distribute malware to
infected machines, the US-CERT organization warned. The article
mentions that according to an SRI technical report, previous versions
of Conficker have been busy. Conficker A has affected more than 4.7
million IP addresses, while its successor, Conficker B, has affected
6.7 million IP addresses, with infected hosts totaling fewer than 4
million computers for both.
http://news.cnet.com/8301-1009_3-10170280-83.html
http://www.zdnetasia.com/techguide/smb/0,3800010798,62051453,00.htm
February 2009: PC Magazine
Conficker Variants Prompt Debate: Serious, or Not?
This article reports that there's a new variant of the Conficker worm,
but there's some dispute over how serious a problem it is. According to
the article, the initial reports on "Conficker B++" noted two new
techniques for downloading new software, but didn't detail them at all.
The researchers at SRI who found the new variant wrote a detailed
explanation of it (and earlier variants).
http://www.pcmag.com/article2/0,2817,2341544,00.asp
February 2009: New York Times
New Version of Malicious Computer Program is Released
This article reports that the author or authors of a malicious software
program that has infected more than 12 million computers since it was
released last fall have begun distributing a new version of the program
after computer security teams crippled the original's ability to do
damage. The new version, known as Conficker B++, was spotted by
security researchers at SRI International, who reported last week that
the software was an effort by cybercriminals to find a new way to
communicate with their programs after they had succeeded in infecting
target computers.
http://www.nytimes.com/2009/02/24/science/24computer.html?_r=1&ref=science
February 2009: The Register (United Kingdom)
Conficker Variant Dispenses with Need to Phone Home
This article reports that virus authors have released a new variant of
the infamous Conficker (Downadup) worm with enhanced auto-update
features. According to the article, "Conficker B++ is somewhat similar
to Conficker B, with 294 of 297 sub-routines the same and 39 additional
subroutines. The latest variant, first spotted on 16 February, is even
more sneaky than its previous incarnations, SRI explains."
http://www.theregister.co.uk/2009/02/23/conficker_variant/
February 2009: PC World
Monitor Botnet Threats Your Antivirus Can't See
While traditional security software typically only inspects incoming
communication and downloads for malware, a free security tool,
BotHunter, instead correlates the two-way communication between
vulnerable computers and hackers. BotHunter "flips the security
paradigm" by focusing on the egress, says Phillip Porras, a computer
security expert at SRI International and one of its creators.
http://www.pcworld.com/businesscenter/article/159706/monitor_botnet_threats_your_antivirus_cant_see.html
February 2009: Security Focus
Cabal Forms to Fight Conficker, Offers Bounty
Conficker, also known as Downadup and Kido, has surprised many security
experts with its success in propagating across the Internet. First
discovered in November 2008, the worm has infected at least 11.4
million computer systems, according to a census of compromised Internet
addresses carried out by SRI International.
http://www.securityfocus.com/news/11546
February 2009: The Tech Herald
Conficker variant emerges online -- Conficker B++
The Conficker stories are sure to heat up over the coming week, thanks
to new information released by researchers at SRI International. The
research details new insight into the Conficker Worm, and the criminals
who developed it. A new variant has been spotted, and the alterations
to the code show that whoever wrote it knows that security vendors are
fighting it, and now the Worm wants to fight back. SRI International
took a long hard look at the new code in the Conficker variant
discovered as early as February 6 and sent to SRI on February 16. The
detailed look at the malicious code showed that of the 297 subroutines
that made up the original Conficker B Worm that has spread to millions
of systems around the world, this new set of code modified three
subroutines and added 39 more.
http://www.thetechherald.com/article.php/200908/3001/Conficker-variant-emerges-online
February 2009: Washington Post
Cyber Security Community Joins Forces to Defeat Conficker Worm
Phillip Porras, director of the computer security lab at SRI
International, also began tracking Conficker domains in late November.
Porras and his team learned they could determine sets of domains sought
by Conficker host systems in the past or the future, merely by rolling
back or forward the system date setting on Microsoft Windows systems
that they had purposely infected in their test lab. As Porras's group
began building lists of domains sought by Conficker that had already
been registered, they found hundreds that traced back to security
researchers and anti-virus companies.
http://www.csl.sri.com/users/porras/public/WP-Conficker-2-13-09.pdf
January 2009: PC World/Network World
Conficker Hitting Hardest in Asia, Latin America
Phil Porras, program director at SRI International, said the worm has
hit China, Brazil, Russia and Argentina the hardest. Interestingly, an
earlier variant of Conficker would not attack victims who were using
Ukrainian keyboards, but the latest version of the worm does. Huger
said the worm's designer has written special code that operates a
certain way on Chinese and Brazilian networks, meaning those two
countries may have been targeted by the attackers. Nobody knows for
sure why Asia and Latin America were so hard hit, but Huger and Porras
both said countries with large amounts of pirated software were more
likely to be affected. "I think that piracy plays a role, though I
don't know if it's the key contributor," Huger said.
http://www.pcworld.com/businesscenter/article/158269/conficker_hitting_hardest_in_asia_latin_america.html
January 2009: New York Times
Worm Infects Millions of Computers Worldwide
One intriguing clue left by the malware authors is that the first
version of the program checked to see if the computer had a Ukrainian
keyboard layout. If it found it had such a keyboard, it would not
infect the machine, according to Phillip Porras, a security
investigator at SRI International who has disassembled the program to
determine how it functioned.
http://www.nytimes.com/2009/01/23/technology/internet/23worm.html?_r=1&em
January 2009: MIT Technology Review
Why a "Good" Worm May be a Bad Idea
Analysis of the worm shows how this might work. Since the worm is
programmed to contact a specific set of web addresses and wait to
receive further code, hijacking these addresses could squish the worm
before it does much damage. Phillip Porras, a researcher at SRI
International, who has been studying the spread of Conficker, says that
some of the domains linked with the worm have already been registered
by "white hat" hackers. These well-intentioned experts might be hoping
to simply prevent the worm from receiving further commands, or they
might be looking for a way to inject their own viral code into the
Conficker network.
http://technologyreview.com/blog/editors/22528/?a=f
January 2009: ZDNet Asia
Highly Predictive Blacklists: What, How, and Caveats
One way to prevent unwanted access to or intrusion from known problem
sites is configuration of firewall packet filters, based on IP address
blacklists. However, general blacklisting is not always efficient. To
enable organizations to be more proactive, and minimize firewall
processor allocation for blacklist filtering, SRI International and the
SANS Institute have developed highly predictive blacklists (HPB).
http://www.zdnetasia.com/techguide/security/0,39044901,62049630,00.htm
http://www.csl.sri.com/users/porras/