After nearly a year of what could be described as a virtual archeological dig, I've published a report on the collaborative effort to contain the Conficker worm.
My involvement in the collaborative effort was peripheral. I was in the right rooms, on the right calls, lurking on many of the right email and contact lists. I knew many of the intimately involved parties as colleagues or friends. Over the long course of the containment activities, I was able to accumulate a good deal of information related to the worm, its evolution, and measures taken to contain it from experts who were deeply immersed in monitoring, analysis and response activities. I was fortunate to participate in coordination calls and meetings, where I had the (again) good fortune to observe the energy various security, research, OS and DNS industry volunteers invested to try to prevent the Conficker writers from re-establishing communications with an estimated millions of botted PCs.
From these sources, and after consultations and review cycles involving many of the participants, I have pieced together a chronology of events related to the containment of the Conficker worm. In my report, I introduce and briefly describe the worm and its evolution. Much of this discussion is drawn from the excellent work of Honeynet Project authors Felix Leder and Tillmann Werner. This will be interesting for many readers, but others may appreciate a discussion of lessons learned during the containment period and recent activities that attempt to apply them.
I hope you find the report worthwhile and look forward to your comments.