
Infosecurity.US

Conficker Set To Disrupt Legit Sites During March

By Marc Handelman on March 2nd, 2009

Malware

Reports surfaced over the weekend that the ‘phone home’ function in the Conficker worm (aka Downadup) code base will call home for instructions to wnsux.com (and others), a redirect site to Southwest Airlines. The report, produced by the respected anti-malware company Sophos, points to a particularly difficult scenario to mitigate: legitimate sites appearing in the phone-home list of malware, thereby producing a DDoS attack against those legitimate web presences. The obvious outcome may very well be significant delays in doing business with Southwest Air, and with the other businesses on the ‘list’, as it were. A short snippet of the original post, and the Heise Security story, appears after the jump.


Conficker to disrupt legitimate domains in March

The Conficker worm will be disrupting at least four legitimate domains in March according to a report from Sophos. Although the action taken last month by ICANN, Microsoft and many others to stop Conficker calling home is blocking domains that were unregistered, there are a number of legitimate domains that will, for one day at least, be called “home” by the worm. On those days, all the instances of the worm in the wild will attempt to connect to these domains, looking for new instructions or code, which could result in a denial of service for the owners and users of the legitimate sites.

On March 8th, jogli.com (Big Web Great Music), will be called “home” by Conficker, followed by wnsux.com (Southwest Airlines) on the 13th, qhflh.com (Women’s Net in Qinghai Province) on the 18th and praat.org (Praat: doing phonetics by computer) on the 31st. The Sophos report notes that other less frequented domains are also in Conficker’s path. The report suggests that sites which are on the list look at either not resolving their domain name on the date or filtering the HTTP query that Conficker uses (http://<domainname>/search?q=<N>).

—

Conficker Collateral Damage for March 2009

If you have a flight booked with Southwest Airlines on Friday March 13th, you may have difficulty checking in online — that’s when the Conficker worm will be calling it home.

To clarify, before outright blocking the 7750 Conficker call-home domains for the month of March, I dug into the giant list to see if the deterministic domain generation algorithm hit any existing non-malicious domains.

And good thing I did — on March 13th, the millions of machines infected with Conficker will be contacting wnsux.com for further instructions — they won’t get any, but that may certainly disrupt the operation of southwest.com — a reputable travel and tourism site that wnsux.com (also owned by Southwest Airlines) redirects to.

A legitimate domain that happens to make it into the Conficker call-home list is a problem for two reasons. First, without proper investigation, they may end up on a blocklist and prevent users from accessing their services. Second, those millions of Conficker infected machines contacting the domain on its given day may overload the site and essentially result in a denial-of-service attack.

Digging through 7750 domains manually would be a bit ridiculous. Since we are still in February, I narrowed my search to domains that are currently active (ones that resolve to an IP address). A bit surprisingly, this only trimmed the search to 3889 domains (yikes!).

However, with a little grep-cut-sort-uniq magic, these +3900 domains actually resolved to a mere 42 unique IP addresses. Moreover, only a handful of these IPs make up the (c)overt operation of collaborating ISPs and network management organizations to thwart Conficker by pre-registering these call-home domains — a total of 3861 of the active domains each resolve to this handful of IPs. That leaves a mere 28 domains to check — now I can handle that.
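The triage described in the Sophos post (resolve the call-home list, group active domains by IP, set aside the IPs that the pre-registered sinkhole domains share, and hand-review what is left) together with the HTTP filter the Heise story suggests for site owners, as an added Python example that is not code from either post. The domain-to-IP mapping is constructed sample data, and the call-home query value is assumed to be numeric, as the page's `<N>` placeholder suggests.

```python
import re
from collections import defaultdict

# Constructed sample resolutions (not real Conficker data). 203.0.113.10 plays
# the part of a sinkhole IP shared by many pre-registered domains; the other
# entries are unrelated sites, and one domain does not resolve at all.
SAMPLE_RESOLUTIONS = {
    "abcde.com": "203.0.113.10",
    "fghij.net": "203.0.113.10",
    "klmno.org": "203.0.113.10",
    "pqrst.biz": "203.0.113.10",
    "wnsux.com": "198.51.100.7",   # Southwest Airlines redirect domain named in the post
    "jogli.com": "198.51.100.8",
    "zzzzz.info": None,            # inactive domain: no collateral-damage risk, skipped
}

def triage_call_home_domains(resolutions, sinkhole_threshold=3):
    """Group resolving domains by IP. Any IP hosting at least
    `sinkhole_threshold` call-home domains is treated as a likely sinkhole.
    Returns (sinkhole_ips, domains_to_review) where the review list holds
    every active domain that does NOT sit on a sinkhole IP."""
    by_ip = defaultdict(list)
    for domain, ip in resolutions.items():
        if ip is None:
            continue  # does not resolve this month: nothing to disrupt
        by_ip[ip].append(domain)
    sinkhole_ips = {ip for ip, ds in by_ip.items() if len(ds) >= sinkhole_threshold}
    review = sorted(d for ip, ds in by_ip.items()
                    if ip not in sinkhole_ips for d in ds)
    return sinkhole_ips, review

# Request shape quoted in the Heise story: http://<domainname>/search?q=<N>
# Matching it lets a listed site drop worm traffic without blocking real users.
CALL_HOME_RE = re.compile(r"^/search\?q=\d+$")

def is_call_home_request(path):
    """True if an HTTP request path looks like the worm's call-home query."""
    return CALL_HOME_RE.match(path) is not None

if __name__ == "__main__":
    sinks, todo = triage_call_home_domains(SAMPLE_RESOLUTIONS)
    print("likely sinkhole IPs:", sinks)
    print("domains needing manual review:", todo)
    for p in ("/search?q=42", "/search?q=flights", "/index.html"):
        print(p, "->", "call-home" if is_call_home_request(p) else "normal")
```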


Categories: Infosecurity
Tags: Denial-of-service attack, Features, Internet Worms, Malware, Microsoft


The Infosecurity.US Blog is licensed under a Creative Commons Attribution-Share Alike 3.0 United States License.