Conficker Set To Disrupt Legit Sites During March

Reports surfaced over the weekend that the Conficker worm (aka Downadup) will, as part of its ‘phone home’ routine, call out to wnsux.com (among others) for instructions; wnsux.com is a redirect to Southwest Airlines. The report, produced by the respected anti-malware company Sophos, points to a scenario that is particularly difficult to mitigate: domains generated by the worm’s call-home algorithm that turn out to be already registered to legitimate sites, so that the worm’s daily check-in amounts to a DDoS attack against those legitimate web presences. The likely outcome is significant delays doing business with Southwest Air, and with the other businesses on the ‘list’, as it were. A short snippet of the original post, and the Heise Security story, appear after the jump.
Conficker to disrupt legitimate domains in March
The Conficker worm will be disrupting at least four legitimate domains in March according to a report from Sophos. Although the action taken last month by ICANN, Microsoft and many others to stop Conficker calling home is blocking domains that were unregistered, there are a number of legitimate domains which will, for one day at least, be called “home” by the worm. On those days, all the instances of the worm in the wild will attempt to connect to these domains, looking for new instructions or code, which could result in a denial of service for the owners and users of the legitimate sites.
On March 8th, jogli.com (Big Web Great Music), will be called “home” by Conficker, followed by wnsux.com (Southwest Airlines) on the 13th, qhflh.com (Women’s Net in Qinghai Province) on the 18th and praat.org (Praat: doing phonetics by computer) on the 31st. The Sophos report notes that other less frequented domains are also in Conficker’s path. The report suggests that sites which are on the list look at either not resolving their domain name on the date or filtering the HTTP query that Conficker uses (http://<domainname>/search?q=<N>).
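The filtering advice above is the practical takeaway for a site owner on the list. The following is an added example, not code from the Heise story or the Sophos report, showing how to pick the Conficker request shape the report gives (`http://<domainname>/search?q=<N>`, with `<N>` numeric) out of a web server access log and tally the source addresses behind it. The log lines are constructed sample data in Common Log Format, with RFC 5737 documentation addresses; the function names are my own.

```shell
#!/bin/sh
# Added example (not from the Heise/Sophos material): isolate Conficker
# call-home requests in an access log. The request shape is the one the
# Sophos report describes: GET /search?q=<N> where <N> is a number.
# SAMPLE_LOG is CONSTRUCTED test data; real input would be your access log.

SAMPLE_LOG='192.0.2.10 - - [13/Mar/2009:00:00:01 +0000] "GET /search?q=0 HTTP/1.1" 302 154
192.0.2.11 - - [13/Mar/2009:00:00:02 +0000] "GET /search?q=26472 HTTP/1.0" 302 154
198.51.100.5 - - [13/Mar/2009:00:00:03 +0000] "GET /search?q=conficker+worm HTTP/1.1" 200 9021
203.0.113.4 - - [13/Mar/2009:00:00:04 +0000] "GET /index.html HTTP/1.1" 200 5120
192.0.2.10 - - [13/Mar/2009:00:00:05 +0000] "GET /search?q=1 HTTP/1.1" 302 154'

# Keep only lines whose request is exactly /search?q=<digits>.
# A human search such as q=conficker+worm does not match: the digit class
# and the space before the protocol token make the pattern exact.
callhome_lines() {
    grep -E '"GET /search\?q=[0-9]+ HTTP/1\.[01]"'
}

# Source addresses of matching requests with hit counts, busiest first.
# This is the list an operator would feed into a temporary block rule
# rather than taking the whole site offline for the day.
callhome_sources() {
    callhome_lines | awk '{print $1}' | sort | uniq -c | sort -rn | awk '{print $2, $1}'
}

# Usage (stand-alone): feed the constructed log through both filters.
printf '%s\n' "$SAMPLE_LOG" | callhome_lines
printf '%s\n' "$SAMPLE_LOG" | callhome_sources
```

For live use, replace the `printf` of `SAMPLE_LOG` with `tail -f` on the real log; the same regular expression can be dropped into a web server rewrite or deny rule so that the worm’s requests are answered cheaply before they reach the application.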
—
Conficker Collateral Damage for March 2009
If you have a flight booked with Southwest Airlines on Friday March 13th, you may have difficulty checking in online — that’s when the Conficker worm will be calling it home.
To clarify, before outright blocking the 7750 Conficker call-home domains for the month of March, I dug into the giant list to see if the deterministic domain generation algorithm hit any existing non-malicious domains.
And good thing I did — on March 13th, the millions of machines infected with Conficker will be contacting wnsux.com for further instructions — they won’t get any, but that may certainly disrupt the operation of southwest.com — a reputable travel and tourism site that wnsux.com (also owned by Southwest Airlines) redirects to.
A legitimate domain that happens to make it into the Conficker call-home list is a problem for two reasons. First, without proper investigation, they may end up on a blocklist and prevent users from accessing their services. Second, those millions of Conficker infected machines contacting the domain on its given day may overload the site and essentially result in a denial-of-service attack.
Digging through 7750 domains manually would be a bit ridiculous. Since we are still in February, I narrowed my search to domains that are currently active (ones that resolve to an IP address). A bit surprisingly, this only trimmed the search to 3889 domains (yikes!).
However, with a little grep-cut-sort-uniq magic, these +3900 domains actually resolved to a mere 42 unique IP addresses. Moreover, only a handful of these IPs make up the (c)overt operation of collaborating ISPs and network management organizations to thwart Conficker by pre-registering these call-home domains — a total of 3861 of the active domains each resolve to this handful of IPs. That leaves a mere 28 domains to check — now I can handle that.
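The triage the Sophos author describes (resolve every name on the month’s list, collapse by IP, set aside the handful of sinkhole addresses, review what is left) is worth seeing as a pipeline. The block below is an added example, not the Sophos author’s own script. It works on a constructed `domain ip` list standing in for the output of resolving the call-home domains; the sinkhole addresses, the threshold, and the made-up domain names are assumptions, and only wnsux.com and jogli.com come from the page. It uses RFC 5737 documentation addresses so nothing here points at a real host.

```shell
#!/bin/sh
# Added example (not the Sophos author's code): the grep-cut-sort-uniq
# triage of a resolved Conficker call-home list, on CONSTRUCTED data.
# Each line is "domain ip", the kind of output you would get from e.g.
#   while read d; do echo "$d $(dig +short "$d" | head -n1)"; done < march.txt
# Names that do not resolve are already dropped, as in the post.
# Which IPs are sinkholes is ASSUMED here; real ones you learn by asking.

RESOLVED='aaaaa.com 192.0.2.1
bbbbb.net 192.0.2.1
ccccc.org 192.0.2.1
ddddd.com 192.0.2.1
eeeee.net 192.0.2.2
fffff.org 192.0.2.2
ggggg.com 192.0.2.2
wnsux.com 198.51.100.20
jogli.com 198.51.100.30
hhhhh.net 203.0.113.40
iiiii.org 203.0.113.40'

# Count how many call-home domains land on each IP, busiest first.
# An address absorbing many DGA names at once is almost certainly a
# pre-registration sinkhole run by the people fighting the worm, not a real site.
domains_per_ip() {
    printf '%s\n' "$RESOLVED" | cut -d' ' -f2 | sort | uniq -c | sort -rn
}

# IPs hosting at least $1 call-home domains: the sinkhole candidates.
sinkhole_ips() {
    domains_per_ip | awk -v t="$1" '$1 >= t {print $2}'
}

# Domains whose IP hosts fewer than $1 names from the list: the short
# list that needs a human look before anything is blocked.
domains_to_review() {
    printf '%s\n' "$RESOLVED" | awk -v t="$1" '
        { ip[$1] = $2; n[$2]++ }
        END { for (d in ip) if (n[ip[d]] < t) print d }' | sort
}

# Usage (stand-alone): with a threshold of 3 the two sinkholes fall out
# and four domains remain for manual checking.
echo "sinkhole IPs:";      sinkhole_ips 3
echo "domains to review:"; domains_to_review 3
```

The threshold is the judgement call: on the real list the sinkholes held 3861 of 3889 resolving names across a few addresses, so any cutoff in the tens would separate them cleanly, but a low cutoff risks treating a small shared-hosting box as a sinkhole and waving its real tenants through unreviewed.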
- ICANN ponders ways to stop scammy Web sites (infoworld.com)
- March 13, 2009 – Virus Set To Call Home To Southwest Airlines (lockergnome.com)
- Hackers target Xbox Live players (news.bbc.co.uk)
- Kaspersky, OpenDNS collaborate to slow Conficker worm (infoworld.com)
- We’re Back (powerlineblog.com)
- DDoS attack boots Kyrgyzstan from net (theregister.co.uk)
- OcUK puts £10K bounty on the heads of DDoS varmints (theregister.co.uk)
- Time Warner Cable Getting Slammed By Denial Of Service Attack [Denial Of Service] (consumerist.com)