Conficker worm to DDoS legitimate sites in March

Summary: Among the key innovations of the Conficker worm (W32.Downadup) was the pseudo-random domain generation algorithm used for the generation of dynamic command and control locations in order to make it nearly impossible for researchers and the industry to take them down.

Among the key innovations of the Conficker worm (W32.Downadup) was its pseudo-random domain generation algorithm, used to produce dynamic command and control locations so that researchers and the industry could not simply take them down. However, once that algorithm was reverse engineered, it became possible to estimate the number of affected hosts by registering several of the upcoming phone-back locations and counting the infected machines that contacted them.

What happens when some of the phone-back locations Conficker generates for March turn out to be domains that legitimate sites already own?

According to Sophos, during March the millions of Conficker-infected hosts will attempt to phone back to several legitimate domains, among them the Southwest Airlines-owned wnsux.com, potentially causing a distributed denial of service attack against each of them. Here is the list of the legitimate domains and the dates on which Conficker will attempt to contact (and potentially DDoS) them:

  • Music Search Engine - jogli.com on 8th of March
  • Southwest Airlines - wnsux.com on 13th of March
  • Women's Net in Qinghai Province - qhflh.com on 18th of March
  • Phonetics by Computer - praat.org on 31st of March

In an attempt to mitigate this attack, the Southwest Airlines-owned wnsux.com domain was modified yesterday and no longer resolves to a particular IP. However, praat.org, a redirect to the University of Amsterdam's Institute of Phonetic Sciences, is still active, and so are qhflh.com and jogli.com.

The reverse engineering of the domain generation algorithm not only made it possible to anticipate the upcoming command and control locations, but also allowed security companies to pre-register them and lock them down under the Conficker Cabal alliance, whose members include Microsoft and ICANN. Moreover, perhaps the most pragmatic mitigation implemented on a large scale so far has been OpenDNS's updated Stats System, introduced last month, which automatically stops resolving Conficker's latest domains.
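The mechanism behind the three points above (a date-seeded generator every host computes identically, a defender who can precompute the schedule once the generator is reversed, and the resulting collision and resolver-blocking checks) is easier to see in code. The block below is an added example, not code from the article or from the worm; its generator is a constructed SHA-256 stand-in and is NOT Conficker's real algorithm, and the 250-domains-per-day figure, the TLD set and the "legitimate" domain set are assumptions made for illustration.

```python
"""Toy date-seeded DGA plus the defender-side checks the article describes.

The generator here is a constructed stand-in (assumption), not Conficker's
real algorithm. It only reproduces the mechanism that matters: every infected
host derives the same daily domain list from the date alone, with no secret
key, so the botmaster registers just one domain while a takedown would have
to cover all of them, and anyone who reverses the generator can precompute
the whole schedule.
"""
import datetime
import hashlib
import re

TLDS = ("com", "net", "org", "info", "biz")   # constructed choice
DOMAINS_PER_DAY = 250                          # assumption for illustration
LABEL_RE = re.compile(r"^[a-z]{5,12}\.(com|net|org|info|biz)$")


def _as_date(day):
    """Accept either a datetime.date or an ISO 'YYYY-MM-DD' string."""
    return day if isinstance(day, datetime.date) else datetime.date.fromisoformat(day)


def daily_domains(day, count=DOMAINS_PER_DAY):
    """Deterministic domain list for `day`: identical on every host."""
    seed = _as_date(day).isoformat().encode()
    domains = []
    for i in range(count):
        digest = hashlib.sha256(seed + i.to_bytes(4, "big")).digest()
        length = 5 + digest[0] % 8                       # 5..12 letters
        label = "".join(chr(ord("a") + b % 26) for b in digest[1:1 + length])
        domains.append(f"{label}.{TLDS[digest[-1] % len(TLDS)]}")
    return domains


def schedule(start, days):
    """What a researcher gets after reversing the generator: the complete
    phone-back schedule for the coming `days`, computed offline in advance."""
    start = _as_date(start)
    plan = {}
    for d in range(days):
        day = start + datetime.timedelta(days=d)
        plan[day.isoformat()] = daily_domains(day)
    return plan


def legitimate_collisions(plan, legit):
    """Scheduled domains that already belong to someone else. Those owners
    receive the phone-back traffic instead of a sinkhole; returns
    {domain: first ISO date on which infected hosts will contact it}."""
    hits = {}
    for day, domains in sorted(plan.items()):   # ISO keys sort chronologically
        for dom in domains:
            if dom in legit and dom not in hits:
                hits[dom] = day
    return hits


def resolver_blocklist(plan, legit):
    """Resolver-side mitigation (what OpenDNS-style blocking amounts to):
    refuse to resolve every scheduled domain that is not a legitimate site.
    Legitimate sites must stay resolvable, so their owners need another fix,
    such as changing what the name resolves to, as wnsux.com's owner did."""
    return {dom for domains in plan.values() for dom in domains} - legit


if __name__ == "__main__":
    plan = schedule("2009-03-01", 31)
    # Constructed "legitimate" set: one domain is lifted from the schedule to
    # stand in for the wnsux.com situation. Nothing here is a real lookup.
    legit = {"example.com", plan["2009-03-13"][7]}
    print(f"{sum(len(v) for v in plan.values())} domains scheduled for March")
    for dom, day in legitimate_collisions(plan, legit).items():
        print(f"collision: {dom} on {day} (owner must expect phone-back traffic)")
    print(f"{len(resolver_blocklist(plan, legit))} domains to refuse at the resolver")
```

Two things the article's numbers rest on fall out of this: a takedown has to cover every scheduled name (31 days times 250 here), whereas the botmaster needs only one, and the resolver blocklist cannot help a legitimate site that collides with the schedule, since that name must keep resolving.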

For the time being, the Conficker botnet remains in a "stay tuned" mode, with the real malicious payload deliverable at any moment. A patch for the vulnerability it exploits (MS08-067) has been available since October 2008.

Conficker graph courtesy of Microsoft's Malware Protection Center.

Dancho Danchev

About Dancho Danchev

Dancho Danchev is an independent security consultant and cyber threats analyst, with extensive experience in open source intelligence gathering, malware and cybercrime incident response.

Talkback

7 comments
  • Problem: unsupported Microsoft OS's aren't patched.

    Microsoft hasn't patched anything older than Win2k. Those systems will be infected for all eternity. (And yes Virginia, some of them will still be on the internet 10 years from now).
    Programmer1028
    • You are partially correct..

      XP is by far the largest unpatched OS out there. Corresponding to the largest area of unpatched OS being Asia and the Middle East. Corresponding to the largest area of "pirated" Windows on the planet.
      You see a correlation, they are using the known issues of pirated software to further their botnet and strengthen their attack.
      This again is why you dont see OSX attacks. OSX just cannot give them strength to attack sites.
      CrashPad
      • Nope

        Pirates have no problems getting the latest super expensive versions for free. It's the law abiders that are stuck with old OSs.
        AzuMao
  • RE: Conficker worm to DDoS legitimate sites in March

    Ok - if several phoneback locations have been pre-empted, is it legal to send an uninstall command to the worm from the site dialed into? For the known DDoS sites coming up I would think it is in their right to take corrective action against those systems participating in that attack. You dialed to me for instructions, here are the instructions - uninstall yourself.
    zclayton2
    • Well you need to get with the Worm developers

      and demand they make uninstallers first :)

      They do not want their code removed :)
      mrlinux
    • Except that,

      obviously, they aren't taking commands from the target domains. They're just raping them to hell and back.
      AzuMao