Conficker worm targets legitimate travel site

Share this article:

The website for a major commercial airline, along with a number of other legitimate sites, could face downtime due to the Conficker worm, a researcher said Monday.

Some 10 million computers worldwide have been infected by Conficker (a.k.a Downadup) and joined into a botnet. Each zombie machine is programmed to check in with approximately 250 URLs each day for more instructions, although there have yet to be any.

A few of these domains -- including a site that redirects to the official website of Southwest Airlines -- actually are legitimate web destinations, researcher Mike Wood wrote in a post on the SophosLabs blog. That means that certain URLs could be overwhelmed by queries. In the case of Southwest, the compromised machines were set to contact the site on March 13.

Sophos has contacted the owners of the legitimate domains, and as of Monday the Southwest Airlines site was unavailable. A request for comment to Southwest was not returned on Monday.

Microsoft is leading a coalition to disarm the pernicious worm, using reverse-engineered code that enables researchers to register the generated domain names before the bot herders can.

But legitimate domains that correspond to the call-home lists Conficker generates have two major problems,
Wood said.

“First, without proper investigation, they may end up on a blocklist and prevent users from accessing their services," he said. "Second, those millions of Conficker-infected machines contacting the domain on its given day may overload the site and essentially result in a denial-of-service attack.”

Unless the worm is defeated, its menace could continue for a long time, Graham Cluley, senior technology consultant at Sophos, told SCMagazineUS.com.

“Conficker will continue to carry on and create domain names in its effort to find instructions on what to do next,” he said. “Right now it's running like a robot with no instructions – it's waiting for new commands. It's desperate for them, but none have been given to it yet.”

The worm generates a target list by looking at the current date and time and running a "deterministic domain generation" algorithm that works out a random name. The zombie machines look for instructions each day and even if there are no instructions on a given site, it still gets heavy traffic -- relatively few sites can handles 10 millions hits per day.

“In the old days, worms would only query a single site for instructions,” Cluley said. “That makes it easy for the authorities to shut down the site. With Conficker, there is a new list of names every day.”

Share this article:
You must be a registered member of SC Magazine to post a comment.
close

Next Article in News

Sign up to our newsletters

More in News

CryptoWall surpasses CryptoLocker in infection rates

CryptoWall surpasses CryptoLocker in infection rates

A threat analysis from Dell SecureWorks CTU says that CryptoWall has picked up where its famous sibling left off.

Professor says Google search, not hacking, yielded medical info

Professor says Google search, not hacking, yielded medical ...

A professor of ethical hacking at City College San Francisco came forward to clarify that he did not demonstrate hacking a medical center's server in a class.

Syrian Malware Team makes use of enhanced BlackWorm RAT

Syrian Malware Team makes use of enhanced BlackWorm ...

FireEye analyzed the hacking group's use of the malware, dubbed the "Dark Edition" of BlackWorm.