March 02, 2009

Conficker worm targets legitimate travel site

The website for a major commercial airline, along with a number of other legitimate sites, could face downtime due to the Conficker worm, a researcher said Monday.

Some 10 million computers worldwide have been infected by Conficker (a.k.a Downadup) and joined into a botnet. Each zombie machine is programmed to check in with approximately 250 URLs each day for more instructions, although there have yet to be any.

A few of these domains -- including a site that redirects to the official website of Southwest Airlines -- actually are legitimate web destinations, researcher Mike Wood wrote in a post on the SophosLabs blog. That means that certain URLs could be overwhelmed by queries. In the case of Southwest, the compromised machines were set to contact the site on March 13.

Sophos has contacted the owners of the legitimate domains, and as of Monday the Southwest Airlines site was unavailable. A request for comment to Southwest was not returned on Monday.

Microsoft is leading a coalition to disarm the pernicious worm, using reverse-engineered code that enables researchers to register the generated domain names before the bot herders can.

But legitimate domains that correspond to the call-home lists Conficker generates have two major problems,
Wood said.

“First, without proper investigation, they may end up on a blocklist and prevent users from accessing their services," he said. "Second, those millions of Conficker-infected machines contacting the domain on its given day may overload the site and essentially result in a denial-of-service attack.”

Unless the worm is defeated, its menace could continue for a long time, Graham Cluley, senior technology consultant at Sophos, told SCMagazineUS.com.

“Conficker will continue to carry on and create domain names in its effort to find instructions on what to do next,” he said. “Right now it's running like a robot with no instructions – it's waiting for new commands. It's desperate for them, but none have been given to it yet.”

The worm generates a target list by looking at the current date and time and running a "deterministic domain generation" algorithm that works out a random name. The zombie machines look for instructions each day and even if there are no instructions on a given site, it still gets heavy traffic -- relatively few sites can handles 10 millions hits per day.

“In the old days, worms would only query a single site for instructions,” Cluley said. “That makes it easy for the authorities to shut down the site. With Conficker, there is a new list of names every day.”

Related Articles
Related Topics
close

Next Article in News

More in News

Privacy-bolstering "Apps Act" introduced in House

The bill would provide consumers nationwide with similar protections already enforced by a California law.

Microsoft readies permanent fix for Internet Explorer bug used in energy attacks

Microsoft is prepping a whopper of a security update that will close 33 vulnerabilities, likely including an Internet Explorer (IE) flaw that has been used in targeted website attacks against the U.S. government.

Weakness in Adobe ColdFusion allowed court hackers access to 160K SSNs

Up to 160,000 Social Security numbers and one million driver's license numbers may have been accessed by intruders.