Threat Management, Incident Response, Malware, Patch/Configuration Management, TDR, Vulnerability Management

Conficker worm targets legitimate travel site

The website for a major commercial airline, along with a number of other legitimate sites, could face downtime due to the Conficker worm, a researcher said Monday.

Some 10 million computers worldwide have been infected by Conficker (a.k.a Downadup) and joined into a botnet. Each zombie machine is programmed to check in with approximately 250 URLs each day for more instructions, although there have yet to be any.

A few of these domains -- including a site that redirects to the official website of Southwest Airlines -- actually are legitimate web destinations, researcher Mike Wood wrote in a post on the SophosLabs blog. That means that certain URLs could be overwhelmed by queries. In the case of Southwest, the compromised machines were set to contact the site on March 13.

Sophos has contacted the owners of the legitimate domains, and as of Monday the Southwest Airlines site was unavailable. A request for comment to Southwest was not returned on Monday.

Microsoft is leading a coalition to disarm the pernicious worm, using reverse-engineered code that enables researchers to register the generated domain names before the bot herders can.

But legitimate domains that correspond to the call-home lists Conficker generates have two major problems,
Wood said.

“First, without proper investigation, they may end up on a blocklist and prevent users from accessing their services," he said. "Second, those millions of Conficker-infected machines contacting the domain on its given day may overload the site and essentially result in a denial-of-service attack.”

Unless the worm is defeated, its menace could continue for a long time, Graham Cluley, senior technology consultant at Sophos, told

“Conficker will continue to carry on and create domain names in its effort to find instructions on what to do next,” he said. “Right now it's running like a robot with no instructions – it's waiting for new commands. It's desperate for them, but none have been given to it yet.”

The worm generates a target list by looking at the current date and time and running a "deterministic domain generation" algorithm that works out a random name. The zombie machines look for instructions each day and even if there are no instructions on a given site, it still gets heavy traffic -- relatively few sites can handles 10 millions hits per day.

“In the old days, worms would only query a single site for instructions,” Cluley said. “That makes it easy for the authorities to shut down the site. With Conficker, there is a new list of names every day.”

Related Events

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.