It appears that Conficker phone-home domains aren't totally random. If you are flying on Southwest Airlines, you had better read on.
Mike Wood, a security researcher for Sophos Labs, has come up with some alarming news. He has been researching the over 7,750 phone-home domain names that Conficker-infected computers will attempt to contact during the month of March.

Southwest Airlines is affected
One of the domain names he found was wnsux.com. It just so happens that wnsux.com is a domain name owned by Southwest Airlines. Southwest Airlines purchased wnsux.com to avoid negative publicity and redirects any wnsux.com requests to the airline's primary address, southwest.com. Wood explains in his blog post, titled Conficker Collateral Damage for March 2009:
"On March 13th, millions of machines infected with Conficker will be contacting wnsux.com for further instructions. They won't get any, but that may certainly disrupt the operation of southwest.com, a reputable travel and tourism site that wnsux.com (also owned by Southwest Airlines) redirects to."

What potentially could happen
Wood goes on to explain the significance of being one of the unlucky domain name holders that turns up in the Conficker phone-home list:
"A legitimate domain that happens to make it into the Conficker call-home list is a problem for two reasons. First, without proper investigation, they may end up on a blocklist and prevent users from accessing their services. Second, those millions of Conficker infected machines contacting the domain on its given day may overload the site and essentially result in a denial-of-service attack."

Other affected domain names
Wood published a list of the actively used domain names and has contacted the appropriate people to give them advance warning. The following are a few of the domain names that will be affected within the next few weeks:
- 08 March: jogli.com (Big Web Great Music)
- 13 March: wnsux.com (Southwest Airlines)
- 18 March: qhflh.com (Women's Net in Qinghai Province)
- 31 March: praat.org (Praat: doing phonetics by computer)
Southwest Airlines is fortunate: all it needs to do is stop redirecting wnsux.com to southwest.com for a few days, so the Conficker traffic never reaches the production site. Others may not be using a redirect at all, and that makes the solution a bit more difficult. Wood explains how filtering may be effective:
"Another option would be to filter out the Conficker HTTP requests of the form http://<domain>/search?q=<N>, though this requires that your site does not currently use a 'search' page and the filtering decision is made at a point along the network path that can cope with the load."

Final thoughts
I've written about how puzzled security analysts are as to what tasks the developers have in mind for the Conficker-infected computers. As of now, the infected machines aren't doing anything but trying to contact command-and-control servers. Come 08 March, we will all get a first-hand look at what these millions of infected computers are capable of, all aimed at a target that was chosen at random.
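As an added illustration of the filter Wood describes above, the following Python triage scans web-server access-log lines for requests of the form /search?q=<N> and separates them from normal traffic. This is example code written for this article, not code from Wood, Sophos, or Southwest Airlines. It assumes <N> is a bare integer (so the pattern is anchored and a human query such as /search?q=flights+to+denver is left alone), matches on the request path regardless of HTTP method, and uses a constructed sample log with documentation-range IP addresses.

```python
import re
from collections import Counter

# Conficker's call-home request, as quoted from Wood: /search?q=<N>.
# Assumption (example code, not from the article): <N> is a bare integer,
# so the pattern is anchored and will not match a human query such as
# /search?q=flights+to+denver or a paginated /search?q=123&page=2.
CONFICKER_PATH = re.compile(r"^/search\?q=\d+$")

# Common Log Format: ip ident user [time] "METHOD path PROTO" status bytes
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+'
)


def is_conficker_request(path):
    """True when the request path matches the Conficker call-home form."""
    return CONFICKER_PATH.match(path) is not None


def triage(log_lines):
    """Split access-log lines into (kept, dropped, per_ip).

    dropped holds lines matching the Conficker pattern; per_ip counts how
    many such requests each client address made, which is the figure you
    would watch when deciding whether to block at the network edge.
    Lines that do not parse are kept, never silently discarded.
    """
    kept, dropped, per_ip = [], [], Counter()
    for line in log_lines:
        m = LOG_LINE.match(line)
        if m is None:
            kept.append(line)
            continue
        if is_conficker_request(m["path"]):
            dropped.append(line)
            per_ip[m["ip"]] += 1
        else:
            kept.append(line)
    return kept, dropped, per_ip


# Constructed sample log for this example (RFC 5737 documentation addresses).
SAMPLE_LOG = [
    '198.51.100.7 - - [13/Mar/2009:00:00:01 +0000] "GET /search?q=1 HTTP/1.1" 302 0',
    '198.51.100.7 - - [13/Mar/2009:00:00:02 +0000] "GET /search?q=2 HTTP/1.1" 302 0',
    '203.0.113.9 - - [13/Mar/2009:00:00:02 +0000] "GET /search?q=17 HTTP/1.0" 302 0',
    '192.0.2.44 - - [13/Mar/2009:00:00:03 +0000] "GET /search?q=flights+to+denver HTTP/1.1" 200 5120',
    '192.0.2.45 - - [13/Mar/2009:00:00:04 +0000] "GET /search?q=123&page=2 HTTP/1.1" 200 4870',
    '192.0.2.46 - - [13/Mar/2009:00:00:05 +0000] "GET / HTTP/1.1" 200 11203',
]

if __name__ == "__main__":
    kept, dropped, per_ip = triage(SAMPLE_LOG)
    print(f"dropped {len(dropped)} Conficker-pattern requests, kept {len(kept)}")
    for ip, n in per_ip.most_common():
        print(f"  {ip}: {n}")
```

Wood's caveat still applies: a site whose own search page accepts a purely numeric query (a ZIP code, a flight number) will collide with this pattern, so run the triage over a day of normal traffic and inspect the dropped set before turning the rule into a block at the load balancer or front-end proxy, which is also where the filtering has to sit if it is to absorb the load.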
I'd also like to thank MaximumPC for the use of their Conficker worm slide.