Conficker Collateral Damage for March 2009

Filed Under: SophosLabs

If you have a flight booked with Southwest Airlines on Friday March 13th, you may have difficulty checking in online -- that's when the Conficker worm will be calling it home.

To clarify, before outright blocking the 7750 Conficker call-home domains for the month of March, I dug into the giant list to see if the deterministic domain generation algorithm hit any existing non-malicious domains.

And good thing I did -- on March 13th, the millions of machines infected with Conficker will be contacting wnsux.com for further instructions -- they won't get any, but that may certainly disrupt the operation of southwest.com -- a reputable travel and tourism site that wnsux.com (also owned by Southwest Airlines) redirects to.

A legitimate domain that happens to make it into the Conficker call-home list is a problem for two reasons. First, without proper investigation, the domain may end up on a blocklist, preventing users from accessing its services. Second, those millions of Conficker-infected machines contacting the domain on its given day may overload the site and essentially result in a denial-of-service attack.

Digging through 7750 domains manually would be a bit ridiculous. Since we are still in February, I narrowed my search to domains that are currently active (ones that resolve to an IP address). A bit surprisingly, this only trimmed the search to 3889 domains (yikes!).

However, with a little grep-cut-sort-uniq magic, these +3900 domains actually resolved to a mere 42 unique IP addresses. Moreover, only a handful of these IPs make up the (c)overt operation of collaborating ISPs and network management organizations to thwart Conficker by pre-registering these call-home domains -- a total of 3861 of the active domains each resolve to this handful of IPs. That leaves a mere 28 domains to check -- now I can handle that.
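As an added example (not part of the original post), the triage pass described above written out in Python: the "domain ip" resolution results and the sinkhole addresses are constructed and embedded so it runs offline, since resolving the real 3889 domains is not reproducible here.

```python
from collections import defaultdict

# Constructed sample of bulk resolution output ("domain ip" per line). The
# real pass resolved each live call-home domain over DNS; here the answers
# are embedded so the example runs offline. IPs and the random-looking
# domains are made up; wnsux.com, yakiimo.com and jogli.com are from the post.
RESOLVED = """\
aqwjxk.com 192.0.2.10
bhvpzt.net 192.0.2.10
cmlqru.org 192.0.2.11
wnsux.com 198.51.100.7
yakiimo.com 203.0.113.50
ptrqzv.com 203.0.113.50
jogli.com 198.51.100.8
"""

# Assumed addresses used by the coordinated pre-registration (sinkhole) effort.
SINKHOLE_IPS = {"192.0.2.10", "192.0.2.11"}


def parse_resolutions(text):
    """Return {domain: ip} from 'domain ip' lines, skipping blanks/comments."""
    resolved = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        domain, ip = line.split()
        resolved[domain] = ip
    return resolved


def triage(resolved, sinkhole_ips):
    """Group domains by IP (the sort | uniq step), set aside everything that
    lands on a sinkhole IP, and return the remainder grouped by IP so that
    domains parked on one registrar page are reviewed once, not one by one."""
    by_ip = defaultdict(list)
    for domain, ip in resolved.items():
        by_ip[ip].append(domain)
    sinkholed = sum(len(d) for ip, d in by_ip.items() if ip in sinkhole_ips)
    to_review = {ip: sorted(d) for ip, d in by_ip.items() if ip not in sinkhole_ips}
    return {"unique_ips": len(by_ip), "sinkholed": sinkholed, "to_review": to_review}


if __name__ == "__main__":
    summary = triage(parse_resolutions(RESOLVED), SINKHOLE_IPS)
    print(f"{summary['unique_ips']} unique IPs, {summary['sinkholed']} sinkholed")
    for ip, domains in summary["to_review"].items():
        print(ip, ", ".join(domains))
```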

Of those 28 domains, the vast majority are names currently up for sale which the registrar conveniently resolves to their main page suggesting that you buy it. One interesting domain up for sale is yakiimo.com -- the owners are asking a cool 3880 EUR for it -- not sure yet if being one of the March 20th 2009 Conficker domains will increase or decrease its value.

The key sites whose visitors may indeed see a disruption to their service include:

DOMAIN      DESCRIPTION                            ON DATE
jogli.com   Big Web Great Music                    March 8
wnsux.com   Southwest Airlines                     March 13
qhflh.com   Women's Net in Qinghai Province        March 18
praat.org   Praat: doing phonetics by computer     March 31

Other, less frequented, sites of interest that appeared in the list include "The Tennessee Dogue De Bordeaux" dog breeders site (tnddb.com, March 14) and the coy "Double Super Secret Message Board" site (dssmb.com, March 11) -- dogs and secrets won't be moving too well on those days.

One last domain turned out to be infected with Troj/Unif-B (site not listed here for obvious reasons) -- so I will go ahead and block that one all the same!

As for options, the simple solution, say for Southwest Airlines, could be to stop resolving wnsux.com to southwest.com for the day -- so long as that wouldn't hinder any of their operations. Another option would be to filter out the Conficker HTTP requests of the form http://<domain>/search?q=<N>, though this requires that (a) your site does not currently use a "search" page (with no file extension) and, more importantly, (b) the filtering decision is made at a point along the network path that can cope with the load.

This is a bit trickier as HTTP is an application layer protocol -- a network connection must already be established before the two endpoints start speaking HTTP -- necessitating a highly provisioned web proxy be used on the front lines to (1) establish the connection (TCP 3-way handshake), (2) examine the HTTP request, and (3) drop Conficker requests and pass along any remaining (presumably legitimate) requests further downstream.

In any case, I have contacted the owners of the domains listed above to draw their attention to this matter.

Time will tell whether making it on the Conficker list will be viewed with prestige or lowliness. Perhaps stories of surviving a Conficker call-home flood will carry a badge-of-honor in the network operations world.

I do know one thing for certain though... I'm glad sophos.com did not make the list.


UPDATE - March 3, 2009

Good news for those air travelers on March 13th -- Southwest Airlines have already taken action. Looks like the simple solution works fine for them -- wnsux.com no longer resolves to an IP address.

And for those considering the HTTP request filtering option, a colleague was kind enough to point out that Conficker resolves the call-home domain's IP address before making the request (thanks Bruce). Thus, the requests to be filtered will look like http://<ip-address>/search?q=<N> where <ip-address> is any IP the call-home domain resolves to.
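The proxy-side filtering decision described above and refined in this update, as an added Python example that is not part of the original post: the request samples are constructed, and treating a missing Host header like an IP-addressed request is my reading of the update, not something the post specifies.

```python
import re
from ipaddress import ip_address

# Call-home request form from the post and its update: GET /search?q=<N>
# with numeric <N>, sent to the resolved IP rather than the site's name.
# The path match is anchored so a site's own /search page with other
# parameters is left alone (caveat (a) still applies if the site itself
# serves /search?q=<digits>).
CALLHOME_PATH = re.compile(r"^/search\?q=\d+$")


def parse_request(raw):
    """Split a raw HTTP request head into (method, target, lowercase headers)."""
    head = raw.split("\r\n\r\n", 1)[0]
    request_line, *header_lines = head.split("\r\n")
    parts = request_line.split(" ")
    method, target = parts[0], parts[1]
    headers = {}
    for line in header_lines:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return method, target, headers


def host_is_ip_literal(host):
    """True when Host is a bare IPv4/IPv6 address, with or without :port."""
    if host.startswith("["):                 # [IPv6]:port form
        host = host[1:host.find("]")]
    elif host.count(":") == 1:               # IPv4:port form
        host = host.split(":")[0]
    try:
        ip_address(host)
        return True
    except ValueError:
        return False


def is_conficker_callhome(raw):
    """Proxy decision: drop only when the path has the call-home form AND the
    client addressed the server by IP (or sent no Host header at all, as an
    HTTP/1.0 client might). A browser reaching the site by name passes."""
    method, target, headers = parse_request(raw)
    if method != "GET" or not CALLHOME_PATH.match(target):
        return False
    host = headers.get("host")
    return host is None or host_is_ip_literal(host)


def filter_requests(raws):
    """Return the requests a front-line proxy would pass further downstream."""
    return [r for r in raws if not is_conficker_callhome(r)]
```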
