Conficker may bring commercial web sites to their knees

Stephen Withers
Monday, 02 March 2009 06:21

Business IT - Networking

One of the most notorious pieces of recent malware is set to cause collateral damage to commercial web sites.

It's common for malware to connect to a control server to get fresh instructions. That might be as simple as a new template for a spam campaign, or to collect fresh code.

But what if the server gets taken down, as happened to McColo?

One trick is to arrange for the malware to look to a different domain if it is unable to contact its controller for a certain period.

If those backup domain names were hardcoded, it would be all too easy to block them, or have them taken down before any harm could be done.

So a bright spark came up with the idea of algorithmically-generated domain names. The domains could be registered just in time, and security specialists would be kept on the hop.

You could even arrange for the malware to 'phone home' to a different domain each day. And that's what Conficker does.

Well, the theory is that this would present a challenge to the anti-malware forces.

In practice, security researchers are able to analyse this function as easily as any other. And a coalition of ISPs and other players has been registering the domains Conficker will try to use before the worm's backers can get hold of them.

But Sophos has determined that a small number of the 7750 domain names that Conficker will try to use during March correspond to real and active web sites.

That's the problem with generating semi-random strings: every now and then you'll get a real word, a set of initials, or a made-up name.

Which companies are likely to suffer a Conficker collateral DDoS attack this month? See page 2.