Stephen Withers
Friday, 13 March 2009 11:18
Page 1 of 2
A new version of the Conficker (aka Downadup) worm is working around attempts to stifle its activity by dramatically increasing the number of domain names used to call home for fresh instructions.
Conficker uses a system of programmatically-determined and time-dependent domain names in an attempt to ensure that an infected machine can reconnect with a control server.
Malware such as Conficker uses control servers to deliver fresh instructions and updated software to the systems in its botnet.
Earlier versions of Conficker generated 250 possible domain names per day and attempted to contact all of them. An informal group led by Microsoft and involving domain registrars, security companies and others has been registering these domains before the people behind Conficker can.
The latest version generates 50,000 domain names per day, though any particular instance makes a random selection of 500 names from that list and attempts to contact servers with those addresses.
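To make the preregistration race concrete, here is an added example (not code from the article and not Conficker's own algorithm, which the article does not describe; the SHA-256 construction, the secret seed, the TLD list and the label-length rule are assumptions) of a date-seeded domain generation algorithm, a bot's random draw of 500 names from the daily list, and the defender's side, which has to cover the whole list because any bot may draw any of its names:

```python
import hashlib
import random

# Illustrative DGA only. The SHA-256 construction, the secret seed, the TLD list and
# the 8..12-letter label rule are assumptions made for this example; the article does
# not describe Conficker's actual algorithm and this is not it.
TLDS = ["com", "net", "org", "info", "biz"]


def generate_domains(day: str, count: int, secret: bytes = b"example-seed") -> list:
    """Return `count` deterministic domain names for `day` (an ISO date, "YYYY-MM-DD").

    Each name is derived from SHA-256(secret || day || index). Anyone who has pulled
    `secret` and the construction out of a malware sample can reproduce the full list
    for any future date, which is what lets defenders register or sinkhole the names
    before the operators do.
    """
    names = []
    for i in range(count):
        digest = hashlib.sha256(secret + day.encode() + i.to_bytes(4, "big")).digest()
        length = 8 + digest[0] % 5                              # label of 8..12 letters
        label = "".join(chr(ord("a") + b % 26) for b in digest[1:1 + length])
        names.append(f"{label}.{TLDS[digest[-1] % len(TLDS)]}")
    return names


def bot_contact_list(day: str, per_day: int = 50000, tries: int = 500, seed=None) -> list:
    """Model the revised behaviour: each infected host draws its own random subset of
    `tries` names from the full daily list of `per_day` candidates."""
    return random.Random(seed).sample(generate_domains(day, per_day), tries)


def defender_block_list(day: str, per_day: int) -> set:
    """The defender's side. Because any bot may draw any of the day's names, being sure
    that no bot reaches a live control server means taking all `per_day` of them."""
    return set(generate_domains(day, per_day))


if __name__ == "__main__":
    day = "2009-03-13"
    print("old scheme: defender must cover", len(defender_block_list(day, 250)), "names for", day)
    print("new scheme: defender must cover", len(defender_block_list(day, 50000)), "names for", day)
    sample = bot_contact_list(day, seed=1)
    print("one bot tries only", len(sample), "of them, e.g.", sample[:3])
```

The asymmetry is the whole point of the change: the operators need to register only a handful of the day's names, while a defender who wants to be certain has to take all of them, and that cost went from 250 registrations a day to 50,000.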
It also takes steps to conceal its activity. Where the original Conficker issued DNS queries at five-second intervals, the revised malware waits a random period between 10 and 50 seconds. The absence of a simple pattern makes it less likely that the activity will be detected by automated tools.
In addition, the changes mean that Conficker now only makes up to 500 DNS queries per day compared with the previous 3000.
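As an added example, not from the article, here is detection logic run over a constructed resolver log (the log format, the hosts and the thresholds are assumptions): a detector that keys on a fixed query interval catches the original five-second behaviour and misses the jittered one, while a detector that counts distinct non-existent names per client catches both, because the randomised delay changes when the lookups happen, not how many of them fail.

```python
import random
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample log in a simplified resolver-log format (example data, not a
# real capture): "<ISO timestamp> client <ip> query <name> rcode <RCODE>".
LINE_RE = re.compile(r"^(\S+) client (\S+) query (\S+) rcode (\S+)$")


def make_sample_log(seed: int = 1) -> list:
    rng = random.Random(seed)
    start = datetime(2009, 3, 13, 0, 0, 0)
    lines = []
    # Host A mimics the original behaviour: one lookup exactly every 5 seconds.
    t = start
    for i in range(60):
        lines.append(f"{t.isoformat()} client 10.0.0.5 query old{i:03d}.example rcode NXDOMAIN")
        t += timedelta(seconds=5)
    # Host B mimics the revised behaviour: a random 10..50 second pause between lookups.
    t = start
    for i in range(60):
        lines.append(f"{t.isoformat()} client 10.0.0.6 query new{i:03d}.example rcode NXDOMAIN")
        t += timedelta(seconds=rng.randint(10, 50))
    # Host C is an ordinary client with a few successful lookups.
    t = start
    for name in ("www.example.org", "mail.example.org", "cdn.example.net", "www.example.org"):
        lines.append(f"{t.isoformat()} client 10.0.0.7 query {name} rcode NOERROR")
        t += timedelta(seconds=rng.randint(1, 600))
    return sorted(lines)  # ISO timestamps sort chronologically as strings


def parse(lines):
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            ts, client, name, rcode = m.groups()
            yield datetime.fromisoformat(ts), client, name, rcode


def fixed_interval_detector(lines, min_queries: int = 20, regularity: float = 0.8) -> set:
    """Flag clients whose lookups arrive at a near-constant interval.
    Catches the original 5-second beacon, misses the jittered version."""
    times = defaultdict(list)
    for ts, client, _, _ in parse(lines):
        times[client].append(ts)
    flagged = set()
    for client, stamps in times.items():
        if len(stamps) < min_queries:
            continue
        deltas = [round((b - a).total_seconds()) for a, b in zip(stamps, stamps[1:])]
        _, most_common = Counter(deltas).most_common(1)[0]
        if most_common / len(deltas) >= regularity:
            flagged.add(client)
    return flagged


def nxdomain_volume_detector(lines, threshold: int = 50) -> set:
    """Flag clients that resolve many distinct names that do not exist.
    Timing plays no part here, so the 10..50 s jitter buys the malware nothing."""
    failed = defaultdict(set)
    for _, client, name, rcode in parse(lines):
        if rcode == "NXDOMAIN":
            failed[client].add(name)
    return {c for c, names in failed.items() if len(names) >= threshold}


if __name__ == "__main__":
    log = make_sample_log()
    print("fixed-interval detector flags:", sorted(fixed_interval_detector(log)))
    print("NXDOMAIN-volume detector flags:", sorted(nxdomain_volume_detector(log)))
```

The volume detector works because almost every generated name is unregistered and so returns NXDOMAIN; a client that fails to resolve hundreds of distinct names in a day stands out regardless of how the lookups are spaced, and the new 500-per-day ceiling is still far above what an ordinary host produces.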
What about the collateral damage done to domains that happen to match the names generated by Conficker? See page 2.