Friday, 13 March 2009 11:18

Conficker update calls home more stealthily

A new version of the Conficker (aka Downadup) worm is working around attempts to stifle its activity by dramatically increasing the number of domain names used to call home for fresh instructions.

Conficker uses a system of programmatically-determined and time-dependent domain names in an attempt to ensure that an infected machine can reconnect with a control server.

Malware such as Conficker uses control servers to provide fresh instructions and updated software to systems in the botnets.

Earlier versions of Conficker generated 250 possible domain names per day, and attempted to contact all of them. An informal group led by Microsoft and involving domain registrars, security companies and others has been taking up these domains before the people behind Conficker can register them.

The latest version generates 50,000 domain names per day, though any particular instance makes a random selection of 500 names from that list and attempts to contact servers with those addresses.

It also takes steps to conceal its activity. Where the original Conficker issued DNS queries at five-second intervals, the revised malware waits a random period between 10 and 50 seconds. The absence of a simple pattern makes it less likely that the activity will be detected by automated tools.

In addition, the changes mean that Conficker now only makes up to 500 DNS queries per day compared with the previous 3000.
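An added example (not from the article or from any Conficker analysis) of why the timing change matters to detection: a rule that looks for near-constant spacing flags the five-second pattern but misses random waits of 10 to 50 seconds, while a rule that checks whether the gaps stay inside that window catches them. The log records, client addresses, domain names, thresholds and the choice to look only at NXDOMAIN answers are assumptions made for illustration.

```python
import random
import statistics
from collections import defaultdict

def fixed_interval(g, tolerance=0.5):
    """Naive beacon rule: spacing is near-constant (e.g. every five seconds)."""
    return statistics.pstdev(g) <= tolerance

def bounded_jitter(g, low=10, high=50, share=0.9):
    """Jitter-tolerant rule: most gaps fall inside the 10-50 second window."""
    return sum(low <= x <= high for x in g) / len(g) >= share

def classify(records, min_failed=20):
    """Label each client from the timing of its failed (NXDOMAIN) lookups."""
    failed = defaultdict(dict)             # client -> {qname: first time seen}
    for ts, client, qname, rcode in records:
        if rcode == "NXDOMAIN":            # assumption: generated names rarely resolve
            failed[client].setdefault(qname, ts)
    labels = {client: "none" for _, client, _, _ in records}
    for client, names in failed.items():
        if len(names) < min_failed:        # a handful of typos is normal
            continue
        ts = sorted(names.values())
        g = [b - a for a, b in zip(ts, ts[1:])]   # seconds between lookups
        if fixed_interval(g):
            labels[client] = "fixed-interval"
        elif bounded_jitter(g):
            labels[client] = "bounded-jitter"
    return labels

def sample_log(seed=1):
    """Constructed DNS log: (epoch seconds, client, qname, rcode)."""
    rng, log = random.Random(seed), []
    t_old = t_new = t_ok = 0.0
    for i in range(60):
        log.append((t_old, "10.0.0.5", f"old{i}.example", "NXDOMAIN"))
        t_old += 5                         # original behaviour: every five seconds
        log.append((t_new, "10.0.0.6", f"new{i}.example", "NXDOMAIN"))
        t_new += rng.uniform(10, 50)       # revised behaviour: random 10-50 s wait
        log.append((t_ok, "10.0.0.7", f"site{i % 8}.example", "NOERROR"))
        t_ok += rng.uniform(1, 600)        # ordinary browsing
    log += [(100.0 + i, "10.0.0.7", f"typo{i}.example", "NXDOMAIN") for i in range(3)]
    return log

if __name__ == "__main__":
    print(classify(sample_log()))
```
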


Once a Conficker instance manages to contact a control server and download fresh instructions, it waits three days before trying to call home again.

So while there's less chance of a particular instance contacting a server on a given day, there's presumably a greater chance that it will succeed in calling home before it is removed from the host system - unless the anti-Conficker forces are able to take all 50,000 domains out of the available pool each day.

Mike Wood of security software specialist Sophos's Canadian operation has pointed out that a side effect of the change is that it should cause less collateral damage.

Sophos previously warned that some of the domains generated by Conficker correspond to genuine web sites that could be overloaded by millions of requests from infected PCs.

But with around 3 million Conficker infections, and each instance querying only 500 of the 50,000 names, only 30,000 or so will try to contact any particular domain.

Wood says that would only mean an extra 21 requests per minute, and "If your site cannot handle that level of additional traffic, you might be in the wrong business."

Researchers at SRI International's Computer Science Laboratory said they have not "seen such a broad spectrum of antivirus tools do such a consistently poor job at detecting malware binary variants [of Conficker] since the Storm outbreak of 2007."




Stephen Withers


Stephen Withers is one of Australia's most experienced IT journalists, having begun his career in the days of 8-bit 'microcomputers'. He covers the gamut from gadgets to enterprise systems. In previous lives he has been an academic, a systems programmer, an IT support manager, and an online services manager. Stephen holds an honours degree in Management Sciences and a PhD in Industrial and Business Studies.


