Conficker to disrupt legitimate domains in March
The Conficker worm will be disrupting at least four legitimate domains in March, according to a report from Sophos. Although the action taken last month by ICANN, Microsoft and many others to stop Conficker calling home is blocking domains that were unregistered, there are a number of legitimate domains that will, for one day at least, be called "home" by the worm. On those days, all the instances of the worm in the wild will attempt to connect to these domains, looking for new instructions or code, which could result in a denial of service for the owners and users of the legitimate sites.
On March 8th, jogli.com (Big Web Great Music) will be called "home" by Conficker, followed by wnsux.com (Southwest Airlines) on the 13th, qhflh.com (Women's Net in Qinghai Province) on the 18th and praat.org (Praat: doing phonetics by computer) on the 31st. The Sophos report notes that other less frequented domains are also in Conficker's path. The report suggests that sites which are on the list either stop resolving their domain name on the date or filter the HTTP query that Conficker uses (http://<domainname>/search?q=<N>). The former option requires that the site already has an alternative domain name in place, so Southwest Airlines could just use southwest.com. The latter option only works if the site does not already have a search page mapped to /search and has a filtering mechanism which could take the expected load.
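To make the filtering option concrete, here is an added example (not code from the Sophos report or from the article) of a log triage routine that separates requests matching the Conficker beacon shape, `GET /search?q=<N>`, from ordinary traffic. It assumes `<N>` is a plain integer, that the request is a GET with `q` as the only query parameter, and that the web server writes Common Log Format; the sample log lines below are constructed for the example and use documentation IP ranges.

```python
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# Shape of the query the article describes: http://<domainname>/search?q=<N>
# Assumption: <N> is a bare integer, so anything else in q is treated as legitimate.
_BEACON_VALUE = re.compile(r"^\d+$")

# Common Log Format, e.g.
#   192.0.2.10 - - [13/Mar/2009:00:00:03 +0000] "GET /search?q=37 HTTP/1.1" 404 169
_CLF = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)


def is_conficker_beacon(method: str, target: str) -> bool:
    """True when the request matches GET /search?q=<integer> and nothing else.

    A legitimate search page normally sees free-text queries or extra
    parameters, so requiring exactly one numeric q keeps such traffic out
    of the filter.
    """
    if method != "GET":
        return False
    parts = urlsplit(target)  # works for both "/search?q=1" and absolute URLs
    if parts.path != "/search":
        return False
    query = parse_qs(parts.query, keep_blank_values=True)
    if set(query) != {"q"} or len(query["q"]) != 1:
        return False
    return bool(_BEACON_VALUE.match(query["q"][0]))


def parse_log_line(line: str):
    """Return the CLF fields as a dict, or None for lines that do not parse."""
    match = _CLF.match(line)
    return match.groupdict() if match else None


def triage(lines):
    """Split parsed log records into (beacons, legitimate)."""
    beacons, legitimate = [], []
    for line in lines:
        record = parse_log_line(line)
        if record is None:
            continue  # skip malformed lines rather than guessing
        if is_conficker_beacon(record["method"], record["target"]):
            beacons.append(record)
        else:
            legitimate.append(record)
    return beacons, legitimate


def beacon_sources(lines) -> Counter:
    """Count beacon hits per source address, a rough view of the expected load."""
    beacons, _ = triage(lines)
    return Counter(record["ip"] for record in beacons)


# Constructed sample log for a site on the list (not real traffic).
SAMPLE_LOG = [
    '192.0.2.10 - - [13/Mar/2009:00:00:03 +0000] "GET /search?q=37 HTTP/1.1" 404 169',
    '192.0.2.11 - - [13/Mar/2009:00:00:04 +0000] "GET /search?q=2 HTTP/1.1" 404 169',
    '198.51.100.7 - - [13/Mar/2009:00:00:05 +0000] "GET /search?q=cheap+flights HTTP/1.1" 200 5120',
    '198.51.100.8 - - [13/Mar/2009:00:00:06 +0000] "GET /index.html HTTP/1.1" 200 2048',
    '192.0.2.10 - - [13/Mar/2009:00:00:07 +0000] "GET /search?q=37 HTTP/1.0" 404 169',
    'garbage line that does not parse',
]

if __name__ == "__main__":
    found, other = triage(SAMPLE_LOG)
    print(f"beacons: {len(found)}, legitimate: {len(other)}")
    for ip, hits in beacon_sources(SAMPLE_LOG).most_common():
        print(f"  {ip}: {hits} beacon request(s)")
```

The same predicate can be moved in front of the application (as a reverse-proxy rule that returns an empty response for matching requests) once the log analysis confirms that real users of the site never issue a bare numeric `q`; the caveat from the article still applies, since whatever answers those requests has to absorb the full volume.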
Microsoft, ICANN and the other companies involved in blocking Conficker, also known as the Conficker Cabal, have been registering all the unregistered domains in the path of Conficker's domain generation algorithm. However, SophosLabs notes there are a number of domains in Conficker's path which are already registered, parked and available for sale. The Cabal cannot easily move to block these domains as they are already registered to a third party.