- GlobalFluency went on to offer an interview with an expert from a computer security firm that markets anti-virus software.
- Conficker's true potential for damage and destruction is simply not known.
- A detailed background of the Conficker worm: how it operates, signs of infection, and how to remove it.
- The virus then starts finding ways to spread through local networks using brute-force techniques. Although the worm does not cause specific damage to your system. a fact that the Conficker worm has been designed to.
- Conficker; aliases: Mal/Conficker-A, Win32/Conficker.A, W32.Downadup, W32/Downadup.A. The virus then attempts an HTTP connection to each domain name in turn, expecting from any of them a signed payload.
- Read details on the Conficker worm infection and how to use our free Conficker removal tool to remove the Conficker worm from your computer.
- About ways to deal with the Conficker virus. The release left millions of untagged machines infected with Conficker around the world, but no damage was done to them.
- Conficker is now parading as an anti-virus program called Spyware Protect 2009. The worm takes users to a fake security Web site, asks them to pay $50 for a spyware program that actually is the Conficker worm, then keeps your.

Conficker Collateral Damage for March 2009
Naked Security

If you have a flight booked with Southwest Airlines on Friday March 13. Conficker worm will be calling it home. To clarify, before outright blocking the 7. Conficker call-home domains for the month of March, I dug into the giant list to see if the deterministic domain generation algorithm hit any existing non-malicious domains. And good thing I did — on March 13, Conficker will be contacting wnsux.com
(Southwest Airlines) redirects to.

A legitimate domain that happens to make it into the Conficker call-home list is a problem for two reasons. First, without proper investigation, it may end up on a blocklist, preventing users from accessing its services. Second, the millions of Conficker-infected machines contacting the domain on its given day may overload the site and essentially result in a denial-of-service attack.

Digging through 7. Since we are still in February, I narrowed my search to domains that are currently active (ones that resolve to an IP address). A bit surprisingly, this only trimmed the search to 3. However, with a little grep-cut-sort-uniq magic, these +3. IP addresses. Moreover, only a handful of these IPs make up the (c)overt operation of collaborating ISPs and network management organizations to thwart Conficker by pre-registering these call-home domains — a total of 3. IPs. That leaves a mere 28. I can handle that.

Of those 28 domains, the vast majority are names currently up for sale, which the registrar conveniently resolves to its main page suggesting that you buy them. One interesting domain up for sale is yakiimo. EUR for it — not sure yet if being one of the March 2009 Conficker domains will increase or decrease its value.

The key sites whose visitors may indeed see a disruption to their service include:

DOMAIN      DESCRIPTION                          DATE
jogli.      Big Web Great Music                  March 8
wnsux.com   Southwest Airlines                   March 13
qhflh.com   Women’s Net in Qinghai Province      March 18
praat.org   Praat: doing phonetics by computer   March 31

Other, less frequented, sites of interest that appeared in the list include “The Tennessee Dogue De Bordeaux” dog breeders’ site (tnddb., March 14) and the coy “Double Super Secret Message Board” site (dssmb., March 11) — dogs and secrets won’t be moving too well on those days. One last domain turned out to be infected with Troj/Unif-B (site not listed here for obvious reasons), so I will go ahead and block that one all the same!

As for options, the simple solution, say for Southwest Airlines, could simply be to stop resolving wnsux.com. Another option would be to filter out the Conficker HTTP requests of the form http://<domain>/search?<N>, though this requires that (a) your site does not currently use a “search” page (with no file extension) and, more importantly, (b) the filtering decision is made at a point along the network path that can cope with the load. This is a bit trickier, as HTTP is an application-layer protocol — a network connection must already be established before the two endpoints start speaking HTTP — necessitating a highly provisioned web proxy on the front lines to (1) establish the connection (TCP 3-way handshake), (2) examine the HTTP request, and (3) drop Conficker requests and pass any remaining (presumably legitimate) requests further downstream. In any case, I have contacted the owners of the domains listed above to draw their attention to this matter.
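The list triage described earlier (resolve every generated domain, keep the active ones, group them by IP address, set aside the IPs of the pre-registration operation, and hand-review the rest) as an added example in Python. This is not the post's own code or tooling; it stands in for the author's grep-cut-sort-uniq pipeline. The domain list, the address book that replaces live DNS, and the sinkhole IP set are all constructed sample data using documentation address ranges, not the March 2009 list; `live_resolver` is provided for a real run but is not called, so the example runs offline.

```python
"""Triage a generated call-home domain list for legitimate collateral.

Added example, not code from the original post. Resolve each domain, keep
the ones that currently resolve, group them by IP, drop the IPs belonging
to the known pre-registration (sinkhole) operation, and return what is
left for a human to look at. All data below is constructed.
"""
import socket
from collections import defaultdict
from typing import Callable, Dict, List, Optional, Set

# Constructed sample: made-up DGA-style names plus two names from the post.
SAMPLE_DOMAINS = [
    "qxvrtz.com", "plmkoj.net", "wnsux.com", "hgtrf.org",
    "zzrtq.com", "praat.org", "bnmkl.biz", "kjhgf.com", "oiuyt.net",
]

# Constructed address book standing in for live DNS (RFC 5737 ranges).
SAMPLE_DNS: Dict[str, str] = {
    "qxvrtz.com": "192.0.2.10",   # sinkhole (pre-registered by the operation)
    "plmkoj.net": "192.0.2.10",   # sinkhole
    "hgtrf.org": "192.0.2.10",    # sinkhole
    "zzrtq.com": "198.51.100.7",  # registrar "for sale" landing page
    "bnmkl.biz": "198.51.100.7",  # registrar "for sale" landing page
    "wnsux.com": "203.0.113.13",  # a real site that happens to be on the list
    "praat.org": "203.0.113.31",  # a real site that happens to be on the list
    # kjhgf.com and oiuyt.net do not resolve at all
}

# Constructed placeholder for the IPs of the pre-registration operation.
SAMPLE_SINKHOLE_IPS: Set[str] = {"192.0.2.10"}


def table_resolver(dns_table: Dict[str, str]) -> Callable[[str], Optional[str]]:
    """Offline resolver backed by a dict; None means the name does not resolve."""
    return lambda name: dns_table.get(name)


def live_resolver(name: str) -> Optional[str]:
    """Real DNS lookup for a production run (not called by the demo)."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def group_by_ip(domains: List[str], resolve) -> Dict[str, List[str]]:
    """Equivalent of `resolve | cut | sort | uniq -c`: active names per IP."""
    groups: Dict[str, List[str]] = defaultdict(list)
    for name in domains:
        ip = resolve(name)
        if ip:  # skip names that do not currently resolve
            groups[ip].append(name)
    return {ip: sorted(names) for ip, names in groups.items()}


def triage(domains: List[str], resolve, sinkhole_ips: Set[str]):
    """Return summary counts plus the IP groups that still need a human look."""
    groups = group_by_ip(domains, resolve)
    remaining = {ip: names for ip, names in groups.items() if ip not in sinkhole_ips}
    summary = {
        "listed": len(domains),
        "active": sum(len(n) for n in groups.values()),
        "distinct_ips": len(groups),
        "sinkhole_ips": len(groups) - len(remaining),
        "to_review": sum(len(n) for n in remaining.values()),
    }
    return summary, remaining


if __name__ == "__main__":
    summary, remaining = triage(SAMPLE_DOMAINS, table_resolver(SAMPLE_DNS), SAMPLE_SINKHOLE_IPS)
    print(summary)
    # IPs hosting many listed names are usually parking pages; a single name
    # on its own IP is the collateral case worth contacting the owner about.
    for ip, names in sorted(remaining.items(), key=lambda kv: -len(kv[1])):
        print(f"{ip:16} {len(names):3} {' '.join(names)}")
```

Swapping `table_resolver(SAMPLE_DNS)` for `live_resolver` turns this into the real check; the per-IP counts are what separate parking and sinkhole addresses (many names on one IP) from the handful of genuinely unrelated sites (one name on one IP) that the post ended up contacting.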
Time will tell whether making it onto the Conficker list will be viewed with prestige or lowliness. Perhaps stories of surviving a Conficker call-home flood will carry a badge of honor in the network operations world. I do know one thing for certain though… I’m glad sophos.

UPDATE – March 3, 2009

Good news for those air travelers on March 13: Southwest Airlines has already taken action. Looks like the simple solution works fine for them — wnsux.com no longer resolves to an IP address. And for those considering the HTTP request filtering option, a colleague was kind enough to point out that Conficker resolves the call-home domain’s IP address before making the request (thanks Bruce). Thus, the requests to be filtered will look like http://<ip-address>/search?<N>, where <ip-address> is any IP the call-home domain resolves to.
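The request-filtering option from the post, including the update's point that the worm contacts the resolved IP rather than the name, as an added example in Python. This is not the post's code and not any proxy product's configuration; it is the decision logic a front-line proxy would apply after it has already completed the TCP handshake and read the request. Assumptions: the post writes the request as http://<domain>/search?<N> (and, after the update, http://<ip-address>/search?<N>), so this example takes <N> to be a bare decimal number and should be checked against captured traffic before use; an IP-literal Host is treated as a confirming signal only. The sample requests are constructed.

```python
"""Classify HTTP requests as Conficker call-home traffic or legitimate.

Added example, not code from the original post. Drops GET requests for a
bare "/search" page whose query string is a plain number (assumed format
for <N>), passes everything else. Sample requests are constructed.
"""
import ipaddress
from typing import Dict, List, Tuple
from urllib.parse import urlsplit


def parse_request(raw: str) -> Tuple[str, str, Dict[str, str]]:
    """Split a raw HTTP/1.x request head into (method, target, headers)."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        if ":" in line:
            key, value = line.split(":", 1)
            headers[key.strip().lower()] = value.strip()
    return method, target, headers


def host_is_ip_literal(host: str) -> bool:
    """True when the Host (or absolute-form authority) is an IP, not a name."""
    host = host.strip()
    if host.startswith("["):            # [IPv6]:port
        host = host[1:host.find("]")]
    elif host.count(":") == 1:          # IPv4:port
        host = host.split(":")[0]
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def classify(raw: str) -> Tuple[str, str]:
    """Return ("drop", reason) for call-home requests, ("pass", reason) otherwise."""
    method, target, headers = parse_request(raw)
    parts = urlsplit(target)            # works for "/search?7" and absolute-form URLs
    host = parts.netloc or headers.get("host", "")
    # Post's pattern: bare /search (no file extension) with <N> as the query.
    if method == "GET" and parts.path == "/search" and parts.query.isdigit():
        if host_is_ip_literal(host):    # update: the worm resolved the name itself
            return "drop", "call-home pattern with IP-literal host"
        return "drop", "call-home pattern"
    return "pass", "no match"


def filter_requests(requests: List[str]) -> Tuple[List[str], List[str]]:
    """Proxy step (3): split requests into dropped and passed-downstream."""
    dropped: List[str] = []
    passed: List[str] = []
    for raw in requests:
        (dropped if classify(raw)[0] == "drop" else passed).append(raw)
    return dropped, passed


# Constructed sample traffic as a front-line proxy might see it.
SAMPLE_REQUESTS = [
    # Worm call-home after resolving the domain itself (per the update).
    "GET /search?7 HTTP/1.1\r\nHost: 203.0.113.13\r\n\r\n",
    # Same request in absolute form.
    "GET http://203.0.113.13/search?42 HTTP/1.0\r\n\r\n",
    # A browser using the site's real search feature: query is not a bare number.
    "GET /search?q=flights HTTP/1.1\r\nHost: wnsux.com\r\n\r\n",
    # A search page with a file extension is outside the post's pattern.
    "GET /search.php?7 HTTP/1.1\r\nHost: wnsux.com\r\n\r\n",
    # Ordinary page fetch.
    "GET / HTTP/1.1\r\nHost: wnsux.com\r\n\r\n",
]

if __name__ == "__main__":
    for raw in SAMPLE_REQUESTS:
        action, reason = classify(raw)
        print(f"{action:4}  {reason:40}  {raw.splitlines()[0]}")
```

The decision itself is cheap; what the post warns about is where it runs. Every dropped request has already cost the proxy a TCP handshake and a read, so the proxy, not the origin server, has to be sized for the call-home flood. The filter also enforces the post's condition (a) literally: a site whose own search page takes a bare numeric query would see that traffic dropped too, so confirm the exact query format from captured requests before deploying.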