
03|24|2009 03:22 pm EDT

.UK and .CA Registries Preparing For Conficker C Worm

by Chad Kettner in Categories: Registries

According to recent reports, the Conficker C worm – a malicious program that allows a master computer to take control of “zombie” PCs – will be active again on April 1, 2009. The news has domain name registries – such as Nominet for .uk and CIRA for .ca – increasing security measures for their domain name registration process.

The original version of the virus, Conficker A, was released in late 2008 and quickly spread to over 15 million PCs. It then used 32 daily generated web addresses (out of a pool of 250 domains) as the means of communication between the master computer and the zombies and attempted to sell fake antivirus software to computer users.

While the initial infections were serious, they haven’t spawned many symptoms up to this point. However, the Conficker C worm is expected to create a much larger impact, with BBC reporting that the C variant will randomly select 500 domain servers each day from a pool of 50,000.

Nominet, the registry operator for .UK, stated in an email announcement that they are implementing an additional temporary operational step in their domain name registration process:

“As of today, it is possible that a very small number of new domain name registrations will be manually referred. In such cases registrars will not be prevented from registering the domain name, but may experience a short delay before the registration is accepted.

Although this measure will only affect a low volume of domain names we wanted to ensure that registrars are aware of the extra security step we are taking in this instance.”

Along the same lines, CIRA – the operator of the .CA registry – also announced that it is prepared to counter the Conficker C worm:

“CIRA has put in place a plan to counter this potential misuse of the dot-ca registry and to maintain its integrity as one of the most secure and robust domains in the world…

…CIRA’s efforts include pre-emptively registering and isolating previously unregistered dot-ca domain names expected to be generated over the next 12 months by Conficker C. This move, which covers the vast majority of affected names during that period, will prevent registration of those domains by undesirable actors. In the small number of cases where the domain name has already been registered, CIRA will actively investigate and monitor activities at those domains and take appropriate action if suspicious activity is detected.”

Experts are unsure as to what the worm’s author is planning to do with the virus this time around, although CNN explains that there are plenty of risks: “the program could delete all of the files on a person’s computer, use zombie PCs — those controlled by a master — to overwhelm and shut down Web sites or monitor a person’s keyboard strokes to collect private information like passwords or bank account information…[or more likely] the virus may try to get computer users to buy fake software or spend money on other phony products.”

Microsoft has issued a $250,000 bounty to catch the worm’s creator and there is a group of security researchers, “the Conficker Cabal”, searching for leads – but there is nothing concrete at this time.

[via Bill Thompson of BBC]


7 Comments

Brandon T

March 25, 2009 @ 12:17 am EDT

Do we know what this virus needs to trigger on 4/1/09? If the virus is set to go off at 4/1/09 midnight, what if Microsoft just sends a PATCH to computers to make the calendar “Skip” from March 31 to April 2nd, and then keep the date/time at April 2nd until the REAL April 2nd comes. My guess is the trigger for this worm is the date/time 04/01/09 12:00:00am….so let’s make the computers skip 04/01/09 12:00:00? Or is this worm so perfect that it would notice?

Stéphane Bortzmeyer

March 25, 2009 @ 4:19 am EDT

Brandon T: it won’t work, the Conficker worm connects first to various well-known Web servers such as yahoo.com and checks the date they announce (in the HTTP headers) so you cannot trick it.

Acro

March 27, 2009 @ 12:03 am EDT

ESET NOD32 or any other top antivirus software will take care of this. The zombie machines the worm controls are unprotected – a bad choice in today’s open Internet.

[…] Conficker C worm is expected to wreak havoc, with the BBC reporting that the new strain will randomly select 500 domain servers […]

caffeine head

March 31, 2009 @ 11:59 pm EDT

Here’s hoping that Conficker amounts to nothing more than an April Fool’s prank.

dan

April 1, 2009 @ 9:33 am EDT

If this one is an April Fools’ prank, why would the first 4 versions not be a prank? Doesn’t make sense to me. Definitely not an April Fools’ joke.

micah

April 2, 2009 @ 8:41 pm EDT

My friend’s grandmaw’s computer got hit by the Conficker worm. It is terrible! It takes everything out of your computer and it shuts your computer down permanently! Luckily McAfee will protect your computer from the Conficker worm. That is what my computer has.
