Subscribe to RSS Feed

03|24|2009 03:22 pm EDT

.UK and .CA Registries Preparing For Conficker C Worm

by Chad Kettner in Categories: Registries

According to recent reports, the Conficker C worm – a malicious program that allows a master computer to take control of “zombie” PCs – will be active again on April 1, 2009. The news has domain name registries – such as Nominet for .uk and CIRA for .ca – increasing security measures for their domain name registration process.

The original version of the virus, Conficker A, was released in late 2008 and quickly spread to over 15 million PCs. It then used 32 daily generated web addresses (out of a pool of 250 domains) as the means of communication between the master computer and the zombies and attempted to sell fake antivirus software to computer users.

While the initial infections were serious, they haven’t spawned many symptoms up to this point. However, the Conficker C worm is expected to create a much larger impact, with BBC reporting that the C variant will randomly select 500 domain servers each day from a pool of 50,000.

Nominet, the registry operator for .UK, stated in an email announcement that they are implementing an additional temporary operational step in their domain name registration process:

“As of today, it is possible that a very small number of new domain name registrations will be manually referred. In such cases registrars will not be prevented from registering the domain name, but may experience a short delay before the registration is accepted.

Although this measure will only affect a low volume of domain names we wanted to ensure that registrars are aware of the extra security step we are taking in this instance.”

Along the same lines, CIRA – the operator of the .CA registry – also announced that it is prepared to counter the Conficker C worm:

“CIRA has put in place a plan to counter this potential misuse of the dot-ca registry and to maintain its integrity as one of the most secure and robust domains in the world…

…CIRA’s efforts include pre-emptively registering and isolating previously unregistered dot-ca domain names expected to be generated over the next 12 months by Conficker C. This move, which covers the vast majority of affected names during that period, will prevent registration of those domains by undesirable actors. In the small number of cases where the domain name has already been registered, CIRA will actively investigate and monitor activities at those domains and take appropriate action if suspicious activity is detected.”

Experts are unsure as to what the worm’s author is planning to do with the virus this time around, although CNN explains that there are plenty of risks: “the program could delete all of the files on a person’s computer, use zombie PCs — those controlled by a master — to overwhelm and shut down Web sites or monitor a person’s keyboard strokes to collect private information like passwords or bank account information…[or more likely] the virus may try to get computer users to buy fake software or spend money on other phony products.”

Microsoft has issued a $250,000 bounty to catch the worm’s creator and there is a group of security researchers, “the Conficker Cabal”, searching for leads – but there is nothing concrete at this time.

[via Bill Thompson of BBC]

Tags: , , , , , , ,

Leave a Reply