The Tech Herald

Southwest Airlines targeted by Conficker Worm

by Steve Ragan - Mar 1 2009, 17:35

One of the functions within the code of the Conficker Worm is the ability to generate a list of domains to call out to and check for new code or instructions. One researcher has discovered legitimate domains being produced by that algorithm. Could this mean Conficker will trigger random Denial of Service attacks? If so, then on March 13, 2009 Southwest Airlines might see some network problems.

Southwest Airlines has been targeted, at random, by the Conficker Worm. According to a researcher from Sophos, the random URL generation function within the code has generated several domains that are legitimate, potentially exposing them to problems, possibly even a Denial of Service, when the millions of infected systems call home and connect to the same URL.

Completely self-contained, Conficker uses Google, Yahoo, Ask, and other search engines to check the date. Once the date has been obtained, a list of domains is then generated and used to either download more Malware or update the Worm itself.

"The Worm generates the domains it looks for updates [on] based on the current date. It first connects to a site to learn the current date and generates domain names based on an algorithm that takes into account the current date," BitDefender explained to The Tech Herald in an interview last month.

So far, aside from scattered reports of additional downloads of rogue anti-Virus software, Conficker has neither received updates nor updated itself using its domain auto-generation feature. There have been no reports of legitimate sites being targeted either, so if it does happen this would be a first for the Worm, which was discovered late last year.

MikeW, posting on the Sophos Blog, said that he discovered twenty-eight legitimate, working domains that Conficker will connect to. However, most of them are the “For Sale” variety, so there is little damage. The domains listed that are at risk include oraat.org (March 31), qhflh.com (March 18), jogli.com (March 8) and, on Friday March 13, 2009, wnsux.com, which belongs to Southwest Airlines.

“If you have a flight booked with Southwest Airlines on Friday March 13th, you may have difficulty checking in online… that’s when the Conficker worm will be calling it home,” Mike wrote.

“Other, less frequented, sites of interest that appeared in the list include ‘The Tennessee Dogue De Bordeaux’ dog breeders’ site (tnddb.com, March 14) and the coy ‘Double Super Secret Message Board’ site (dssmb.com, March 11)… dogs and secrets won’t be moving too well on those days,” he added.

The domain wnsux.com is maintained on the same network as Southwest.com. As you can see below, the domain points directly to the same IP range. This is because the domain was bought around 2001 by Southwest.

[Note: A Records map a hostname to an IP address of the host. PTR records are pointer records used for reverse DNS lookups. In this example the wnsux.com domain is pointed to Southwest’s servers. Traffic to that domain will forward over to the southwest.com domain.]

It appears that Southwest owns the domain to keep people from talking bad about them online, as when you visit the domain you are told, “Southwest Airlines strives to maintain a high level of Customer Service and is proud of its corporate reputation and responsiveness to its Customers. As part of that effort, Southwest wants to control the release of inaccurate and irresponsible information about the Company via the Internet.”

There are other domains on the same network, each potentially negative, but none at risk of being randomly generated by Conficker. For example, the domains ihatesouthwest.com, ihateswa.com, wnsux.net, swasux.com, swasuks.net, and southwestbytes.net all point to the same IP.

Now the question is, will Southwest or any of their customers suffer because of all that traffic? According to estimates from Friday, there are just over 2.5 million computers infected. That level of traffic could cause some issues for any website, even one built to handle high-volume traffic.

There is some good news. First, Southwest was made aware of the issue by Sophos. Moreover, the domain singled out by Sophos is also on the list of domains that Microsoft released. This means that if their administrators were already blocking traffic to the listed domains, they might have prevented issues a long time ago.
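As an added example (not from the article, Sophos, or Microsoft), here is the defender's side of the check the paragraph above describes: match resolver logs against the published date-scheduled domain list and flag hosts whose lookups follow the schedule rather than looking like a stray human visit. The domains and dates are the ones the article names; the log format and the log lines are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import date

# Scheduled domains named in the article (2009); real lists hold hundreds per day.
SCHEDULED_DOMAINS = {
    "jogli.com": date(2009, 3, 8), "dssmb.com": date(2009, 3, 11),
    "wnsux.com": date(2009, 3, 13), "tnddb.com": date(2009, 3, 14),
    "qhflh.com": date(2009, 3, 18), "oraat.org": date(2009, 3, 31),
}
# Assumed resolver log format: "<ISO date> <client> query <qname>"
LOG_LINE = re.compile(r"^(\d{4}-\d{2}-\d{2}) (\S+) query (\S+)$")
def parse_line(line):
    """Parse one log line into (date, client, normalised qname) or None."""
    m = LOG_LINE.match(line.strip())
    if not m:
        return None
    day, client, qname = m.groups()
    return date.fromisoformat(day), client, qname.rstrip(".").lower()
def find_beacons(lines, scheduled=SCHEDULED_DOMAINS):
    """Map client -> [(domain, query date, queried on its scheduled day)]."""
    hits = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        day, client, qname = parsed
        due = scheduled.get(qname)
        if due is not None:
            hits[client].append((qname, day, day == due))
    return dict(hits)
def suspected_hosts(hits, min_domains=2):
    """Clients that resolved >= min_domains listed domains on their scheduled day;
    one on-day lookup of wnsux.com may be a real visitor, a run across dates is not."""
    flagged = []
    for client, events in hits.items():
        on_day = {dom for dom, _, on_time in events if on_time}
        if len(on_day) >= min_domains:
            flagged.append(client)
    return sorted(flagged)
# Constructed sample log: 10.0.0.5 follows the schedule, 10.0.0.7 visits
# wnsux.com off-schedule, 10.0.0.9 only uses the real Southwest site.
SAMPLE_LOG = """\
2009-03-08 10.0.0.5 query jogli.com.
2009-03-11 10.0.0.5 query dssmb.com
2009-03-13 10.0.0.5 query WNSUX.COM
2009-03-13 10.0.0.9 query www.southwest.com
2009-03-02 10.0.0.7 query wnsux.com
""".splitlines()
```

Because a collision domain such as wnsux.com also receives genuine traffic, the off-schedule lookup from 10.0.0.7 is reported but not flagged; only the host whose lookups line up with the published dates is.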

The risk of Conficker’s random domain generator targeting legitimate sites is real. Some sites, like the smaller ones mentioned, as well as the servers they are hosted on, will suffer if millions of connections hit them over the span of a few hours. That much is fact.

However, there are ways to prevent damage, and most network operators have been working on this for a while now. The problem is that with the B++ variant of Conficker working to make the domain generation moot, there are larger issues to investigate.

The researchers from SRI who discovered B++ said that, “Under Conficker B++, two new paths to binary validation and execution have been introduced to Conficker drones, both of which bypass the use of Internet Rendezvous points: an extension to the netapi32.dll patch and the new named pipe backdoor. These changes suggest a desire by the Conficker's authors to move away from a reliance on Internet rendezvous points to support binary update, and toward a more direct flash approach.”

If the creators of the Worm have figured out a way to build a better mousetrap, then predicting the domains that Conficker uses is useless. What would be worse in this case would be a flash update to the B++ variants that triggered the earlier Conficker infections to update as well, with new instructions, new payloads, and an actual game plan once the infection is confirmed.

Maybe this is a nightmare scenario called Conficker C++.
