Yesterday, the Conficker.c Windows worm was scheduled to change its behavior - and this family of malware did so. The worm now uses a list of 50,000 domains to check for new command-and-control instructions. Conficker didn’t crack the Internet in half, but the publicity about this worm has caused more users and system administrators to check and patch their computers. PC World’s article by Ian Paul titled Conficker D-Day Arrives: Worm Phones Home (Quietly) has more details.
One challenge is that this expanded list of domains includes valid web sites that have been hacked. When Conficker.c attacks a computer, it also attempts to edit that computer's hosts file, which is usually empty on residential computers. The hosts file is a leftover from the old days of the Internet - before the Domain Name System (DNS) existed, each computer had to have a complete list of addresses that it could contact. Today, computers still check the hosts file first to see if a domain name is listed there. It's used as a shortcut, since a DNS lookup takes longer to complete than a local file check.
Conficker.c fills the hosts file with entries for major antivirus and software companies. These entries send requests for those names to other addresses instead of the real sites, blocking the user from downloading or running software to remove the malware infection. Simply blocking the Conficker domains isn't appropriate, as some of these domains may be fixed soon. It's also possible that some of these domains have nothing to do with Conficker at all. Of course, Conficker may update its list on a regular basis, in an effort to evade blocks.
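Since a tampered hosts file is the symptom the two paragraphs above describe, here is a small checker that parses a hosts file and flags any entry pinning a security-vendor name to a fixed address. This is an added example, not code from the original post; the vendor names (all under the reserved .example domain) and the sample hosts file are constructed, not Conficker's actual target list, and the watchlist would be replaced with the domains of the vendors you actually rely on.

```python
"""Check a hosts file for entries that override DNS for security-vendor names.

Added example; not from the original post. The vendor names below are
constructed placeholders (.example), not Conficker's real target list.
"""
from dataclasses import dataclass
import ipaddress
import platform

# Constructed watchlist: names that should resolve through DNS, never via the hosts file.
WATCHED_DOMAINS = (
    "antivirus-vendor.example",
    "patch-vendor.example",
    "security-tool.example",
)

# Addresses that silently black-hole a name rather than redirecting it elsewhere.
SINKHOLE_ADDRESSES = {"127.0.0.1", "0.0.0.0", "::1"}

# Constructed sample resembling a tampered Windows hosts file.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
127.0.0.1       update.antivirus-vendor.example   # black-holed
198.51.100.23   www.patch-vendor.example          # redirected elsewhere
10.0.0.5        intranet.corp.example             # legitimate local override
"""


@dataclass
class HostsEntry:
    line_no: int
    address: str
    names: tuple


@dataclass
class Finding:
    line_no: int
    name: str
    address: str
    kind: str  # "sinkhole" or "redirect"


def default_hosts_path():
    """Return the conventional hosts file location for the running OS."""
    if platform.system() == "Windows":
        return r"C:\Windows\System32\drivers\etc\hosts"
    return "/etc/hosts"


def parse_hosts(text):
    """Parse hosts-file text into entries, skipping comments and malformed lines."""
    entries = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue
        try:
            ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # first field is not an address; ignore rather than guess
        entries.append(HostsEntry(line_no, parts[0], tuple(n.lower() for n in parts[1:])))
    return entries


def is_watched(name, watched=WATCHED_DOMAINS):
    """True if name is a watched domain or any subdomain of one."""
    return any(name == w or name.endswith("." + w) for w in watched)


def find_hijacks(entries, watched=WATCHED_DOMAINS):
    """Flag every entry that pins a watched name to a fixed address."""
    findings = []
    for e in entries:
        for name in e.names:
            if is_watched(name, watched):
                kind = "sinkhole" if e.address in SINKHOLE_ADDRESSES else "redirect"
                findings.append(Finding(e.line_no, name, e.address, kind))
    return findings


def scan_file(path=None, watched=WATCHED_DOMAINS):
    """Scan the live hosts file (or a given path) and return findings."""
    with open(path or default_hosts_path(), encoding="utf-8", errors="replace") as fh:
        return find_hijacks(parse_hosts(fh.read()), watched)


if __name__ == "__main__":
    # Run against the constructed sample; use scan_file() for the real file.
    for f in find_hijacks(parse_hosts(SAMPLE_HOSTS)):
        print(f"line {f.line_no}: {f.name} -> {f.address} ({f.kind})")
```

Run against the sample, the checker reports the black-holed vendor name and the one redirected to an outside address while leaving the legitimate intranet override alone. Distinguishing "sinkhole" from "redirect" matters for response: a loopback entry just breaks updates, whereas an entry pointing at an outside address may be steering users to a site the attacker controls.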
Fighting back
OpenDNS is reporting at least 300 Conficker connection attempts per second on its domain name system. According to their analysis, computers in the US aren't making most of these requests. The traffic is coming from Vietnam, Brazil, the Philippines, Indonesia and Algeria - countries where broadband Internet service is available and software piracy is rampant. Pirated software usually doesn't include a valid license for downloading or applying the updates and patches that can stop malware infections.
As I mentioned in my previous articles, OpenDNS is a free service that, among other benefits, has been blocking Conficker and other malware for a few months now. With a free OpenDNS account, it’s very easy to see if your computers have been trying to access Conficker or malware domains.
See Neil Rubenking’s article called OpenDNS: title and the OpenDNS blog article titled Do you have Conficker? Find out in your OpenDNS account for more details.
Rubenking has another article (How to Tell if ‘Conficker’ Caught You, and What to Do) with links to a few tips and tests if you’re worried about Conficker.
One of these links is the Conficker Eye Chart, a page that residential users can load for a very quick scan of their system. The page tries to load images from servers that Conficker usually blocks. If some of the images won’t load, you’ve either got connection problems or a malware infection. If none of the images load, you may have turned off images in your browser - a time-honored trick for increasing browser speed. The test is not fool-proof, especially if you’re using a corporate or university network. This test doesn’t work if you’re using a proxy server.
Image courtesy of Oran Viriyincy through a Creative Commons license.
Related posts and pages on billso.com
- OpenDNS
- 28 March 2009: More about the Conficker/Downadup worm
- 24 March 2009: I'm on the Andy Bumatai show discussing the Conficker/Downadup worm
- 25 July 2008: Fixing the DNS security hole
- 15 January 2008: OpenDNS update
- 13 July 2007: Speed up your broadband connection with OpenDNS