Several registries are taking measures against the Conficker C virus. The virus is programmed to try to contact its creator through constantly changing domain names under 110 ccTLDs (country code Top Level Domains). With the previous version of the virus we were talking about 250 domain names per day; with the new C variant we’re talking about 50,000 domain names per day. Meanwhile a list of the domain names the virus might possibly use has been compiled.
This list could be compiled because researchers worked out which algorithm the virus uses to contact its creator every day. Every domain name the virus generates is derived in some way from the date on which it is used. In the simplest example the virus would try to visit 1april2009.be on April 1st. The creator of the virus could register that domain name and leave a message there with further instructions for the virus. Of course, it isn’t that simple, but by analysing the underlying mathematics a pattern was discovered in the names the virus will try to contact. That is how the list was compiled.
The Conficker virus itself works like a two-stage rocket. The first stage has installed itself worldwide on many Windows machines that are still exposed to a critical vulnerability because the patch of October 2008 was never applied. The second stage, of which it isn’t exactly clear how it works, is expected around April 1st. The information available so far indicates that a kind of signed code would be placed on websites. This would enable the virus to spread further or activate other malicious functions.
So now what? To prevent problems, several registries, including the .nl, .be, .ca and .co.uk registries, are already performing extra checks whenever someone registers a name that also appears on the Conficker C list.
SIDN (.nl registry) and Nominet (.co.uk registry) are taking approximately the same measures. If one of the names on the list is registered, the application will be checked manually by the registry. If the application is considered ‘suspicious’ the registrar will be contacted to have a closer look.
CIRA (.ca registry) is already isolating all the names that could possibly be used by the virus within the next 12 months. Names that appear on the list and may already have been registered will be checked further.
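To make the two ideas above concrete, the date-derived name list and the registry-side check against it, here is a small added example. It is not Conficker’s real algorithm and not the code of any of the registries named here: the generator is a deliberately simple stand-in that seeds a hash with the date, and the TLD set, the number of names per day, the label length and the sample dates are all constructed for the illustration. What it does show is why a list can be precomputed for any date range and how a registry can hold a registration request whose name is on that list.

```python
"""Toy date-seeded domain list plus a registry-side watchlist check.

Added example; not Conficker's algorithm and not any registry's own code.
The generator is intentionally simple: its only input is the calendar date,
which is exactly the property that lets a registry compute the names ahead
of time and screen incoming registrations against them.
"""
from __future__ import annotations

import hashlib
from datetime import date, timedelta

# Constructed parameters for the illustration (not taken from the post).
TLDS = ("be", "nl", "ca", "co.uk")
NAMES_PER_DAY = 5        # the real C variant used far more; kept small for readability
LABEL_LENGTH = 8
ALPHABET = "abcdefghijklmnopqrstuvwxyz"


def _as_date(day: date | str) -> date:
    """Accept either a date object or an ISO string such as '2009-04-01'."""
    return day if isinstance(day, date) else date.fromisoformat(day)


def names_for_date(day: date | str) -> list[str]:
    """Derive the candidate domain names for one calendar day.

    Because the date is the only input, anyone who knows the function can
    reproduce the same list in advance: that is what makes a watchlist possible.
    """
    day = _as_date(day)
    names = []
    for i in range(NAMES_PER_DAY):
        seed = f"{day.isoformat()}:{i}".encode()
        digest = hashlib.sha256(seed).digest()
        label = "".join(ALPHABET[b % len(ALPHABET)] for b in digest[:LABEL_LENGTH])
        tld = TLDS[digest[LABEL_LENGTH] % len(TLDS)]
        names.append(f"{label}.{tld}")
    return names


def build_watchlist(start: date | str, days: int) -> dict[str, str]:
    """Precompute every candidate name for `days` days starting at `start`.

    Maps each name to the ISO date on which it would be used, so a reviewer
    can see why a particular registration request was held.
    """
    start = _as_date(start)
    watch: dict[str, str] = {}
    for offset in range(days):
        day = start + timedelta(days=offset)
        for name in names_for_date(day):
            watch[name] = day.isoformat()
    return watch


def screen_registration(name: str, watch: dict[str, str]) -> dict:
    """Registry-side check: hold a request whose name is on the watchlist.

    Names are normalised (lower case, trailing dot removed) before lookup so
    that 'EXAMPLE.BE.' and 'example.be' are treated as the same name.
    """
    key = name.strip().lower().rstrip(".")
    if key in watch:
        return {"name": key, "hold": True, "reason": f"on watchlist for {watch[key]}"}
    return {"name": key, "hold": False, "reason": ""}


if __name__ == "__main__":
    # Twelve months of names from the expected activation date, as CIRA does.
    watch = build_watchlist("2009-04-01", 365)
    sample = names_for_date("2009-04-01")[0]
    print(screen_registration(sample, watch))        # held for manual review
    print(screen_registration("example.be", watch))  # not on the list, passes
```

The manual step the registries describe (a human looking at a held application and contacting the registrar) sits outside the code: `screen_registration` only decides whether a request needs that look, and records the date that explains why.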
Next week, DNS.be (.be registry) will give more information about the measures they’re taking to combat the virus.
This post was written by lieve on March 26, 2009