Why Web Site Security Matters to Us All
For the past several months, some of the sharpest minds in the security community have teamed up to block cyber criminals from wresting control over what may be one of the largest armies of hacked computers ever built. While those efforts are ongoing and so far appear effective, all of that work could be undone thanks to the lax security of a single Web site.
The scourge in question is the Conficker worm, a contagion that has infected tens of millions of Microsoft Windows machines since its birth in November. Experts figured out early on that Conficker was a two-stage threat because it tells infected systems to contact a list of 250 different domain names each day. If just one of those domains is registered by the virus writer, the thinking goes, it could be used to download an as-yet unknown secondary component to all infected systems, such as malicious software or spamming instructions.
As a result, this so-called Conficker Cabal of researchers and policymakers set about registering or otherwise reserving those domains that the Conficker-infected systems will seek for several months into the future, thereby preventing the Conficker authors from updating infected systems with the real payload.
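The arithmetic behind that pre-registration strategy is worth seeing in code. The following is an added example, not code from the post or from the Conficker Cabal: every infected host derives the same daily list of candidate domains from the date, so a defender who controls every name on that day's list denies the update channel for that day, while any name left to a third party or unregistered remains a gap. The generator below is a constructed stand-in (SHA-256 over a made-up seed, the date and an index), not Conficker's actual algorithm, and the top-level-domain list and the registration budget are assumptions; only the 250-per-day and 50,000-per-day figures come from the post.

```python
"""Sinkhole-coverage calculator for a date-seeded domain list.

Constructed example: the generator is NOT Conficker's domain-generation
algorithm. It only shares the property the post describes, namely that the
daily candidate list is a deterministic function of the date, so defenders
who pre-register the whole list block that day's update channel.
"""
import hashlib
import string
from datetime import date

TLDS = (".com", ".net", ".org")   # assumption, not the worm's real TLD set
ALPHABET = string.ascii_lowercase


def daily_domains(day, count, seed=b"constructed-seed"):
    """Derive `count` candidate domain names for `day` deterministically.

    Every host that shares `seed` (here a constructed constant) produces the
    same list for the same date, which is what lets a defender enumerate the
    names ahead of time.
    """
    names = []
    for i in range(count):
        material = seed + day.isoformat().encode() + i.to_bytes(4, "big")
        digest = hashlib.sha256(material).digest()
        length = 5 + digest[0] % 6                     # labels of 5..10 chars
        label = "".join(ALPHABET[b % 26] for b in digest[1:1 + length])
        names.append(label + TLDS[digest[11] % len(TLDS)])
    return names


def coverage_report(candidates, sinkholed, third_party):
    """Classify a day's candidates from the defender's point of view.

    sinkholed   -- names the defenders registered or otherwise control
    third_party -- names already held by uninvolved registrants (the
                   wnsux.com situation): not blocked, only as safe as that
                   registrant's own web-site security
    Anything else is still open for anyone, including the worm's authors,
    to register.
    """
    blocked = [d for d in candidates if d in sinkholed]
    third = [d for d in candidates if d in third_party and d not in sinkholed]
    open_ = [d for d in candidates
             if d not in sinkholed and d not in third_party]
    return {
        "blocked": blocked,
        "third_party": third,
        "open": open_,
        "fraction_blocked": len(blocked) / len(candidates),
    }


def budget_comparison(day, budget):
    """Fraction of the daily list a fixed registration budget covers when the
    list is 250 names long versus 50,000 (the figures from the post)."""
    out = {}
    for count in (250, 50000):
        cands = daily_domains(day, count)
        # Assumption: defenders register the first `budget` names they can.
        report = coverage_report(cands, set(cands[:budget]), set())
        out[count] = report["fraction_blocked"]
    return out


if __name__ == "__main__":
    day = date(2009, 3, 13)                 # the date mentioned in the post
    cands = daily_domains(day, 250)
    # Constructed scenario: defenders hold 248 names, one is a legitimate
    # business's domain, one is still unregistered.
    report = coverage_report(cands, set(cands[:248]), {cands[248]})
    print(f"{day}: blocked {len(report['blocked'])}/250, "
          f"third-party {report['third_party']}, open {report['open']}")
    for count, frac in budget_comparison(day, 248).items():
        print(f"{count:>6} names/day, budget 248: {frac:.3%} blocked")
```

The last loop is the point of the post's update: the same registration effort that covers essentially all of a 250-name list covers well under one percent of a 50,000-name list, which is why the defenders' attention shifts to the security of the domains they cannot hold themselves.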
Still, the cabal couldn't register all of those domains. In fact, many of them happen to have already been registered by (apparently legitimate) individuals or businesses. I bring this up because earlier this week, experts began raising the alarm that millions of Conficker-infected systems on March 13 would begin seeking updates from wnsux.com, a domain owned by Southwest Airlines. As speculation began to swirl around whether this might create problems for Southwest's Internet servers, the airline opted for the simple approach: effectively closing down the domain, if only temporarily.
But this scenario will play out many more times over the lifespan of this malware family, and experts expect it to remain a threat for years to come. Just because these domains are already registered or in use by seemingly legitimate businesses and individuals doesn't mean those domains are useless to the criminals looking to regain control over millions of Conficker-infested systems.
The reality is that those crooks would need only to find a single security hole in the software used to power those Web sites. At that point, they could then plant the update and the special encryption key needed to trigger that update in Conficker-infected systems that visit the site on the appointed day.
Hopefully, the cabal will continue to reach out to the owners of the domains that are already registered and ensure that any security holes are sewn up before those sites are sought out by the Conficker botnet. To me, this illustrates how vital it is that all Internet users -- even those who operate seemingly obscure Web sites -- understand the role they can play in helping to keep the Internet out of the hands of the bad guys.
Update, Mar. 8, 5:46 p.m. ET: As many in the security community have feared for some time now, a new version of Conficker has been detected that tells infected systems to seek updates from not just 250 potential domains but 50,000 different domains each day. More on this variant from Symantec.
March 6, 2009; 11:06 AM ET