Slashdot Mirror


.CA Registrar Trying To Preempt Conficker

clover kicker writes "The CBC reports that the group managing Canada's .ca internet domain is working to foil an internet worm set to attack starting April Fool's Day. 'This is the first virus that's really focused on domain names as part of propagating the virus itself,' said Byron Holland, CEO of the Canadian Internet Registration Authority, a non-profit organization that represents those who hold a .ca domain. CIRA's strategy includes pre-emptively registering and isolating previously unregistered .ca domain names that Conficker C is expected to try and generate, said a news release issued by the group. That would make those names unavailable for anyone to register in order to set up a website to host the worm's 'command and control' file. A list of the names has been predicted by security experts based on the worm's code. In addition, CIRA is investigating and monitoring activity at names on the list that have already been registered and will 'take appropriate action if suspicious activity is detected.'"

12 of 227 comments

  1. Hrm by Niris · · Score: 5, Interesting

    Am I the only one hoping this thing turns out HUGE? It'd be interesting to see what happens.

    1. Re:Hrm by toonces33 · · Score: 5, Interesting

      Yeah, until we get the phone call from someone who needs help disinfecting a Windows machine. Then it isn't quite as entertaining. I am of the opinion that the internet is dying, precisely because of stuff like this. It just gets worse and worse every year, bandwidth requirements for spam and other garbage keep climbing, and nobody has a plan for how to shut these things down once and for all.

  2. I feel left out... by erroneus · · Score: 5, Funny

    My wife runs MacOS and I have my Linux... I really wish I could get involved in the party. Will Cornfucker run under Wine?

    1. Re:I feel left out... by erroneus · · Score: 4, Funny

      Oh your elitist, mob-rule attitude is not helpful. Some of us aren't fortunate enough to be able to afford Microsoft software. The wife's Mac OS X came with her machine and my computer did come with Windows installed on it but I didn't create the restore media before my machine was trashed with malware. So instead of buying software, I got free software. It works just fine though. Well enough to post here, view all sorts of porn that would have trashed my computers again if I were running Windows, and aside from playing games and DRM media, I can do anything I ever wanted to do.

      It is only during events like those created by cornfucker that I really begin to feel left out of the party.

    2. Re:I feel left out... by roaddemon · · Score: 4, Funny

      Oh the irony: "Some of us aren't fortunate enough to be able to afford Microsoft software. The wife's Mac OS X..."

  3. Tactics? by nubsac · · Score: 4, Insightful

    It seizes to amaze me as to why they would make this public, 8 days before conficker is "supposed" to become active.

    It's like telling your enemy "Hey, I know where and when you're going to strike"

    We know it's capable of updating itself, this just gives the author an 8 day head start on writing a new pseudo random URL generator.

    1. Re:Tactics? by qengho · · Score: 4, Informative

      It seizes to amaze me as to why they would make this public, 8 days before conficker is "supposed" to become active.

      Assuming English isn't your first language: "It never ceases to amaze me" is what you meant, i.e. "I'm always surprised."

  4. April Fools!!! by gsgriffin · · Score: 5, Funny

    is all the worm pops on the screen and does. Now how much money did you spend trying to ward off this script? That will be the real joke.

    --
    jsut athnoer menagiensls ltitle psrhae for you to dcoede. Why do we wtsae our tmie dnoig tihs?

  5. Re:ugh by Plutonite · · Score: 4, Insightful

    Look, we don't hate you for what you write - it may well be true. It just has nothing to do with this story, OK? It really is offtopic. In fact I agree with a lot of what you wrote (and disagree with some twisted facts too) but I think the moderators are right modding you down to hell, and maybe banning your IP range. You are annoying people. Annoyed people don't listen. Find a forum to discuss this in a sane way and people might listen.

  6. Helps, but not much ... by kbahey · · Score: 4, Informative

    I saw the article today on CBC (Canada's equivalent of the BBC).

    This effort may help, but given that the worm has so many other TLDs to choose from, it may not help much. Making the 110 TLDs only 109 (or even 75 if other TLD authorities do the same) will not help that much.

    Moreover, there is another mechanism which is not very clear, whereby the infected nodes will contact each other via a Peer to Peer protocol. So, once the botnet gets going, the need for the domain name (so called "Internet Rendezvous points") may diminish.

    Also, the article contains some inaccuracies:

    "... expected to launch its attack once the system date on an infected machine is on or after April 1, 2009".

    Actually, the worm author(s) are aware that the user may change the clock of the PC to avoid the worm from triggering. So they query several well known sites and check the date/time on the HTTP headers to make this defense point moot. See Internet Date Checking.

    "... will try to generate and connect to 50,000 web URLs a day ..."

    It will query only 500 out of 50,000 generated domain names. See the domain generation algorithm.

    I bet there will be a revision D shortly before April 1st, and the author(s) will address many of the potential defenses in revision C.
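
A defender-side sketch of the monitoring the story and the comment above describe: given the predicted name list, flag clients that look up several of those names, and list the predicted names that already resolve. This is an added example, not part of the original thread; the log format, the names in `PREDICTED` and the `min_hits` threshold are assumptions made for illustration.

```python
from collections import defaultdict

# Constructed stand-ins for one day's predicted names (not real worm output).
PREDICTED = {"qxkzpd.ca", "mwtrlb.ca", "hbvnqy.ca", "zzploq.ca", "tyurwe.ca"}

# Constructed resolver log: timestamp, client IP, query name, response code.
SAMPLE_LOG = """\
2009-04-01T00:00:03Z 10.0.0.5 qxkzpd.ca. NXDOMAIN
2009-04-01T00:00:04Z 10.0.0.5 MWTRLB.ca. NXDOMAIN
2009-04-01T00:00:05Z 10.0.0.5 hbvnqy.ca. NOERROR
2009-04-01T00:00:09Z 10.0.0.7 cbc.ca. NOERROR
2009-04-01T00:00:11Z 10.0.0.7 zzploq.ca. NXDOMAIN
2009-04-01T00:00:12Z 10.0.0.5 qxkzpd.ca. NXDOMAIN
malformed line
2009-04-01T00:00:15Z 10.0.0.9 slashdot.org. NOERROR
"""


def scan(log_text, predicted, min_hits=3):
    """Return (suspect_clients, resolving_names).

    suspect_clients: {client: sorted predicted names it queried}, for clients
    that asked for at least min_hits distinct predicted names.
    resolving_names: predicted names that answered NOERROR, i.e. names someone
    has already registered and that a registry would want to review.
    """
    hits = defaultdict(set)
    resolving = set()
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 4:
            continue  # skip lines that do not match the assumed format
        _, client, qname, rcode = fields
        name = qname.rstrip(".").lower()  # DNS names are case-insensitive
        if name not in predicted:
            continue
        hits[client].add(name)
        if rcode == "NOERROR":
            resolving.add(name)
    suspects = {c: sorted(n) for c, n in hits.items() if len(n) >= min_hits}
    return suspects, sorted(resolving)


if __name__ == "__main__":
    suspects, resolving = scan(SAMPLE_LOG, PREDICTED)
    print("clients to check:", suspects)
    print("predicted names that resolve:", resolving)
```

Counting distinct names per client, rather than raw queries, keeps a single retried lookup from tripping the threshold.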

    1. Re:Helps, but not much ... by Dr. Cody · · Score: 5, Funny

      I saw the article today on CBC (Canada's equivalent of the BBC).

      Well, that would certainly explain the "C," wouldn't it?

  7. Seems like a futile attempt by billcopc · · Score: 4, Insightful

    It's cute that they're trying to preempt the worm, but to be effective they pretty much have to disable ALL potential domains. Miss one, and the worm will find it.

    What I don't get is how people can still be surprised/impressed/scared by these things. Today's viruses have little in common with their elegant, obfuscated ancestors. Any twit can assemble a "virus" by tapping into the OS' libraries. Today's worms are essentially package managers, so anything you can do with legitimate software like emailing, flashing your BIOS or opening ports on your firewall, a virus can do the same things. It simply has to talk to its software repository, pull down the pieces it needs and proceed with its dirty deeds.

    Hell, a tiny perl script could turn standard tools like Yum and Emerge into virus delivery agents. They already possess all the required functionality...

    --
    -Billco, Fnarg.com