.CA Registrar Trying To Preempt Conficker
clover kicker writes "The CBC reports that the group managing Canada's .ca internet domain is working to foil an internet worm set to attack starting April Fool's Day. 'This is the first virus that's really focused on domain names as part of propagating the virus itself,' said Byron Holland, CEO of the Canadian Internet Registration Authority, a non-profit organization that represents those who hold a .ca domain. CIRA's strategy includes pre-emptively registering and isolating previously unregistered .ca domain names that Conficker C is expected to try and generate, said a news release issued by the group. That would make those names unavailable for anyone to register in order to set up a website to host the worm's 'command and control' file. A list of the names has been predicted by security experts based on the worm's code. In addition, CIRA is investigating and monitoring activity at names on the list that have already been registered and will 'take appropriate action if suspicious activity is detected.'"
Re:Can't somebody just... (Score:3, Informative)
Helps, but not much ... (Score:5, Informative)
I saw the article today on CBC (Canada's equivalent of the BBC).
This effort may help, but given that the worm has so many other TLDs to choose from, it may not help much. Making the 110 TLDs only 109 (or even 75 if other TLD authorities do the same) will not help that much.
Moreover, there is another mechanism which is not very clear, whereby the infected nodes will contact each other via a peer-to-peer protocol (see Peer to Peer [sri.com]). So, once the botnet gets going, the need for the domain name (so called "Internet Rendezvous points") may diminish.
Also, the article contains some inaccuracies:
Actually, the worm author(s) are aware that the user may change the clock of the PC to prevent the worm from triggering. So they query several well known sites and check the date/time on the HTTP headers to make this defense point moot. See Internet Date Checking [sri.com]
It will query only 500 out of 50,000 generated domain names. See the domain generation algorithm [sri.com].
I bet there will be a revision D shortly before April 1st, and the author(s) will address many of the potential defenses in revision C.
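The two figures in this post (a large date-seeded candidate pool spread across many TLDs, of which only 500 out of 50,000 are actually queried) are what make a single registrar's pre-registration a partial measure. The following is an added illustrative model, not Conficker's algorithm and not code from CIRA or SRI: it uses a toy date-seeded generator with a constructed list of eight TLDs, computes the day's candidates under one TLD (the registrar's pre-register-or-watch list), and measures what share of a 500-name sample still lands outside a blocked TLD. All constants except the 500 and 50,000 are assumptions.

```python
"""Toy model of a date-seeded domain generator, used to estimate how much
pre-registering one TLD helps.  Illustrative code only: this is NOT the
worm's real algorithm; the TLD list, alphabet and seeding are constructed."""
import hashlib
import random

# Constructed assumptions: a small TLD set and a plain lowercase alphabet.
TLDS = ["com", "net", "org", "info", "biz", "ca", "cn", "ws"]
ALPHABET = "abcdefghijklmnopqrstuvwxyz"
POOL_SIZE = 50_000    # candidate names generated per day (figure from the post)
SAMPLE_SIZE = 500     # names actually queried per day (figure from the post)


def daily_seed(day_iso: str) -> int:
    """Deterministic seed derived from the calendar date (e.g. "2009-04-01").

    Seeding from the date is what makes the list predictable by anyone who
    has the generator; that predictability is what lets a registrar
    pre-compute the names for its own TLD."""
    digest = hashlib.sha256(day_iso.encode()).digest()
    return int.from_bytes(digest[:8], "big")


def generate_pool(day_iso: str, size: int = POOL_SIZE) -> list:
    """Full candidate pool for one day: random labels over the TLD set."""
    rng = random.Random(daily_seed(day_iso))
    pool = []
    for _ in range(size):
        length = rng.randint(5, 11)
        label = "".join(rng.choice(ALPHABET) for _ in range(length))
        pool.append(f"{label}.{rng.choice(TLDS)}")
    return pool


def sample_contacted(pool: list, day_iso: str, k: int = SAMPLE_SIZE) -> list:
    """The subset a client would actually query: a random sample of the pool."""
    rng = random.Random(daily_seed(day_iso) ^ 0xA5A5A5A5)
    return rng.sample(pool, k)


def watchlist_for_tld(pool: list, tld: str) -> list:
    """Registrar view: the day's candidates under one TLD, to pre-register or monitor."""
    suffix = "." + tld.lower()
    return sorted(name for name in pool if name.endswith(suffix))


def reachable_fraction(contacted: list, blocked_tlds) -> float:
    """Share of the contacted sample that falls outside the blocked TLDs,
    i.e. names the operator could still use for a rendezvous point."""
    blocked = {t.lower() for t in blocked_tlds}
    reachable = [n for n in contacted if n.rsplit(".", 1)[1] not in blocked]
    return len(reachable) / len(contacted)


if __name__ == "__main__":
    day = "2009-04-01"
    pool = generate_pool(day)
    contacted = sample_contacted(pool, day)
    ca_names = watchlist_for_tld(pool, "ca")
    print(f".ca names to pre-register or watch for {day}: {len(ca_names)}")
    print(f"sample still reachable with only .ca blocked: "
          f"{reachable_fraction(contacted, ['ca']):.1%}")
    print(f"sample still reachable with every TLD blocked: "
          f"{reachable_fraction(contacted, TLDS):.1%}")
```

With eight TLDs in the toy model, blocking one leaves roughly seven eighths of the sample usable; with the hundred-odd TLDs the post mentions, the effect of a single registry is smaller still, which is the point made above. The value of CIRA's list is therefore mainly the monitoring side: knowing which of its names are already registered and watching them.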
Re:Tactics? (Score:3, Informative)
Yes, it should have been done quietly. Perhaps it is a PR thing "our .ca domains are not vulnerable"? Who knows.
As I pointed out [slashdot.org] in another comment, the author(s) scan all the info about Conficker and then modify it to protect itself against the defenses. They did that by releasing the C variant to select domains out of a random number of 50,000 total, after the initial 250 got outed in B.
I bet that there will be a D variant shortly before April 1st, and it will have more defenses and convolutions.
Interesting to watch this unravel nonetheless.
Re:Tactics? (Score:5, Informative)
It seizes to amaze me as to why they would make this public, 8 days before conficker is "supposed" to become active.
Assuming English isn't your first language: "It never ceases to amaze me" is what you meant, i.e. "I'm always surprised."
Re:Tactics? (Score:1, Informative)
He (or she or it) said (or typed) that he (or she or it) was a "grammer" nazi, not a "spelling" nazi. There are many different types of nazis in this world. Please learn to distinguish among them. Thank you for your cooperation.
Re:Seems like a futile attempt (Score:3, Informative)
On the contrary, conficker looks very much like something that harkens back to the bad old days. True it doesn't have the hard memory constraints of a boot sector virus but it's not bloated nor is it just a primitive script.
It uses strong crypto to protect its updates, it uses peer to peer to distribute its updates, and code obfuscation that puts the best of the old school to shame. The obfuscation is so good in fact that it's proving to be a serious barrier to pulling apart the new peer to peer code; it can't stop it being decoded but it may be able to delay it past 1st April.
Even this little technique of generating domain names to check for update distribution points is very unusual.
All this does mean that people are worried. The botnet that exists has sufficient potential for damage in the hands of anyone but these people have shown an unusual level of technical skill for botnet builders and there is a clear danger that they have come up with a new and interesting use for the botnet.
All things considered it may be the best result if it's just being sold to a spammer for a few dollars a machine.
Re:Hrm (Score:2, Informative)
In case of a truly malicious attack the results could be quite horrible for the infected users, the Internet or even the world as a whole.
For us desktop and server technicians - Ka Ching !!