back to article Conficker call-backs threaten to swamp legit domains

The infamous Conficker worm is set to disrupt the operation of at least four legitimate websites this month. Machines infected with Conficker (Downadup) are programmed to dial home for updates through a list of domains which changes every day. Microsoft is heading an alliance to block unregistered domains on this list but that …


This topic is closed for new posts.
  1. Colin Millar

    So update it then

    If the infected machines call-in looking for an update they are inviting that domain to make changes to their machine - why not provide them with an update that kills the worm?

  2. Dave


    Surely the thing to do is agree with one of these websites to host a package that, if downloaded, would clean up the Conficker installation on the infected machine. That way they can at least reduce the number of infected machines out there.

    I guess US liability laws stop them doing it, lest one of the machines crashes (even though it serves the owner right) due to the clean-up.

  3. John Macintyre

    @So update it then

    Bravo! Bravo! Finally a smart idea! I'm sure all those in M$ and Sophos and the hundreds of other virus tools out there are kicking themselves that they didn't come up with that one since it first appeared in November.

    Perhaps it's not that simple? Reverse engineering a virus isn't like feeding a hamster. I'd imagine they've tried this and couldn't get the system to update, or they don't know how to disable it by doing so. Or the update tool might not be something that can be updated, so it always runs regardless of what each update is. The virus writer probably thought, just in case one or two cases get compromised, he can supply an alternate update on a later date to override this.

    Or each time they find a way to 'update' it he changes it before they can fix it. It might only allow updates from that generated address, which isn't so easy since you'd have to wait for the timeslot, own the domain etc etc. It's a bit like tracking down WMD really, only without the ability to obliterate it without any real evidence of a fix being ready

  4. Keith T. Grey, Sr.

    Identify infected machines?

    Seems to me that having a known date of attack and known target is an ideal opportunity to log the IP addresses of the actual infected hosts. Since the http request has been identified, the botnet boxen can be singled out from legitimate users. Then the target sends the info to the ISPs with a legal request to stop providing the means of the attack. The ISPs for the botnet hosts should notify the account holders that their computers are now part of the problem -- clean up or be blocked from the 'Net.

    Hope I don't offend anyone by implying ISP should actually ACT on this problem, or that -- horrors! -- computer owners be held responsible for their own negligence! One would think that knowingly being part of a botnet would render a party legally responsible just like failing to confine a vicious dog to the backyard.

  5. Alex Brett

    Re: Anti-virus?

    It's not just liability laws in the US, in the UK for example it would be a breach of the computer misuse act, as you are causing unauthorised modification of of the contents of a computer, with intent to impair operation of a program (even if the program is malware in the first place!)

  6. Anonymous Coward
    Jobs Halo

    It is time...

    for ISP's to disconnect infected parties until they clean up their computers. There are a lot of muppets around and they should pay the price by being disconnected.

  7. GottaBeKidding

    @So update it then

    It's not possible to update the worm without having the author's / herder's private key. The worm checks the validity of control messages before it executes them.

  8. Richard Porter
    IT Angle

    @So update it then

    Why not just send an update that disables the machine e.g. by looping, until the delinquent owner gets it fixed?

  9. Graham Cluley

    Why we don't install an anti-Conficker on those websites

    I'm afraid that it would be against the law - under the Computer Misuse Act - for us to change the visiting infected computers without the owners' permission.

  10. Lionel Baden


    This cold be a usefull way around the hacking laws not allowing them to send a bug round to clean up the bug ...

    If they know where it is going to strike, they can leave their payload their.

    obviously only with permission from the host. where as they are legally hosting a config file(there is no law aginst that) and a botnet that is already illegal connects to said adderes

    woops did we leave that there !!!#

    but anyway can we have a poll before friday for wether people will think it will actually get used ..

    i reckon its gonna take down

  11. Andrew
    Thumb Down

    Re. Update it

    Not as easy as you might think. The report referenced in a Reg article a mere week ago ( ) suggests that there's some clever enough encrypted signature verification at work to ensure that only updates by the original virus' authors will be accepted and processed.

  12. Alan W. Rateliff, II
    Paris Hilton

    Couple of points re: So update it, and Identify

    First, the updates are "signed" by private key encryption. The public key is in the worm binary itself, but the private key is, well, private and only held by those responsible.

    As for identifying infected machines, I was thinking the same thing. This is a perfect opportunity to set up filtering which would identify the estimated 9m+ machines infected with the worm. At the very least, this would seem to provide a fairly accurate head-count. Good opportunity for the Feds, I would think.

    Of course, holding individuals and ISPs responsible for this outbreak is pure rubbish. All of us are victims. Follow the trail back far enough and along the way you will find the virus writers' parents are at fault, but only because of a lack of a relationship with their siblings. But that, of course, is the result of an overbearing parental structure, which was, in turn, the result of puritanical views of child-rearing prevalent in the local culture. Go back far enough and you can probably blame God.

    Is that it? In our new culture of victimization and self-perpetuating mediocrity, is everything God's fault? Ultimately, are we all victims of God's lack of competency or action against Evil? My word, what will they think of next? (And Holy Carp, I went a long way for that one!)

    Paris, I blame God.

  13. Kanhef

    @Colin Millar et al

    This has been debated to death already. It sounds like a good idea, but would be illegal as an act of computer intrusion. They'd also be liable for any and all damage it causes. With millions of infected machines, anything you write is all but guaranteed to screw up on some of them.

  14. Mark


    mark@beaker:~$ ping

    ping: unknown host

    mark@beaker:~$ ping

    ping: unknown host

  15. Paul

    Outside the US/UK

    Surely Obama or one of his minions could give immunity to prosecution to some security professionals to do this? After all in this case there is no perfect way of stopping this infection so its a case of someone with clout deciding which is worse 9 million infected machines around the world or some of those falling over when they are remotely cleaned?

  16. Anonymous Coward

    @Kanhef I like the idea of identifying infected machines and contacting the owners, perhaps even cutting them off!

    Whilst it won't get all of them, and it's only one infection out of many, it might *just* serve as a wake up call to people that "t'internet" is the electronic Wild West, and not a place to meander around unprotected and not expect to get mugged in some way!

  17. Anonymous Coward

    I blame microshaft

    Since virtually all of this runs off systems running their software. The sad part if that they COULD actually fix this if they were to have written any version of windoze properly....

    (1) you only are allowed to install into your own program files folder

    (2) you maynever create hidden files

    (3) you may never create rootkits

    (4) you may never update anything in widoze folder

    (5) you may never update the registry (worst idea, EVER)

    (6) you may only execute in your own little sandbox

    (7) you may not access the internet without permission of the firewall

    I dibs IP on all this

  18. Pierre

    Blacklisting, a problem? Sheesh...

    Basically this guy says "we know these are legit domains, but we'll blacklist them anyway, which is kind of a problem for them".

    Well, why don't you just let them go then? If they are legit domains, the worm can't use them anyway.

    Now the DDOS attack-like risk is still real, though the big guys can probably cope with a few million connections over a few hours, even if they have to bring their sites down for that period. Hardly the end of the world. Especially if they know about it in advance.

    Sheesh, security guys sure do love to make up phoney problems these times.

  19. Anonymous Coward


    (Insert appropriate pun here)

  20. kain preacher

    I blame microshaft

    Some one might take you serious

    (4) you may never update anything in widoze folder

    (7) you may not access the internet without permission of the firewall\

    Wait unless you are an Internet consultant .

  21. Pete
    Paris Hilton

    I Have the Phix!

    Just insert some global govt interstitial Ads into said http requests, so that the evil botmaster gets some social reprogramming, all paid for by advertisers.

    The software to do this is phucking called "Ph**m" mate, you can get it on torrents :-)

    Mines the long coat with unbreakable encryption on the pockets, and a tin-foil hood.

    Paris, cos she can lick my .conf anyday.

  22. Anonymous Coward
    Anonymous Coward

    Drop the domain.

    Im guessing that domain really isnt much use. So why not just disconnect it from the servers for a couple of days then just bring it back after the 13th. No crashed servers then

  23. mark Silver badge
    Paris Hilton

    why not stop it upadting

    Where is this list that tells it what to do next?

    and why arnt the police kicking its door down????

    paris, cos i'm obviously missing something

This topic is closed for new posts.

Other stories you might like