March 02, 2009, 11:09 AM — Computers infected by the Downadup worm will "phone home" to several legitimate URLs this month, including one owned by Southwest Airlines, potentially disrupting those sites, a security researcher said Sunday.
According to a researcher at Sophos Plc., the Downadup worm -- also known as Conficker -- will try to contact wnsux.com on March 13 for further instructions. That URL, however, is owned by Southwest Airlines, and redirects visitors to the airline's primary southwest.com address.
"On March 13, the millions of machines infected with Conficker will be contacting wnsux.com for further instructions," said a Sophos researcher identified as MikeW in an entry on the company's blog . "They won't get any [instructions], but that may certainly disrupt the operation of southwest.com."
Once it has infected a PC, Downadup generates a list of 250 possible domains -- the list changes daily -- selects one, then uses that URL to reach a hacker-controlled server from which it downloads additional malware to install on the hijacked computer. The wnsux.com address is one of the 7,750 domains that the worm may use during March, said MikeW.
Previously, researchers had reverse-engineered the algorithm that determines any given day's list of command-and-control routing domains. Then, last month, nearly 20 technology companies and organizations, among them Microsoft Corp. and ICANN, the nonprofit group that manages the Internet Domain Name System, combined forces to disrupt the budding botnet by preemptively removing those addresses from circulation.
MikeW spotted several other legitimate sites on March's Downadup list, including jogli.com (Big Web Great Music) and qhflh.com (Women's Net in Qinghai Province), slated for "phone home" use on March 8 and March 18, respectively.
These domains may be affected by the worm itself or by the steps network administrators have taken to protect their PCs, said MikeW. "Those millions of Conficker infected machines contacting the domain on its given day may overload the site and essentially result in a denial-of-service attack," he said. According to F-Secure Corp. , at least 2.1 million PCs are currently infected with the Downadup worm. "[Or] they may end up on a blocklist [that would ] prevent users from accessing their services." Microsoft, for example, has posted a list of Downadup's routing domains that IT administrators can use to block outbound "calls" from infected PCs.
MikeW said Sophos had contacted the owners of the domains on March's list, including Southwest. Currently, wnsux.com -- which Southwest Airlines apparently acquired to stymie negative publicity -- shunts users to Southwest Airlines' site and offers a message that reads in part, "Southwest wants to control the release of inaccurate and irresponsible information about the Company via the Internet."
Downadup first gained attention for exploiting a Windows vulnerability that Microsoft patched last October in one of its rare emergency updates . The worm has spread extensively since earlier this year, when a new variant appeared and quickly compromised as many as 9 million PCs within days.
Microsoft has also offered a $250,000 reward for information that results in the arrest and conviction of the hackers who created and launched Downadup, a move it last used in 2004.
Southwest Airlines was not immediately available for comment.