According to a blog entry at Sophos, if you are scheduled for a flight on Southwest Airlines on March 13th, you may have trouble logging in online. It seems that the virus known as Confickeris scheduled to call home to wnsux.com for further instructions. But the virus won’t receive any directions. Instead the site which is owned by Southwest Airlines will redirect the traffic to Southwest Airlines. If this happens, than the site could suffer a denial of service attack.
According to Sophos in their blog posting, it also states that:
The key sites whose visitors may indeed see a disruption to their service include:
DOMAIN DESC ON DATE jogli.com Big Web Great Music March 8 wnsux.com Southwest Airlines March 13 qhflh.com Women’s Net in Qinghai Province March 18 praat.org Praat: doing phonetics by computer March 31
Other, less frequented, sites of interest that appeared in the list include “The Tennesse Dogue De Bordeaux” dog breeders site (tnddb.com, March 14) and the coy “Double Super Secret Message Board” site (dssmb.com, March 11) — dogs and secrets won’t be moving too well on those days. One last domain turned out to be infected with Troj/Unif-B (site not listed here for obvious reasons) — so I will go ahead and block that one all the same!
As for options, the simple solution, say for Southwest Airlines, could simply be to stop resolving wnsux.com to southwest.com for the day — so long as that wouldn’t hinder any of their operations. Another option would be to filter out the Conficker HTTP requests of the form http://<domain>/search?q=<N>, though this requires that (a) your site does not currently use a “search” page (with no file extension) and more importantly (b) the filtering decision is made at a point along the network path that can cope with the load. This is a bit trickier as HTTP is an application layer protocol — a network connection must already be established before the two endpoints start speaking HTTP — necessitating a highly provisioned web proxy be used on the front lines to (1) establish the connection (TCP 3-way handshake), (2) examine the HTTP request, and (3) drop Conficker requests and pass along any remaining (presumably legitimate) requests further downstream. In any case, I have contacted the owners of the domains listed above to draw their attention to this matter.
Time will tell whether making it on the Conficker list will be viewed with prestige or lowliness. Perhaps stories of surviving a Conficker call-home flood will carry a badge-of-honor in the network operations world. I do know one thing for certain though… I’m glad sophos.com did not make the list.
MikeW, SophosLabs, Canada
So hopefully Southwest Airlines won’t experience any problems.