March 13, 2009 – Virus Set To Call Home To Southwest Airlines

According to a blog entry at Sophos, if you are scheduled for a flight on Southwest Airlines on March 13th, you may have trouble logging in online. It seems that the virus known as Conficker is scheduled to call home to wnsux.com for further instructions. But the virus won’t receive any directions. Instead, the wnsux.com site, which is owned by Southwest Airlines, will redirect the traffic to Southwest Airlines. If this happens, then the site could suffer a denial of service attack.

The Sophos blog posting also states:

The key sites whose visitors may indeed see a disruption to their service include:

DOMAIN        DESCRIPTION                            DATE
jogli.com     Big Web Great Music                    March 8
wnsux.com     Southwest Airlines                     March 13
qhflh.com     Women’s Net in Qinghai Province        March 18
praat.org     Praat: doing phonetics by computer     March 31

Other, less frequented, sites of interest that appeared in the list include “The Tennessee Dogue De Bordeaux” dog breeders site (tnddb.com, March 14) and the coy “Double Super Secret Message Board” site (dssmb.com, March 11) — dogs and secrets won’t be moving too well on those days. One last domain turned out to be infected with Troj/Unif-B (site not listed here for obvious reasons) — so I will go ahead and block that one all the same!

As for options, the simple solution, say for Southwest Airlines, could simply be to stop resolving wnsux.com to southwest.com for the day — so long as that wouldn’t hinder any of their operations. Another option would be to filter out the Conficker HTTP requests of the form http://<domain>/search?q=<N>, though this requires that (a) your site does not currently use a “search” page (with no file extension) and more importantly (b) the filtering decision is made at a point along the network path that can cope with the load. This is a bit trickier as HTTP is an application layer protocol — a network connection must already be established before the two endpoints start speaking HTTP — necessitating a highly provisioned web proxy be used on the front lines to (1) establish the connection (TCP 3-way handshake), (2) examine the HTTP request, and (3) drop Conficker requests and pass along any remaining (presumably legitimate) requests further downstream. In any case, I have contacted the owners of the domains listed above to draw their attention to this matter.

Time will tell whether making it on the Conficker list will be viewed with prestige or lowliness. Perhaps stories of surviving a Conficker call-home flood will carry a badge-of-honor in the network operations world. I do know one thing for certain though… I’m glad sophos.com did not make the list.

MikeW, SophosLabs, Canada

So hopefully Southwest Airlines won’t experience any problems.
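The Sophos post above describes the Conficker call-home request as an HTTP GET for a “search” resource with no file extension and a numeric q= parameter, and warns that a filter must not catch a site’s real search page. The following is an added example, not code from Sophos or from this blog, showing how a defender could run that rule over ordinary web-server access logs to measure how much of the traffic on a call-home day is Conficker noise. The log lines, IP addresses and the normalize_path/summarize helpers are all constructed for this illustration.

```python
import re
from collections import Counter

# Apache/nginx "combined" access-log line, for example:
# 10.0.0.5 - - [13/Mar/2009:00:00:01 +0000] "GET /search?q=5 HTTP/1.1" 200 512 "-" "Mozilla/4.0"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>HTTP/\d\.\d)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# The request shape from the Sophos post: http://<domain>/search?q=<N>.
# "search" has no file extension and q= is a bare integer, so a real
# search page such as /search.php?q=fares does not match.
CALLHOME_RE = re.compile(r'^/search\?q=\d+$')


def normalize_path(path):
    """Reduce a proxy-style absolute URI to its path+query (hypothetical helper)."""
    if path.startswith('http://') or path.startswith('https://'):
        parts = path.split('/', 3)
        path = '/' + parts[3] if len(parts) == 4 else '/'
    return path


def is_callhome_path(path):
    """True when the request path has the Conficker call-home shape."""
    return CALLHOME_RE.match(normalize_path(path)) is not None


def parse_line(line):
    """Parse one combined-format log line into a dict, or None if malformed."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def summarize(lines):
    """Return (callhome_total, other_total, Counter of call-home hits per source IP)."""
    per_ip = Counter()
    other = 0
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # blank or malformed line; skip rather than guess
        if rec['method'] == 'GET' and is_callhome_path(rec['path']):
            per_ip[rec['ip']] += 1
        else:
            other += 1
    return sum(per_ip.values()), other, per_ip


# Constructed sample log: three call-home hits (two from one host), a genuine
# search page, a static page, and a malformed q= value that must not match.
SAMPLE_LOG = """\
10.0.0.5 - - [13/Mar/2009:00:00:01 +0000] "GET /search?q=5 HTTP/1.1" 200 512 "-" "Mozilla/4.0"
10.0.0.5 - - [13/Mar/2009:00:00:02 +0000] "GET /search?q=17 HTTP/1.1" 200 512 "-" "Mozilla/4.0"
10.0.0.9 - - [13/Mar/2009:00:00:02 +0000] "GET http://wnsux.com/search?q=1 HTTP/1.1" 200 512 "-" "Mozilla/4.0"
192.0.2.7 - - [13/Mar/2009:00:00:03 +0000] "GET /search.php?q=fares HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
192.0.2.8 - - [13/Mar/2009:00:00:04 +0000] "GET /index.html HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
192.0.2.9 - - [13/Mar/2009:00:00:05 +0000] "GET /search?q=0x1f HTTP/1.1" 404 0 "-" "curl/7.19"
"""

if __name__ == '__main__':
    total, other, per_ip = summarize(SAMPLE_LOG.splitlines())
    print(f"call-home requests: {total}, other requests: {other}")
    for ip, n in per_ip.most_common():
        print(f"  {ip}: {n}")
```

The same `is_callhome_path` test is what a front-line proxy would apply to decide whether to drop a request before it reaches the origin, which is the filtering approach the post outlines; counting per source IP from the logs is the cheaper first step that tells you whether the flood is large enough to need it.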

Comments welcome.

Source

Major Internet Attack – No One Noticed

On February 6, 2007, an attack took place on the Internet that tried to take down the major backbone of the entire Internet. The attack against the root servers, which handle all Internet traffic, wasn’t done by stealthy-minded hackers but by people just like us: people who have left their systems unprotected and whose machines are now being used as soldiers for the invading force.

Hard to believe? Well, it did happen. Sophos reported this very story yesterday, stating:

“These zombie computers could have brought the web to its knees, and while the resilience of the root servers should be commended, more needs to be done to tackle the root of the problem – the lax attitude of some users towards IT security,” said Graham Cluley, senior technology consultant at Sophos. “Society is almost totally reliant on the internet for day-to-day communication – it’s ironic that the people who depend on the web may have been the ones whose computers were secretly trying to bring it down.”

Root servers, which manage the internet’s Domain Name System, help to convert website names such as amazon.com to their numeric IP address – essentially acting as an address book for the internet. UltraDNS, which manages traffic for websites ending with the suffix .org and .info, confirmed that it had witnessed an unusual increase in traffic. In all, three of the 13 servers at the top of the DNS hierarchy are said to have felt the impact of the attack, although none are thought to have stopped working entirely.

This is a real eye-opener, since so much of what we do as a society is now tied directly to the Internet. I remember reading that a single system was controlling some 1.5 million computers until it was finally shut down.

Full story here.
