[LINK] Conficker, boots April First

Kim Davies kim at cynosure.com.au
Mon Mar 23 03:20:49 AEDT 2009


Quoting Karl Auer on Sunday March 22, 2009:
| On Sun, 2009-03-22 at 19:53 +1100, Karl Auer wrote:
| > I'm not up on the Conficker thing, so maybe this is me displaying that
| > ignorance, but it seems to me to be extraordinarily unlikely that
| > anything to do with the DNS would have any relevance to a worm. I
| > suppose the DNS port might be used in some way, as it swans through most
| > firewalls, but "domain names"?
| 
| OK, now I know. Still strikes me as a weird way to operate, as domain
| names are by definition traceable and locatable.

Well, not really. The operator of the bot has 50,000 different domains
a day to play with, distributed under over 100 top-level domains each
with very different registration policies (and almost all more liberal
than those in Australia). The attacker can probably go to some registry
or registrar, provide a stolen credit card number, and get one of that
day's command-and-control domains. And the domain only needs to be active
for 24 hours, so they don't care if it gets taken down later once
someone realises what is going on.

kim
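The design Kim describes has a defender-side consequence worth seeing in code: if the day's candidate domains are a pure function of the date, anyone who has recovered the generator can compute the same list in advance and match it against DNS query logs (or pre-register and sinkhole the names). The following is an added example, not code from the post or from Conficker itself; the SHA-256 based generator, the TLD list and the log format are constructed for illustration, and only the 50,000-domains-per-day figure comes from the post.

```python
"""Illustrative model of a date-seeded domain generation scheme and the
defender-side check it enables. The generator, TLD list and log format are
constructed for this example and are NOT Conficker's real algorithm or
parameters; only the 50,000 domains/day figure is taken from the post."""
import hashlib
from datetime import date

TLDS = ["com", "net", "org", "info", "biz", "cc", "ws"]   # hypothetical list
DOMAINS_PER_DAY = 50_000                                  # figure from the post


def daily_domains(day: date, count: int = DOMAINS_PER_DAY, tlds=TLDS) -> set:
    """Return the candidate domain set for `day`.

    Hypothetical scheme: hash(date || counter) selects a label of 8..12
    lowercase letters and one TLD. Because the only input is the date, a
    defender who knows the scheme can reproduce the list ahead of time.
    """
    seed = day.isoformat().encode()
    out = set()
    for i in range(count):
        h = hashlib.sha256(seed + i.to_bytes(4, "big")).digest()
        length = 8 + h[0] % 5                           # 8..12 letters
        label = "".join(chr(ord("a") + b % 26) for b in h[1:1 + length])
        out.add(f"{label}.{tlds[h[13] % len(tlds)]}")
    return out


def flag_dga_queries(log_lines, day: date, generator=daily_domains):
    """Match resolver log lines against the candidate set for `day`.

    Expected (constructed) line format: "<timestamp> <client-ip> query <qname>"
    where qname may carry a trailing dot. Returns [(client_ip, qname), ...]
    for every query whose name is in that day's candidate set.
    """
    candidates = generator(day)
    hits = []
    for line in log_lines:
        parts = line.split()
        if len(parts) != 4 or parts[2] != "query":
            continue                                    # not a query record
        client, qname = parts[1], parts[3].lower().rstrip(".")
        if qname in candidates:
            hits.append((client, qname))
    return hits


# Constructed sample: the post's "April First" activation day, with one
# benign lookup per host and one lookup of a name from that day's list.
ACTIVATION_DAY = date(2009, 4, 1)
_one_candidate = sorted(daily_domains(ACTIVATION_DAY))[0]
SAMPLE_LOG = [
    "2009-04-01T00:05:12Z 10.0.0.7 query www.example.com.",
    f"2009-04-01T00:05:13Z 10.0.0.7 query {_one_candidate}.",
    "2009-04-01T00:05:14Z 10.0.0.9 query mail.example.org.",
]

if __name__ == "__main__":
    for client, name in flag_dga_queries(SAMPLE_LOG, ACTIVATION_DAY):
        print(f"{client} queried candidate domain {name}")
```

The same precomputation is why a 24-hour domain lifetime matters to the attacker: the attacker only has to win one of the day's 50,000 registrations, whereas a defender who wants to block or sinkhole them all has to deal with the whole list across every registry involved.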
