[LINK] Cornficker clones

Scott Howard scott at doc.net.au
Sat Mar 28 19:39:05 AEDT 2009


On Sat, Mar 28, 2009 at 1:13 AM, <stephen at melbpc.org.au> wrote:

> The bad guys still need to get only ONE of those up and running to
> connect to their botnet. And the bigger list of possibilities increases
> the odds they'll slip something by the security community.
>
> Researchers already know which domains the infected machines will check,
> but pre-emptively registering them all, or persuading the registrars to
> neutralize all of them, is a bigger hurdle."
>

What happens when amazon.com shows up in the list of domains that conficker
is going to try?  Should that domain be "neutralized"?

Of course, you can't simply just ignore existing domains, because there's a
good chance that the conficker writers have already registered one or more
of the future domains, ready for the day that the bots' domain algorithm
picks that specific domain and comes calling.  This domain could well be
hosting some random, innocent content - but of course the worm writers will
know the exact second hosts will start accessing it and can change the
content a few seconds earlier.

Even if you do ignore existing domains, at 50,000 domains per day, how far
out should domains be blacklisted?  10 days? (half a million domains!)  A month?
(1.5 million domains!)  What happens when they change the algorithm and it
becomes 500,000 domains a day?

And when I go to register the domain for my new company what should I be
told?  I can't register it today as it might be malicious, but if I come
back next Thursday after 6:51am everything will be OK?

  Scott.
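The scaling and collision problems Scott raises (a fixed per-day budget of predictable names, legitimate domains that happen to land on the list, and a registrant asking when their name drops out of the block window) can be made concrete with a small script. This is an added example, not code from the mailing-list post or from any Conficker analysis: the domain-generation routine is a constructed toy that hashes the date, not the worm's real algorithm, and the set of "already registered" domains is a made-up stand-in for a registrar's zone data.

```python
import hashlib
from datetime import date, timedelta

# Constructed stand-in for a registrar's list of already-registered domains
# (assumption; a real deployment would consult zone files or WHOIS).
REGISTERED_DOMAINS = {"amazon.com", "example.org", "mail.example.net"}

# Date used by the stand-alone run and the checks below (the post's date).
EXAMPLE_START = date(2009, 3, 28)


def toy_dga(day: date, count: int, seed: bytes = b"toy-dga") -> list[str]:
    """Constructed toy domain-generation algorithm (NOT Conficker's): derive
    `count` pseudo-random .com names from the calendar date, so anyone who
    knows the algorithm can predict a whole day's list ahead of time."""
    names = []
    for i in range(count):
        material = seed + day.isoformat().encode() + i.to_bytes(4, "big")
        digest = hashlib.sha256(material).hexdigest()
        names.append(digest[:10] + ".com")
    return names


def dga_window(start: date, days: int, per_day: int) -> dict[str, list[date]]:
    """Map every name the DGA will try in [start, start + days) to the dates
    on which it is tried. The dict size is the raw blocklist size."""
    seen: dict[str, list[date]] = {}
    for offset in range(days):
        day = start + timedelta(days=offset)
        for name in toy_dga(day, per_day):
            seen.setdefault(name, []).append(day)
    return seen


def build_blocklist(start: date, days: int, per_day: int,
                    registered: set[str] = REGISTERED_DOMAINS):
    """Split the window into names that are safe to pre-register or sinkhole
    and names that collide with existing registrations, which need review
    rather than blanket neutralisation (the amazon.com problem)."""
    window = dga_window(start, days, per_day)
    collisions = sorted(n for n in window if n in registered)
    to_block = sorted(n for n in window if n not in registered)
    return to_block, collisions


def registration_status(domain: str, today: date, days: int, per_day: int):
    """Answer the would-be registrant: is `domain` inside the current block
    window, and if so, on which date does it fall out of the window?"""
    window = dga_window(today, days, per_day)
    if domain not in window:
        return False, None
    last_hit = max(window[domain])
    return True, last_hit + timedelta(days=1)


def blocklist_size(per_day: int, days: int) -> int:
    """Upper bound on names to pre-register for a window of `days` days."""
    return per_day * days


if __name__ == "__main__":
    # Pretend one legitimate site already owns one of tomorrow's names.
    owned = REGISTERED_DOMAINS | {toy_dga(EXAMPLE_START + timedelta(days=1), 4)[0]}
    block, clash = build_blocklist(EXAMPLE_START, days=3, per_day=4, registered=owned)
    print(f"{len(block)} names to sinkhole, {len(clash)} collide with registered domains")
    print("50,000/day for 10 days =", blocklist_size(50_000, 10))
    print("50,000/day for 30 days =", blocklist_size(50_000, 30))
    probe = toy_dga(EXAMPLE_START, 4)[0]
    print(probe, registration_status(probe, EXAMPLE_START, days=10, per_day=4))
```

Run as-is it prints the blocklist split and the window arithmetic; swapping `toy_dga` for a real generator and `REGISTERED_DOMAINS` for registrar data turns it into the collision check a registrar or sinkhole operator would need before neutralising anything.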