ICANN Email List Archives

[gnso-rap-dt]



[gnso-rap-dt] Conficker.C primed for April Fool's activation (was RE: [gnso-rap-dt] FYI background on Conficker)

  • To: "gaaron@xxxxxxxxxxxx" <gaaron@xxxxxxxxxxxx>, "gnso-rap-dt@xxxxxxxxx" <gnso-rap-dt@xxxxxxxxx>
  • Subject: [gnso-rap-dt] Conficker.C primed for April Fool's activation (was RE: [gnso-rap-dt] FYI background on Conficker)
  • From: Phil Corwin <pcorwin@xxxxxxxxxxxxxxxxxx>
  • Date: Wed, 18 Mar 2009 13:26:48 -0400

FYI, just came across this story on the latest variation at
http://arstechnica.com/security/news/2009/03/confickerc-primed-for-april-fools-activation.ars
; a portion of the story is excerpted below...

Conficker.C primed for April Fool's activation

The security industry was collectively able to put the brakes on Conficker.B's 
expansion when they managed to reverse-engineer the virus and determine which 
domains it would attempt to register and dial home to on particular dates. With 
Conficker.A and B, the worm chose to contact 32 addresses
(http://arstechnica.com/security/news/2009/03/conficker-created-connections-could-confound-consumers.ars)
out of a possible 250 on any given attempt. With their algorithm broken, the 
malware authors went a step beyond updating their randomization/selection 
code: they also vastly increased both the number of domains the worm could 
generate as well as the number it will randomly select. Conficker.C will select 
500 domains out of a randomized pool of 50,000 instead of the previous 32/250.

This will drive up the cost of operating the botnet (we've previously covered 
how vulnerable malware networks can be to changes in their cost structure) but 
will also significantly increase the cost of attempting to monitor and prevent 
botnet registrations, even once the randomizing algorithm has been broken.


Philip S. Corwin
Partner
Butera & Andrews
1301 Pennsylvania Ave., NW
Suite 500
Washington, DC 20004

202-347-6875 (office)

202-347-6876 (fax)

202-255-6172 (cell)

"Luck is the residue of design." -- Branch Rickey

________________________________
From: owner-gnso-rap-dt@xxxxxxxxx [mailto:owner-gnso-rap-dt@xxxxxxxxx] On 
Behalf Of Greg Aaron
Sent: Monday, March 16, 2009 1:25 PM
To: gnso-rap-dt@xxxxxxxxx
Subject: [gnso-rap-dt] FYI background on Conficker

This involves lists of domain names that are not yet registered, but may be 
registered by the worm's creators and used to control or update the botnet.

* http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9129239&intsrc=news_ts_head

* http://blogs.zdnet.com/security/?p=2572

* http://en.wikipedia.org/wiki/Conficker


**********************************
Greg Aaron
Director, Key Account Management and Domain Security
Afilias
vox: +1.215.706.5700 x104
fax: 1.215.706.5701
gaaron@xxxxxxxxxxxx
**********************************
The information contained in this message may be privileged and confidential 
and protected from disclosure. If the reader of this message is not the 
intended recipient, or an employee or agent responsible for delivering this 
message to the intended recipient, you are hereby notified that any 
dissemination, distribution or copying of this communication is strictly 
prohibited. If you have received this communication in error, please notify us 
immediately by replying to the message and deleting it from your computer.
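An added worked example, not part of either message or the quoted article, putting numbers on the cost shift the article describes: it takes the 32-of-250 (A/B) and 500-of-50,000 (C) figures quoted above and computes, for a defender, how many candidate domains must be pre-registered or monitored per day, and, for the botnet operator, how many domains must be registered to get the same per-attempt reach. The draw-without-replacement model and the variant table are assumptions of this example.

```python
# Constructed parameters taken from the article quoted above:
# name -> (domains contacted per attempt, size of the daily candidate pool).
VARIANTS = {
    "Conficker.A/B": (32, 250),
    "Conficker.C": (500, 50_000),
}


def hit_probability(pool: int, picks: int, attacker_domains: int) -> float:
    """Probability that one attempt (picks domains drawn without replacement
    from pool) contacts at least one of attacker_domains registered domains.
    P(miss) = C(pool-a, picks) / C(pool, picks) = prod_{j<a} (pool-picks-j)/(pool-j),
    computed as a running product so the huge binomials never materialise."""
    if attacker_domains <= 0:
        return 0.0
    if attacker_domains > pool - picks:
        return 1.0  # fewer clean domains than picks: a hit is certain
    miss = 1.0
    for j in range(attacker_domains):
        miss *= (pool - picks - j) / (pool - j)
    return 1.0 - miss


def attacker_domains_needed(pool: int, picks: int, target: float) -> int:
    """Smallest number of attacker-registered domains in the pool that gives
    at least `target` probability of a hit on a single attempt."""
    for a in range(1, pool + 1):
        if hit_probability(pool, picks, a) >= target:
            return a
    return pool  # only reached for target > 1


def compare(reference: str = "Conficker.A/B") -> dict:
    """Per variant: the defender's daily cost (domains to pre-register or
    monitor), the reach one attacker domain buys per attempt, and how many
    domains the attacker must register to match the reference variant's reach."""
    ref_picks, ref_pool = VARIANTS[reference]
    ref_reach = hit_probability(ref_pool, ref_picks, 1)
    report = {}
    for name, (picks, pool) in VARIANTS.items():
        report[name] = {
            "defender_domains_per_day": pool,
            "reach_with_one_domain": hit_probability(pool, picks, 1),
            "domains_to_match_reference": attacker_domains_needed(pool, picks, ref_reach),
        }
    return report


if __name__ == "__main__":
    for name, row in compare().items():
        print(name, row)
```

The takeaway the numbers make explicit: moving from A/B to C multiplies the defender's per-day coverage burden by 200 (250 to 50,000 domains) while the operator needs only about 14 registrations instead of 1 to keep the same per-attempt reach.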


