Conficker Collateral Damage for March 2009

If you have a flight booked with Southwest Airlines on Friday March 13th, you may have difficulty checking in online — that’s when the Conficker worm will be calling it home.

To clarify, before outright blocking the 7750 Conficker call-home domains for the month of March, I dug into the giant list to see if the deterministic domain generation algorithm hit any existing non-malicious domains.

And good thing I did — on March 13th, the millions of machines infected with Conficker will be contacting wnsux.com for further instructions — they won’t get any, but that may certainly disrupt the operation of southwest.com — a reputable travel and tourism site that wnsux.com (also owned by Southwest Airlines) redirects to.

A legitimate domain that happens to make it into the Conficker call-home list is a problem for two reasons. First, without proper investigation, it may end up on a blocklist, preventing users from accessing its services. Second, the millions of Conficker-infected machines contacting the domain on its given day may overload the site, essentially resulting in a denial-of-service attack.
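The pre-blocking check described above can be sketched as follows. This is an added example, not code from the original post. It assumes a hypothetical export of registration data for the generated names and an assumed `first_seen` cutoff date for the generator; apart from wnsux.com and its 13 March date, all sample values are constructed.

```python
import csv
import io
from datetime import date

# Constructed sample data. Only wnsux.com and its 13 March date come from the
# post; every other domain, date and creation record below is made up.
DGA_LIST = """\
2009-03-12,qhxkfpl.example
2009-03-13,WNSUX.com.
2009-03-13,bdtrvgm.example
2009-03-14,zzkqwe.example
"""
# Hypothetical export of registration data (WHOIS or passive DNS) for the same names.
REGISTRATIONS = """\
domain,created,registrant
wnsux.com,2001-01-01,Southwest Airlines
zzkqwe.example,2009-03-01,unknown
"""

def normalise(name):
    """Lower-case and drop the trailing root dot so lookups compare equal."""
    return name.strip().lower().rstrip(".")

def triage(dga_csv, reg_csv, first_seen):
    """Split generated domains into (block, review).

    A name registered before `first_seen` (the date the generator became
    known, an assumed parameter) predates the malware and is held for review.
    Names registered after that date, or not registered at all, are blocked.
    """
    regs = {normalise(r["domain"]): r for r in csv.DictReader(io.StringIO(reg_csv))}
    block, review = [], []
    for day, raw in csv.reader(io.StringIO(dga_csv)):
        name = normalise(raw)
        rec = regs.get(name)
        if rec and date.fromisoformat(rec["created"]) < first_seen:
            review.append((day, name, rec["registrant"]))
        else:
            block.append((day, name))
    return block, review

if __name__ == "__main__":
    block, review = triage(DGA_LIST, REGISTRATIONS, first_seen=date(2008, 11, 1))
    for day, name, owner in review:
        print(f"REVIEW {day} {name} (registered to {owner})")
    print(f"{len(block)} domains ready for the blocklist")
```

Names in the review list still need a human decision: a pre-existing registration shows the domain predates the worm, not that its current owner is benign.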