March 13, 2009 - Virus Set To Call Home To Southwest Airlines
According to a blog entry at Sophos, if you are scheduled for a flight on Southwest Airlines on March 13th, you may have trouble logging in online. It seems that the virus known as Conficker is scheduled to call home to wnsux.com for further instructions. But the virus won’t receive any directions. Instead, the site, which is owned by Southwest Airlines, will redirect the traffic to Southwest Airlines. If this happens, then the site could suffer a denial of service attack.
The Sophos blog posting also states:
The key sites whose visitors may indeed see a disruption to their service include:
DOMAIN      DESC                                  ON DATE
jogli.com   Big Web Great Music                   March 8
wnsux.com   Southwest Airlines                    March 13
qhflh.com   Women’s Net in Qinghai Province       March 18
praat.org   Praat: doing phonetics by computer    March 31
Other, less frequented, sites of interest that appeared in the list include “The Tennesse Dogue De Bordeaux” dog breeders site (tnddb.com, March 14) and the coy “Double Super Secret Message Board” site (dssmb.com, March 11) — dogs and secrets won’t be moving too well on those days. One last domain turned out to be infected with Troj/Unif-B (site not listed here for obvious reasons) — so I will go ahead and block that one all the same!
As for options, the simple solution, say for Southwest Airlines, could simply be to stop resolving wnsux.com to southwest.com for the day — so long as that wouldn’t hinder any of their operations. Another option would be to filter out the Conficker HTTP requests of the form http://<domain>/search?q=<N>, though this requires that (a) your site does not currently use a “search” page (with no file extension) and more importantly (b) the filtering decision is made at a point along the network path that can cope with the load. This is a bit trickier as HTTP is an application layer protocol — a network connection must already be established before the two endpoints start speaking HTTP — necessitating a highly provisioned web proxy be used on the front lines to (1) establish the connection (TCP 3-way handshake), (2) examine the HTTP request, and (3) drop Conficker requests and pass along any remaining (presumably legitimate) requests further downstream. In any case, I have contacted the owners of the domains listed above to draw their attention to this matter.
Time will tell whether making it on the Conficker list will be viewed with prestige or lowliness. Perhaps stories of surviving a Conficker call-home flood will carry a badge-of-honor in the network operations world. I do know one thing for certain though… I’m glad sophos.com did not make the list.
MikeW, SophosLabs, Canada
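The filtering decision described in the quoted passage, sketched as an added example (not code from Sophos or from this post): it classifies access-log request lines by the /search?q=<N> shape and counts dropped requests per client. The GET method, the decimal <N>, the single "q" parameter and the log lines are assumptions constructed for illustration.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qsl

# Assumptions (not stated on the page): the request method is GET, <N> is a
# decimal integer, and "q" is the only query parameter.
def is_callhome(method, target):
    """True if the request has the shape /search?q=<N> quoted above."""
    parts = urlsplit(target)
    if method != "GET" or parts.path != "/search":
        return False  # "/search.html" or "/search/" are left alone
    params = parse_qsl(parts.query, keep_blank_values=True)
    return (len(params) == 1 and params[0][0] == "q"
            and re.fullmatch(r"[0-9]+", params[0][1]) is not None)

# Common Log Format prefix: client, two ignored fields, timestamp, request line.
_LOG = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*"')

def triage(lines):
    """Return (Counter of dropped requests per client, list of passed lines)."""
    dropped, passed = Counter(), []
    for line in lines:
        m = _LOG.match(line)
        if m and is_callhome(m.group(2), m.group(3)):
            dropped[m.group(1)] += 1
        else:
            passed.append(line)  # unparsable lines pass through untouched
    return dropped, passed

# Constructed sample log lines (documentation-range addresses).
SAMPLE = [
    '192.0.2.10 - - [13/Mar/2009:00:00:01 +0000] "GET /search?q=0 HTTP/1.0" 404 0',
    '192.0.2.10 - - [13/Mar/2009:00:00:04 +0000] "GET /search?q=27 HTTP/1.0" 404 0',
    '198.51.100.7 - - [13/Mar/2009:00:00:05 +0000] "GET /search?q=3 HTTP/1.1" 404 0',
    '203.0.113.5 - - [13/Mar/2009:00:00:06 +0000] "GET /search.html?q=3 HTTP/1.1" 200 512',
    '203.0.113.5 - - [13/Mar/2009:00:00:07 +0000] "GET /search?q=cheap+flights HTTP/1.1" 200 900',
    '203.0.113.9 - - [13/Mar/2009:00:00:08 +0000] "GET /reservations/ HTTP/1.1" 200 4096',
]

if __name__ == "__main__":
    dropped, passed = triage(SAMPLE)
    print("dropped per client:", dict(dropped))
    print("passed downstream:", len(passed))
```

A legitimate request such as /search?q=737 would be dropped as well, which is why condition (a) in the quoted text matters before deploying a rule like this.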
So hopefully Southwest Airlines won’t experience any problems.
Comments welcome.

7 Comments
Duh
March 4th, 2009
at 9:07pm
Good job spelling denial.
Ron Schenone
March 5th, 2009
at 5:14am
I’ll blame spell check. LOL