Group launches strategy to block Conficker worm from .ca domain
Last Updated: Tuesday, March 24, 2009 | 3:50 PM ET
CBC News
The group that manages Canada's .ca internet domain is working to foil an internet worm set to attack starting April Fool's Day.
"We're going to do everything possible to make this extremely inhospitable terrain for any worm, this one in particular," said Byron Holland, CEO of the Canadian Internet Registration Authority, a non-profit organization that represents those who hold a .ca domain.
Holland added that the group is trying to protect .ca's reputation and trust as a secure and robust domain.
CIRA said Tuesday that it is taking a number of steps to stop the Conficker worm, also known as the Downandup worm, from using the .ca domain to perform malicious actions on behalf of those who control it.
The worm has been spreading through the internet since the fall, and a coalition of internet groups and businesses led by Microsoft has offered a $250,000 reward for information leading to the arrest of those responsible.
The latest variant of the worm, Conficker C, which was noticed in early March, is expected to launch its attack once the system date on an infected machine is on or after April 1, 2009.
At that time, copies of the malicious code on infected computers will try to generate and connect to 50,000 web URLs a day from 110 domains around the world, including .ca, while trying to reach a "command and control" domain for further instructions.
"They'll try to create a smoke screen of many, many thousands of domains that are being communicated to, among which that single or very small limited number of command and control domains will be hidden," Holland told CBCNews.ca Tuesday.
Infected computer joins 'botnet'
While CIRA has dealt with malicious code before while operating Canada's domain name system, this situation is unique, he added.
"This is the first virus that's really focused on domain names as part of propagating the virus itself."
Once it has its "command and control" instructions, the infected computer becomes part of a "botnet" of many infected computers that take orders from those who control them, and as such, it may gather personal information, install malicious programs on the computer, and attack or infect other computers.
CIRA's strategy includes pre-emptively registering and isolating previously unregistered .ca domain names that Conficker C is expected to try and generate, said a news release issued by the group.
That would make those names unavailable for anyone to register in order to set up a website to host the worm's "command and control" file. A list of the names has been predicted by security experts based on the worm's code.
In addition, CIRA is investigating and monitoring activity at names on the list that have already been registered and will "take appropriate action if suspicious activity is detected."
CIRA said computer security experts don't yet know what actions computers infected with Conficker C will be asked to perform, and may not until April 1.
"When it goes live, we will have a much clearer picture," Holland said.
Fraudulent anti-virus software
He added that the group has been working with internet security experts and registries around the world, some of whom are using similar strategies against the worm.
Conficker infects computers running various versions of Microsoft Windows, especially those that have not been patched with a security upgrade issued by Microsoft in October. The earlier variants, Conficker A and Conficker B, did not require any user intervention to spread.
According to CIRA, Conficker A attempted to download and install fraudulent antivirus software.
Conficker B generated a list of just 250 new internet domains to connect to every day, some of which may have hosted the worm's command and control file, but none of the domains were .ca names. The internet security company CA has reported that Conficker C may not trigger malware detection software on a user's computer because it has lost some of the spreading abilities found in previous versions.
It can shut down tools that are used to monitor for malware and that could potentially remove it from the system.
CIRA is urging computer users to protect themselves by installing up-to-date security patches and is providing further information on its website.

