Group launches strategy to block Conficker worm from .ca domain

The group that manages Canada's .ca internet domain is working to foil an internet worm set to attack starting April Fool's Day.

The group that manages Canada's .ca internet domain is working to foil an internet worm set to attack starting April Fool's Day.

"We're going to do everything possible to make this extremely inhospitable terrain for any worm, this one in particular," said Byron Holland, CEO of the Canadian Internet Registration Authority, a non-profit organization that represents those who hold a .ca domain.

Holland added that the group is trying to protect .ca's reputation and trust as a secure and robust domain.

CIRA said Tuesday that it is taking a number of steps to stop the Conficker worm, also known as the Downandup worm, from using the .ca domain to perform malicious actions on behalf of those who control it.

The worm has been spreading through the internet since the fall, and a group of internet groups and businesses led by Microsoft has offered a $250,000 reward for information leading to the arrest of those responsible.

The latest variant of the worm, Conficker C, which was noticed in early March, is expected to launch its attack once the system date on an infected machine is on or after April 1, 2009.

At that time, copies of the malicious code on infected computers will try to generate and connect to 50,000 web URLs a day from 110 domains around the world, including .ca while trying to reach a "command and control" domain for further instructions.

"They'll try to create a smoke screen of many, many thousands of domains that are being communicated to, among which that single or very small limited number of command and control domains will be hidden," Holland told Tuesday.

Infected computer joins 'botnet'

While CIRA has dealt with malicious code before while operating Canada's domain name system, this situation is unique, he added.

"This is the first virus that's really focused on domain names as part of propagating the virus itself."

Once it has its "command and control" instructions, the infected computer becomes part of a "botnet" of many infected computers that take orders from those who control them, and as such, it may gather personal information, install malicious programs on the computer, and attack or infect other computers.

CIRA's strategy includes pre-emptively registering and isolating previously unregistered .ca domain names that Conficker C is expected to try and generate, said a news release issued by the group.

That would make those names unavailable for anyone to register in order to set up a website to host the worm's "command and control" file. A list of the names has been predicted by security experts based on the worm's code.

In addition, CIRA is investigating and monitoring activity at names on the list that have already been registered and will "take appropriate action if suspicious activity is detected."

CIRA said computer security experts don't yet know what actions computers infected with Conficker C will be asked to perform, and may not until April 1.

"When it goes live, we will have a much clearer picture," Holland said.

Fraudulent anti-virus software

He added that the group has been working with internet security experts and registries around the world, some of whom are using similar strategies against the worm.

Conficker infects computers running various versions of Microsoft Windows, especially those that have not been patched with a security upgrade issued by Microsoft in October. The earlier variants, Conficker A and Conficker B, did not require any user intervention to spread.

According to CIRA, Conficker A attempted to download and install fraudulent antivirus software.

Conficker B generated a list of just 250 new internet domains to connect to every day, some of which may have hosted the worm's command and control file, but none of the domains were .ca names. The internet security company CA has reported that Conficker C may not trigger malware detection software on a user's computer because it has lost some of the spreading abilities found in previous versions.

It can shut down tools used to monitor for malware, and that could potentially remove it from the system.

CIRA is urging computer users to protect themselves by installing up-to-date security patches and is providing further information on its website.