A website owned by Southwest Airlines Co. is one of hundreds being targeted by the Conficker worm this month as...
it seeks out instructions from the cybercriminals who created it.
To get security news and tips delivered to your inbox, click here to sign up for our free newsletter.
It's the first time the worm has attempted to use a legitimate, high-profile website as it seeks to get instructions. Security researchers have been able to predict which domains the worm will used after they cracked the algorithm used by the worm to produce domain names.
The worm could disrupt Internet traffic since every infected machine seeking instructions will attempt to ping the website. The increase in traffic has the potential to cause a denial-of-service attack, effectively crippling the website, said Graham Cluley, senior technology consultant at Sophos Inc.
The good news is that the Southwest website being targeted is called wnsux.com, which redirects to Southwest's main website. The site is expected to be targeted by Conficker, March 13. Southwest airlines said it would temporarily shut off the redirect so it can continue to service its customers.
"If you find your site on Conficker's war path for a particular day, you can see if your ISP has traffic filtering technology to try to block the malicious traffic," Cluley said.
Cluley said he discovered the Southwest website while investigating whether the worm would be using any existing non-malicious domains in the month of March. Conficker will use more than 7,700 domains this month in an attempt to download a payload.
Several other legitimate domains will be targeted, Cluley said. Jogli.com, a website whose widgets are used to play music on social networks and Praat.org, a website about computer phonetics run by the University of Amsterdam, will also be bombarded by Conficker.
So far Conficker has not received its payload, but the cybercriminals behind it could use the botnet to perform a denial-of-service attack against a specific company or steal sensitive information from the owners of the infected machines. Security researchers announced a coalition in February to block Conficker from getting its orders via domains. It still has the ability to be updated by a backdoor method, in which the cybercriminals can upload commands much like data exchanging in peer-to-peer file sharing. "We simply don't know if a payload is going to come or not," Cluley said. "Maybe the masterminds behind this have been scared off by Conficker's success. They may not want to trigger a payload since it would signal law enforcement on their tracks."