Canadian .ca domain prepares united Conficker.C defense

White hats nationwide have ramped up their efforts to create a defense against Conficker.C as the worm’s April 1 activation date approaches. This is not an easy task—as we’ve previously described, Conficker.C sacrifices some of .B’s infection vectors but replaces them with code designed to make the worm harder to track, block, or remove.

If Conficker.A was an annoying relative with an old house key that somehow still worked, and Conficker.B a family member who thought you were so nice that he needed to meet everyone in your entire neighborhood, then Conficker.C is everyone’s nightmare house guest. He sleeps on the couch, can’t be bothered with minor details (like pants), sucks down cell phone minutes and bandwidth caps like bottles of Pabst Blue Ribbon, and has an absolutely uncanny ability to vanish every time you show up brandishing a fresh stack of bills and a “you have to go” attitude.

The Canadians, at least, have had enough of this behavior. On Thursday, March 24, the Canadian Internet Registration Authority (CIRA) announced plans to counter any digital attack Conficker.C might launch against the Great White North. Canadians evidently take the purity of the .ca domain very seriously, and are devoted to preserving its (digital) pristine waters, mighty vistas, and amazing natural beauty.

“A dot-ca domain name is valued and trusted as the best way for individuals, businesses and other organizations in Canada to connect with people, build their brand, reach markets and service customers,” said Byron Holland, president and CEO of CIRA. “In consultation with our international peers and Internet security authorities, we are taking prudent steps to counter attempts to abuse this trust.”

Protecting an entire domain—any domain—is a bit tricky when you consider the volume of traffic Conficker.C will spin up. On April 1 2009, all current Conficker installations will attempt to communicate with their C&C servers. If they manage to connect, they’ll be updated from whatever version is currently installed to the new .C rev.

Once that’s done, when Conficker attempts to generate a list of servers to contact for data upload and/or instructions, it won’t be picking from a randomized list of 32 addresses out of a pool of 250—it’ll pick 500 random addresses from a potential list of 50,000. Theoretically, it might be possible to register all 50,000 domains, contact their current owners, and/or take steps to prevent them from being exploited, but first we need the list. Conficker.C will debut new encryption algorithms to prevent code breakers from seeing where it intends to go next.

The not-for-profit group is preemptively registering and “isolating previously unregistered dot-ca domains” that it expects could be randomly generated over the next 12 months. Isolation is not exactly defined here but presumably refers to a process in which the domain is unavailable for standard, automatic registration, yet can still be legitimately bought and used by a business or person who demonstrates intent to legally use the site. The organization also intends to keep an eye on the domains it can monitor, watching for signs of abusive behavior.