Experts at SophosLabs discovered that the Conficker worm - also known as 'Downadup' - will try to contact wnsux.com on Friday March 13 for further instructions. This URL, owned by Southwest Airlines, redirects visitors to the airline's primary southwest.com address, meaning that the company's operations may be compromised as the attack takes place.
"Every day each computer infected by Conficker visits different websites, trying to see if orders have been left by its hacker overlords. The worm generates a long list of different website names which it uses to check in its hunt for instructions - meaning that the authorities can't shut down a single site to stop the worm from activating its payload," explained Graham Cluley, senior technology consultant at Sophos. "The hackers' plan is to use a domain name that they know Conficker will query on a certain day, enabling them to plant instructions for the botnet - which might send spam or launch other malicious attacks."
"However, some of these domain names that Conficker-infected computers are scheduled to visit are already owned by legitimate organisations - like Southwest Airlines - meaning that on a given day these sites will be bombarded by traffic as an army of computers try to visit their site for commands," continued Cluley. "They won't receive any instructions, but havoc could be caused by the worm reaching out to the site. In Southwest Airlines's case, on Friday 13 March, this could mean that customers may not be able to check in online or even access the site."
Sophos has contacted the owners of the legitimate domains on Conficker's list for March, including Southwest Airlines, and has offered advice on how to reduce the impact of the unwanted traffic. In the meantime, Microsoft continues to offer a US $250,000 reward for information that leads to the capture and conviction of the authors of the Conficker worm that continues to wreak havoc.
More information, including details of other legitimate websites which could be impacted by Conficker during March, can be found on the SophosLabs blog.