The Conficker worm has yet to eclipse Storm in terms of the total amount of chaos it created at any one time, but the botnet is proving annoyingly hard to kill. What began as an infection that took advantage of a handful of businesses with extremely slow patch validation cycles has become, and has remained, a significant threat.

This has undoubtedly caused much wailing and gnashing of teeth within the halls of Microsoft itself; the company released a security update to resolve the flaw Conficker relies upon (MS08-67) in October, well before Conficker itself appeared. Security researchers have examined how Conficker phones home for updates and have determined that at least four legitimate domains are going to be targeted by thousands of botnet systems requesting instructions in the weeks ahead.

Mike Wood, at Sophos, was able to determine which domains would be targeted thanks to F-Secure's earlier work on cracking Conficker's random domain-name generator. With that information in hand, Wood searched the 7,750 domains Conficker will attempt to contact in March, checking for evidence that one or more of them might correspond to a legitimate business. After limiting his search to those domains that correspond with an active IP address and then applying further filters, Wood ended up with a list of 28 individual domains.

"Of those 28 domains, the vast majority are names currently up for sale which the registrar conveniently resolves to their main page suggesting that you buy it. One interesting domain up for sale is yakiimo.com—the owners are asking a cool �3,880 for it—not sure yet if being one of the March 20th 2009 Conficker domains will increase or decrease its value."

Sites in the path of danger include jogli.com (Big Web Great Music, March 8), wnsux.com (Southwest Airlines, March 13), qhflh.com (Women's Net in Qinghai Province, March 18), and praat.org (Praat: doing phonetics by computer, March 31). There are several ways Conficker's upcoming bludgeon of traffic could be diverted or stopped; Wood's blog entry gives some details on these. In closing he speculates on whether or not surviving a Conficker attack will one day be viewed as a network badge of honor, but notes: "I’m glad sophos.com did not make the list."
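Because the dates on which infected machines will look up each domain are known in advance, a defender can watch internal DNS logs for clients that query those names on schedule. The following is an added example, not code from the article or from Sophos: it assumes a hypothetical three-field resolver log format (timestamp, client IP, queried name), uses only the domain/date pairs mentioned above as its watch list, and treats repeated on-schedule lookups as the signal worth triaging.

```python
import re
from collections import defaultdict
from datetime import date

# Domains and the dates on which the article says Conficker clients will
# contact them. The real March list has 7,750 entries; this is a sample.
CONFICKER_MARCH_2009 = {
    "jogli.com": date(2009, 3, 8),
    "wnsux.com": date(2009, 3, 13),
    "qhflh.com": date(2009, 3, 18),
    "yakiimo.com": date(2009, 3, 20),
    "praat.org": date(2009, 3, 31),
}

# Constructed sample resolver log (hypothetical format, not a real capture):
# "<ISO timestamp> <client IP> <queried name>"
SAMPLE_LOG = """\
2009-03-13T02:14:07 10.1.4.22 wnsux.com
2009-03-13T02:14:09 10.1.4.22 wnsux.com
2009-03-13T02:15:11 10.1.4.22 qhflh.com
2009-03-13T09:30:00 10.1.7.5 www.southwest.com
2009-03-18T00:01:44 10.1.4.22 qhflh.com
2009-03-18T00:02:01 10.1.9.14 qhflh.com
2009-03-31T11:00:00 10.1.7.5 praat.org
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)$")

def parse_line(line):
    """Return (date, client, name) for one log line, or None if malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, client, name = m.groups()
    return date.fromisoformat(ts[:10]), client, name.lower().rstrip(".")

def find_conficker_lookups(log_text, domains=CONFICKER_MARCH_2009):
    """Map each client to its lookups of watch-listed domains as
    (date, domain, on_schedule). on_schedule is False when the query falls
    on a day the worm is not expected to use that domain, which is more
    likely a human visiting a legitimate site such as praat.org."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        day, client, name = parsed
        if name in domains:
            hits[client].append((day, name, day == domains[name]))
    return dict(hits)

def suspected_infections(log_text, domains=CONFICKER_MARCH_2009, min_hits=2):
    """Clients with at least min_hits on-schedule lookups; one lookup of a
    legitimate site is too weak a signal on its own, so it is not flagged."""
    hits = find_conficker_lookups(log_text, domains)
    return sorted(c for c, h in hits.items() if sum(on for _, _, on in h) >= min_hits)
```

A flagged host is a candidate for checking whether the MS08-67 update mentioned above was actually applied, not proof of infection on its own.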

When Conficker first poked its head into the wild, we raised the question of whether it was time for forced updates; unilateral deployment of MS08-67 would have stopped Conficker dead in the water. For whatever reason, a handful of businesses neglected to patch and as a result, Conficker is bouncing merrily around wreaking havoc. It's tempting to blame these slow-patching businesses, but there's no evidence to suggest the companies in question weren't on the ball—there are times when a department's own established best practices or the need to guarantee 100% uptime make it impractical to patch as soon as a fix is delivered.

Knowing what addresses Conficker-infected systems will contact for additional instructions has proven to be a boon for the white hats attempting to shut the botnet down—hopefully the advance warning individuals like Wood have provided here will minimize any future damage.