Computers infected by the Downadup worm will "phone home" to several legitimate URLs this month, including one owned by Southwest Airlines, potentially disrupting those sites, a security researcher said Sunday.
According to a researcher at Sophos, the Downadup worm -- also known as Conficker -- will try to contact wnsux.com on March 13 for further instructions. That URL, however, is owned by Southwest Airlines, and redirects visitors to the airline's primary southwest.com address.
"On March 13, the millions of machines infected with Conficker will be contacting wnsux.com for further instructions," said a Sophos researcher identified as MikeW in an entry on the company's blog. "They won't get any [instructions], but that may certainly disrupt the operation of southwest.com."
Once it has infected a PC, Downadup generates a list of 250 possible domains -- the list changes daily -- selects one, then uses that URL to reach a hacker-controlled server from which it downloads additional malware to install on the hijacked computer. The wnsux.com address is one of the 7,750 domains that the worm may use during March, said MikeW.
Previously, researchers had reverse-engineered the algorithm that determines any given day's list of command-and-control routing domains. Then, last month, nearly 20 technology companies and organizations, among them Microsoft and ICANN, the nonprofit group that manages the Internet Domain Name System, combined forces to disrupt the budding botnet by preemptively removing those addresses from circulation.
MikeW spotted several other legitimate sites on March's Downadup list, including jogli.com (Big Web Great Music) and qhflh.com (Women's Net in Qinghai Province), slated for "phone home" use on March 8 and March 18, respectively.
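An added example, not from the article or from Sophos: a defender holding the reverse-engineered daily domain list can match it against DNS query logs to find hosts phoning home, while setting aside hits on the legitimate sites named above for manual review, since ordinary visitors query those names too. The log format, the `.test` filler domains and the function names are assumptions; only wnsux.com, jogli.com, qhflh.com and their March dates come from the article.

```python
from collections import defaultdict

# Per-day rendezvous domains, keyed by "MM-DD". The three real entries are the
# ones named in the article; the "example-dga-*.test" names are constructed.
SCHEDULE = {
    "03-08": {"jogli.com", "example-dga-a.test"},
    "03-13": {"wnsux.com", "example-dga-b.test"},
    "03-18": {"qhflh.com", "example-dga-c.test"},
}
# Scheduled domains that the article says belong to legitimate sites.
LEGIT_COLLISIONS = {"wnsux.com", "jogli.com", "qhflh.com"}

# Constructed DNS query log: "<ISO timestamp> <client IP> <queried name>"
SAMPLE_LOG = """\
2009-03-13T09:14:02 10.0.0.5 WNSUX.com.
2009-03-13T09:15:40 10.0.0.7 www.southwest.com
2009-03-13T10:02:11 10.0.0.9 example-dga-b.test
2009-03-12T23:59:59 10.0.0.5 wnsux.com
2009-03-18T04:00:00 10.0.0.9 www.qhflh.com
malformed line
"""

def registered_domain(name):
    """Lower-case, drop the trailing dot, keep the last two labels.
    Simplification: good enough for two-label names like the ones here."""
    labels = name.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])

def triage(log_text, schedule=SCHEDULE, collisions=LEGIT_COLLISIONS):
    """Return {client: [(day, domain, verdict), ...]} for queries that hit a
    domain on the day it is scheduled. A scheduled domain queried on any
    other day is ignored, because the list changes daily."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines
        stamp, client, qname = parts
        day = stamp[5:10]  # "MM-DD" slice of the ISO timestamp
        domain = registered_domain(qname)
        if domain in schedule.get(day, ()):
            # A hit on a legitimate site is weak evidence on its own.
            verdict = "review" if domain in collisions else "likely-infected"
            hits[client].append((day, domain, verdict))
    return dict(hits)

if __name__ == "__main__":
    for client, rows in triage(SAMPLE_LOG).items():
        print(client, rows)
```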