On the eve of Conficker.C's expected activation date, April 1, more than 100 providers of top-level domains around the world are trying to block the registration of tens of thousands of domain names that the Conficker worm could start using Wednesday to get botnet instructions.
That effort started last February when an industry group, which included ICANN and Microsoft, came together to form a united front against the scourge of Conficker, a sophisticated piece of malware infecting millions of Windows-based computers around the world. The group is called the Conficker Working Group.
Starting Wednesday, Conficker could be activated to scan for about 50,000 domain names per day -- a different 50,000 names each day for months -- in a process security experts believe is intended to allow the worm to locate instructions for downloads or destructive operations. It's suspected that most of the domain names are a cover to hide the real points of botnet control.
The idea is for the Top-Level Domain (TLD) providers to do what they can to block the registration of the tens of thousands of domain names Conficker appears programmed to search for. It's a process that those involved say has been ongoing -- though it may not ultimately be successful.
"This is a case of the weakest link," acknowledges Roland LaPlante, senior vice president of Afilias, the registry operator that provides technical services to 15 TLDs, including .info and .org but also .Asia, along with .BZ for Belize and .IN for India -- a total of about 14 million domains.
LaPlante says ICANN has been trying to coordinate the TLD providers around the world to block registration of the Conficker worm's programmed domain names, but it appears less than half of the TLDs are actively cooperating. Sometimes it's simply that there are small TLDs around the world run by one person who may not even answer the phone. He notes that the Internet Corp. for Assigned Names and Numbers (ICANN) has very limited authority to compel actions.
Afilias has blocked more than 300,000 names so far in the domains that it supports, and expects to block more than 1 million over the course of the year. Greg Aaron, director of domain security at Afilias, says most of the domain names in Conficker's scanning mechanism appear to be random combinations of letters.
Attempts at registering Conficker names are viewed as suspicious and referred to law enforcement, Afilias says.
So, while an attempt is being made to block Conficker's preferred domain names, the effort may not work if Conficker's creators find a willing source from somewhere in the world to supply domain names they want.
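The article notes that most of the names are random letter strings and that registries are blocking their registration, so an infected machine's lookups for them mostly fail to resolve. As an added example (not from the article or the Conficker Working Group), this Python code flags clients in a resolver log by that pattern; the log format, thresholds, randomness heuristic and sample names are assumptions constructed for illustration.

```python
import math
from collections import Counter, defaultdict

# Constructed resolver log (timestamp, client, query name, response code).
SAMPLE_LOG = """\
2009-04-01T00:00:05 10.0.0.23 qzkxwvbt.info NXDOMAIN
2009-04-01T00:00:06 10.0.0.23 lrpdmqhc.org NXDOMAIN
2009-04-01T00:00:07 10.0.0.23 xvtnbkjw.in NXDOMAIN
2009-04-01T00:00:08 10.0.0.23 wpzgfrkd.bz NXDOMAIN
2009-04-01T00:00:09 10.0.0.23 www.example.com NOERROR
2009-04-01T00:00:10 10.0.0.40 exmaple.com NXDOMAIN
2009-04-01T00:00:11 10.0.0.40 mail.example.org NOERROR
""".splitlines()

def looks_random(label):
    """Assumed heuristic, not Conficker's generator: 5+ letters, high entropy, few vowels."""
    if len(label) < 5 or not label.isalpha():
        return False
    n = len(label)
    entropy = -sum(c / n * math.log2(c / n) for c in Counter(label).values())
    vowel_ratio = sum(ch in "aeiou" for ch in label) / n
    return entropy >= 2.2 and vowel_ratio <= 0.25

def flag_clients(lines, min_names=4, min_tlds=3):
    """Return {client: names} for clients with many failed lookups of random-looking names."""
    seen = defaultdict(set)
    for line in lines:
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines
        _ts, client, qname, rcode = parts
        labels = qname.lower().rstrip(".").split(".")
        # Only unregistered names (NXDOMAIN) count; the label left of the TLD is tested.
        if rcode == "NXDOMAIN" and len(labels) >= 2 and looks_random(labels[-2]):
            seen[client].add(labels[-2] + "." + labels[-1])
    flagged = {}
    for client, names in seen.items():
        tlds = {name.rsplit(".", 1)[1] for name in names}
        # Requiring several TLDs separates this pattern from one mistyped name.
        if len(names) >= min_names and len(tlds) >= min_tlds:
            flagged[client] = sorted(names)
    return flagged

if __name__ == "__main__":
    for client, names in flag_clients(SAMPLE_LOG).items():
        print(client, len(names), "suspicious failed lookups:", ", ".join(names))
```

On a production resolver the thresholds would be set per time window and tuned against normal traffic, since the values here only fit the seven-line sample.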
Comments (5)
So use OpenDNS
By Anonymous on March 31, 2009, 5:52 pm
We moved to OpenDNS for our DNS forwarders over a year ago. Very pleased with them. And they are also blocking the Conficker domains. Tachyon
haha
By Anonymous on April 1, 2009, 3:51 pm
blocking domain names? Are you serious. You must not know much in this field, it is randomly (RANDOMLY) generating 50,000 different domain names. You would need...
Today in history
By Anonymous on April 1, 2009, 4:01 pm
The question is what was or is being covered up by using the Conficker as a smoke screen???
I believe it may have already started......
By Anonymous on April 4, 2009, 10:29 pm
As I was checking my email I found several hotmail emails about trying to sell electronics and various other products that had domains like mphfec.com, 5yfc.com and...
(whdavid@hotmail.com) email'd me advertising mphfec...
By Anonymous on July 17, 2009, 5:22 am
(whdavid@hotmail.com) email'd me advertising mphfec.com