So, T was talking with me just the other day about the Conficker worm, and had a bit of a question. She'd finished listening to Steve Gibson's excellent Security Now podcast on the worm (episode 193), and was wondering about the checking of random domains. The question was basically how that could help infect machines.
The answer is that Conficker does not use those domains to infect new machines at all. They are a rendezvous point: the bots that are already infected generate a fresh list of pseudo-random domain names each day (the list is derived from the current date, so every bot and the worm's author compute the same names), try to contact each one, and wait for the author to register one of them and post an update there. Other, standard means are used to infect new boxes and bring them into the botnet, and to mount DoS attacks and the like. Once I mentioned "zombie" as a term, she said, "Yes, I get that. So you basically have the evil horde wandering to random intersections waiting to answer calls as they pass phone booths." Her question had been trying to figure out what the purpose of that would be, if it were not to infect new machines.
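To make the rendezvous idea concrete, here is a toy domain-generation scheme as an added example. It is not Conficker's real algorithm and not code from the original post; the seed, the SHA-256 construction, the domain count and the in-memory "DNS" registry are all assumptions made for illustration. It shows the three parties that matter: the bot computes the day's domain list and knocks on each door, the operator registers one of those domains and hosts the update there, and a defender who has recovered the algorithm can precompute upcoming days' lists and register (sinkhole) them first, which is the countermeasure that was actually used against Conficker.

```python
import hashlib
from datetime import date, timedelta

# Assumed toy parameters: a shared secret seed baked into the bot, a small
# set of TLDs, and ten candidate domains per day. Conficker's real scheme differs.
SEED = b"toy-seed"
TLDS = ("com", "net", "org", "info", "biz")
PER_DAY = 10


def daily_domains(day: date, count: int = PER_DAY, seed: bytes = SEED) -> list[str]:
    """Derive the day's rendezvous domains deterministically from the date.

    Anyone holding the seed and algorithm (bot, operator, or a defender who
    reverse-engineered the worm) gets exactly the same list for a given day.
    """
    domains = []
    for i in range(count):
        digest = hashlib.sha256(seed + day.isoformat().encode() + i.to_bytes(2, "big")).digest()
        length = 8 + digest[0] % 5                      # label length 8..12
        label = "".join(chr(ord("a") + b % 26) for b in digest[1:1 + length])
        tld = TLDS[digest[31] % len(TLDS)]
        domains.append(f"{label}.{tld}")
    return domains


def register(dns: dict[str, str], domain: str, payload: str) -> bool:
    """Register a domain in the toy registry; first come, first served."""
    if domain in dns:
        return False
    dns[domain] = payload
    return True


def operator_publish(day: date, dns: dict[str, str], payload: str, pick: int = 3):
    """Operator registers one of today's domains and hosts the update there.

    Returns the domain used, or None if someone else already owns it.
    """
    domain = daily_domains(day)[pick]
    return domain if register(dns, domain, payload) else None


def bot_check_in(day: date, dns: dict[str, str]):
    """Bot tries each of today's domains in order; returns the first thing it finds."""
    for domain in daily_domains(day):
        if domain in dns:
            return dns[domain]
    return None


def defender_preregister(day: date, dns: dict[str, str], days_ahead: int = 7) -> list[str]:
    """Defender precomputes the next N days' lists and sinkholes every free name."""
    sinkholed = []
    for n in range(1, days_ahead + 1):
        for domain in daily_domains(day + timedelta(days=n)):
            if register(dns, domain, "SINKHOLE"):
                sinkholed.append(domain)
    return sinkholed


def run_scenario(start: date = date(2009, 4, 1)) -> dict:
    """Play the three parties against each other over two days."""
    dns: dict[str, str] = {}
    results = {}
    today = daily_domains(start)
    tomorrow = start + timedelta(days=1)
    results["deterministic"] = today == daily_domains(start)
    results["day_differs"] = today != daily_domains(tomorrow)
    # Day 0: operator gets there first, bot pulls the update.
    results["published"] = operator_publish(start, dns, "update-v2")
    results["published_in_list"] = results["published"] in today
    results["day0_fetch"] = bot_check_in(start, dns)
    # Defender sinkholes the next three days before the operator acts.
    results["sinkholed"] = len(defender_preregister(start, dns, days_ahead=3))
    # Day 1: operator is locked out; bots land in the sinkhole instead.
    results["day1_publish"] = operator_publish(tomorrow, dns, "update-v3")
    results["day1_fetch"] = bot_check_in(tomorrow, dns)
    return results


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

The point the scenario makes is that the rendezvous list only has to be unpredictable to people who don't have the algorithm; once the worm is disassembled, the defender has the same foreknowledge the operator does, and the race becomes who registers tomorrow's names first.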
"Simple", I answered. "To get updates". That, of course, raises the question of what exactly one would need to update a zombie for. Well... using the analogy, the answer turned out to be very simple. Aside from the basic cat-and-mouse aspect of hiding from the zombie hunters, which T. already understood, a big reason to update your zombies would be... to teach them to turn doorknobs!
In classic zombie movies, the heroes always end up huddled together inside a room/house/cabin/pub where the closed doors cause the feeble-minded attackers to fumble uselessly against the panels of the door. Teach them to quickly open such obstacles and suddenly the horde is swarming right in to attack your PC and eat its brains. ♪ ♫