The Conficker Virus.

Michael Holstein michael.holstein at csuohio.edu
Wed Apr 1 14:11:27 UTC 2009


> Is anyone aware of any network-based signatures that could be used to
> identify and tag IP traffic, for dropping at the ingress/egress points?
>   

http://iv.cs.uni-bonn.de/wg/cs/applications/containing-conficker/

Has Snort sigs for the .A and .B variants .. haven't seen one for .C yet, 
but there is a tool on that same site called 'downatool2' to enumerate 
the domain list (to run through a parallel DNS tool, etc., and then check 
netflow and such).

I did this just now for the .C variant (using 'wine downatool2_01.exe 
-c' and then piping results through 'adnshost -a -f -Fi' after a little 
cleanup) .. results?

Of the 50,000 DNS names generated for today ..

32,947 don't resolve.

For the remainder .. if I sort the list .. I get

107 unique /16s
308 unique /24s
11777 unique hosts (mostly sequential within a /24 or shorter mask).

Here are the top 10 /16s with counts:

149.93/16 -- 8500
38.229/16 -- 2737
192.174/16 -- 404
148.81/16 -- 20
97.74/16 -- 13
75.125/16 -- 9
60.29/16 -- 7
221.130/16 -- 7
124.42/16 -- 7
118.102/16 -- 7

If anyone wants to save themselves the trouble and wants today's list of 
IPs (which could change quickly .. I didn't query SOA info) .. ping me 
off-list.



Regards,

Michael Holstein
Cleveland State University
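The aggregation step described in the post above (resolve the day's generated names, then count unique hosts per /16 and /24 and list the busiest /16s), as an added example that is not part of the original message or of downatool2/adnshost. Domain generation is left to downatool2; this script only consumes resolver output. The input format ("<name> <ip|NXDOMAIN>" per line) and the names and addresses in SAMPLE_RESULTS are constructed for illustration and are not adnshost's real output format. It goes one step beyond the post by also collapsing the resolved hosts into minimal CIDR blocks, which is what you would actually hand to an ingress/egress ACL.

```python
"""Aggregate resolver output for a Conficker.C-style daily domain list.

Added example: constructed input, hypothetical names/IPs (RFC 5737 ranges).
"""
from collections import Counter
import ipaddress

# Constructed sample resolver output: one "<name> <ip|NXDOMAIN>" per line.
SAMPLE_RESULTS = """\
abcdeq.ws 203.0.113.10
fghijk.info 203.0.113.11
lmnopq.biz 203.0.113.12
rstuvw.org NXDOMAIN
xyzabc.net 198.51.100.7
defghi.com 198.51.100.200
jklmno.cc NXDOMAIN
pqrstu.tv 203.0.113.10
vwxyza.cn 192.0.2.1
"""


def parse_results(text):
    """Return (unresolved_count, {name: IPv4Address}).

    Anything in the answer column that is not a parseable IPv4 address
    (NXDOMAIN, SERVFAIL, timeouts) is counted as unresolved.
    """
    unresolved = 0
    resolved = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 2:
            continue
        name, answer = parts[0], parts[1]
        try:
            ip = ipaddress.ip_address(answer)
        except ValueError:
            unresolved += 1
            continue
        if ip.version != 4:
            unresolved += 1  # only IPv4 matters for the netflow/ACL use case
            continue
        resolved[name] = ip
    return unresolved, resolved


def summarize(resolved, top=10):
    """Count unique hosts per /16 and /24 (the 'sort | uniq' view in the post)."""
    hosts = set(resolved.values())
    by16 = Counter()
    by24 = Counter()
    for ip in hosts:
        by16[ipaddress.ip_network(f"{ip}/16", strict=False)] += 1
        by24[ipaddress.ip_network(f"{ip}/24", strict=False)] += 1
    return {
        "unique_hosts": len(hosts),
        "unique_16": len(by16),
        "unique_24": len(by24),
        # (prefix, unique-host count), busiest first, ties broken by prefix
        "top_16": [(str(net), n) for net, n in
                   sorted(by16.items(), key=lambda kv: (-kv[1], kv[0]))[:top]],
    }


def collapse_to_cidrs(resolved):
    """Merge adjacent resolved hosts into the fewest CIDR blocks for an ACL."""
    hosts = set(resolved.values())
    return [str(net) for net in ipaddress.collapse_addresses(hosts)]


if __name__ == "__main__":
    unresolved, resolved = parse_results(SAMPLE_RESULTS)
    summary = summarize(resolved)
    print(f"{unresolved} don't resolve.")
    print(f"{summary['unique_16']} unique /16s, {summary['unique_24']} unique /24s, "
          f"{summary['unique_hosts']} unique hosts")
    for prefix, count in summary["top_16"]:
        print(f"{prefix} -- {count}")
    print("ACL blocks:", ", ".join(collapse_to_cidrs(resolved)))
```

Because the post notes the addresses can change quickly, re-run this against a fresh resolution before pushing the collapsed blocks to a filter, and keep the unresolved count: a sudden drop in it is the signal that the domains have started pointing somewhere real.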




More information about the NANOG mailing list