The Conficker Virus.

Michael Holstein michael.holstein at csuohio.edu
Wed Apr 1 17:06:07 UTC 2009


> What's the virus doing with all of those domain names?
>   

Domain names are enumerated at random (based on date) as a way around 
hard-coding an IP/domain that could be easily taken down. The domain 
names are used for the command & control of the worm, and presumably at 
least one of them will be registered at some point (if not already) by 
the worm authors.

Read up on the specifics at one of the (many) sites where research is 
being done on it : http://www.dshield.org/conficker

~Mike.

> On Wed, Apr 1, 2009 at 8:38 AM, Michael Holstein
> <michael.holstein at csuohio.edu> wrote:
>   
>>> Of the 50,000 DNS names generated for today ..
>>>       
>> Additional info ..
>>
>> Top 10 ASN by number/name :
>>
>> 5680 -- 1280 ISC-AS1280 Internet Systems Consortium, Inc.     2820 -- 1668
>> AOL-ATDN - AOL Transit Data Network    2737 -- 23028 TEAM-CYMRU - Team Cymru
>> Inc.     404 -- 760 University of Vienna, Austria      20 -- 1887
>> NASK-ACADEMIC NASK        10 -- 4134 CHINANET-BACKBONE No.31,Jin-rong Street
>>       7 -- 21844 THEPLANET-AS - ThePlanet.com Internet Services, Inc.    5
>> -- 8560 ONEANDONE-AS 1&1 Internet AG      4 -- 12306 PLUSLINE Plus.Line AG
>> IP-Services      3 -- 26496 PAH-INC - GoDaddy.com, Inc.
>> So you can tell the "good guys" are still at it pre-registering the bulk of
>> the conflickr-related domain names.
>>
>> Cheers,
>>
>> Michael Holstein
>> Cleveland State University
>>
>>
>>     
>
>
>   
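The two points made in this thread, that a date-seeded list of candidate domains is predictable to anyone who can reproduce the generator, and that tallying the ASNs behind the candidates that already resolve shows who pre-registered them, as an added example that is not part of the original thread. The generator here is a hypothetical SHA-256-based stand-in and is not Conficker's algorithm; the resolution table is constructed sample data (ASN 64496 is from the documentation range and marks an unknown registrant); the "trusted sinkhole" set reuses three ASN numbers from the quoted tally but the choice of what to trust is an assumption.

```python
import datetime
import hashlib
from collections import Counter

TLDS = ("com", "net", "org")

# ASNs that the quoted tally shows doing the bulk of the pre-registration.
# Treating them as trusted sinkholes is this example's assumption.
TRUSTED_SINKHOLE_ASNS = {"1280", "1668", "23028"}


def daily_domains(day, count=8, seed=b"hypothetical-seed"):
    """Hypothetical date-seeded generator (NOT Conficker's real algorithm).

    Every candidate is a pure function of (seed, day, index), which is why a
    defender who has recovered the seed can compute the same list in advance.
    """
    domains = []
    for i in range(count):
        digest = hashlib.sha256(
            seed + day.isoformat().encode() + i.to_bytes(4, "big")
        ).hexdigest()
        # First ten hex digits mapped onto letters a-p for a readable label.
        label = "".join(chr(ord("a") + int(c, 16)) for c in digest[:10])
        tld = TLDS[int(digest[10], 16) % len(TLDS)]
        domains.append(f"{label}.{tld}")
    return domains


def constructed_resolutions(domains):
    """Constructed stand-in for a DNS plus IP-to-ASN lookup of each candidate.

    Returns domain -> (asn, asn_name). Domains missing from the table did not
    resolve (nobody has registered them yet). ASN 64496 is reserved for
    documentation (RFC 5398) and here represents an unknown registrant.
    """
    table = {}
    for i, d in enumerate(domains):
        if i % 4 == 0:
            table[d] = ("1280", "ISC-AS1280 Internet Systems Consortium, Inc.")
        elif i % 4 == 1:
            table[d] = ("1668", "AOL-ATDN - AOL Transit Data Network")
        elif i % 4 == 2:
            table[d] = ("64496", "UNKNOWN-REGISTRANT (constructed)")
        # i % 4 == 3: NXDOMAIN, still unregistered
    return table


def asn_tally(domains, resolutions):
    """Count resolving candidates per (asn, name), like the 'Top 10 ASN' list."""
    return Counter(resolutions[d] for d in domains if d in resolutions)


def unregistered(domains, resolutions):
    """Candidates nobody has registered yet: the ones still worth sinkholing."""
    return [d for d in domains if d not in resolutions]


def suspicious_registrations(domains, resolutions, trusted=TRUSTED_SINKHOLE_ASNS):
    """Resolving candidates whose ASN is not a known sinkhole operator.

    These deserve a closer look: either a registrar holding page or someone
    other than the researchers registered the name first.
    """
    return [
        d for d in domains
        if d in resolutions and resolutions[d][0] not in trusted
    ]


if __name__ == "__main__":
    today = datetime.date(2009, 4, 1)
    cands = daily_domains(today)
    res = constructed_resolutions(cands)
    for (asn, name), n in asn_tally(cands, res).most_common():
        print(f"{n:5d} -- {asn} {name}")
    print("unregistered:", unregistered(cands, res))
    print("needs a look:", suspicious_registrations(cands, res))
```

The tally function is the interesting part for a defender: run it over the real day's list with real resolution data and a drop in the trusted-sinkhole share, or a new ASN climbing the list, is the signal that someone other than the researchers has started registering names.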





More information about the NANOG mailing list