
Conficker.A DNS Rendezvous Analysis

by James Maniscalchi // 7 June 2009

In an attempt to gain a better understanding of who was registering the Conficker.A/B DNS rendezvous points (whether out of interest, for malicious purposes or for sinkholing), I used downatool2 from Bonn University, Germany to calculate all the rendezvous points from January to May for both Conficker.A and Conficker.B.

I ran WHOIS checks on all 90,000 names and extracted the registrant from those that exist. Where an e-mail address was available I used that as the registrant identifier, falling back on the registrant name, and then on the registrar, where no e-mail address was present.
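The registrant-extraction step described above, as an added example that is not part of the original post: it applies the same e-mail, then name, then registrar fallback to a handful of constructed WHOIS responses (real registrar output varies in layout, so the field names here are an assumption), skips unregistered names, and produces the two views the post reports on: domains per registrant and registrations per month.

```python
import re
from collections import Counter

# Constructed WHOIS responses, one per candidate rendezvous domain (not real data).
SAMPLE_WHOIS = {
    "example-a.com": "Domain Name: EXAMPLE-A.COM\nRegistrar: Registrar One, Inc.\n"
                     "Creation Date: 2009-02-14\nRegistrant Name: Sinkhole Operator\n"
                     "Registrant Email: sinkhole@example.org\n",
    "example-b.net": "Domain Name: EXAMPLE-B.NET\nRegistrar: Registrar One, Inc.\n"
                     "Creation Date: 2009-02-20\nRegistrant Name: Sinkhole Operator\n"
                     "Registrant Email: SINKHOLE@example.org\n",
    "example-c.org": "Domain Name: EXAMPLE-C.ORG\nRegistrar: Registrar Two LLC\n"
                     "Creation Date: 2009-04-01\nRegistrant Name: Jane Doe\n",
    "example-d.info": "Domain Name: EXAMPLE-D.INFO\nRegistrar: Registrar Two LLC\n"
                      "Creation Date: 2009-04-15\n",
    "example-e.biz": 'No match for "EXAMPLE-E.BIZ".\n',   # never registered
}

# Field patterns in fallback order: e-mail, then registrant name, then registrar.
# The exact field labels are an assumption; adjust them to the registrar's format.
FIELD_RES = [re.compile(p, re.M | re.I) for p in (
    r"^Registrant Email:\s*(\S+)", r"^Registrant Name:\s*(.+)$", r"^Registrar:\s*(.+)$")]
CREATED_RE = re.compile(r"^Creation Date:\s*(\d{4}-\d{2})", re.M | re.I)

def registrant_key(whois_text):
    """Best available registrant identifier, or None if the name is unregistered."""
    if re.search(r"^No match", whois_text, re.M | re.I):
        return None
    for rx in FIELD_RES:
        m = rx.search(whois_text)
        if m:
            return m.group(1).strip().lower()   # normalise case so aliases merge
    return "unknown"

def domains_by_registrant(records):
    """Map registrant -> sorted domains, skipping unregistered names."""
    out = {}
    for domain, text in records.items():
        key = registrant_key(text)
        if key is not None:
            out.setdefault(key, []).append(domain)
    return {k: sorted(v) for k, v in out.items()}

def registration_histogram(records):
    """How many registrants hold 1, 2, ... domains (the 'single address' statistic)."""
    return Counter(len(v) for v in domains_by_registrant(records).values())

def registrations_by_month(records):
    """Registered domains per creation month, for the 'registrations by date' view."""
    months = Counter()
    for text in records.values():
        m = CREATED_RE.search(text)
        if m and registrant_key(text) is not None:
            months[m.group(1)] += 1
    return dict(months)
```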

Conficker.A Analysis

Conficker.A domains were largely unregistered until the SRI report was released, followed shortly afterwards by the $250,000 reward offered by Microsoft. The effect of the Conficker Working Group begins to show in mid-April.

[Figure: confickeradate, Conficker.A rendezvous domain registrations by date]

Over 220 unique registrants were extracted from the WHOIS results returned, the vast majority of whom had registered only a single address.

[Figure: confickeraemail, Conficker.A registrations per registrant e-mail address]

Conficker.B

Similar data is being processed for Conficker.B rendezvous points and will be available on Digital Threat soon.

Data

The Conficker.A/B domain rendezvous points used to generate this data, along with the statistics generated, will be available as a ZIP download soon.
