Conficker.A DNS Rendezvous Analysis

by Jago Maniscalchi  //  June 7, 2009  //  Exploits and Malware

In an attempt to gain a better understanding of who was registering Conficker.A/B DNS rendezvous points (whether out of interest, for malicious purposes or for sinkholing), I have used downatool2 from Bonn University, Germany, to calculate all the rendezvous points from January to May for Conficker.A and for Conficker.B.

I ran WHOIS checks on all 90,000 names and extracted the registrant from those that exist. Where I could get an e-mail address I have used that, falling back on the registrant name or the registrar where no e-mail address was available.

Conficker.A Analysis

Conficker.A domains were largely unregistered until the SRI report was released, followed shortly afterwards by the $250,000 reward offered by Microsoft. The effect of the Conficker Working Group becomes visible from mid-April.

[Chart: Conficker.A rendezvous domain registrations by date (confickeradate)]

Over 220 unique registrants were extracted from the WHOIS results returned; the vast majority of them had registered only a single domain.

[Chart: Conficker.A registrations by registrant e-mail address (confickeraemail)]
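The registrant extraction and the per-registrant counts described above, as an added example that is not the post's own code and does not use downatool2 or live WHOIS: each domain is paired with a raw WHOIS response, non-existent domains are dropped, a registrant identifier is chosen with the same fallback order as the post (e-mail, then registrant name, then registrar), and the results are tallied by registrant and by creation date. The domain names, WHOIS records, registrar names and e-mail addresses below are constructed for illustration; the field labels are the common "Key: value" forms, and a real corpus would need the parser extended for each TLD's WHOIS layout.

```python
"""Tally WHOIS results for DGA rendezvous domains by registrant and date."""
import re
from collections import Counter

# Constructed sample: domain -> raw WHOIS text. None of this is real WHOIS output.
SAMPLE_WHOIS = {
    "qwvdqzk.com": 'No match for "QWVDQZK.COM".\n',
    "mhpxbwx.net": (
        "Domain Name: MHPXBWX.NET\n"
        "Creation Date: 2009-02-18T10:02:11Z\n"
        "Registrar: Example Registrar Ltd\n"
        "Registrant Name: Sinkhole Operator\n"
        "Registrant Email: sinkhole@example.org\n"
    ),
    "jcgxuqpf.org": (
        "Domain Name: JCGXUQPF.ORG\n"
        "Created On: 2009-03-04\n"
        "Sponsoring Registrar: Example Registrar Ltd\n"
        "Registrant Name: Sinkhole Operator\n"
        "Registrant Email: SINKHOLE@example.org\n"   # same party, different case
    ),
    "zpoijqk.info": (
        "Domain Name: ZPOIJQK.INFO\n"
        "Created On: 2009-04-15\n"
        "Sponsoring Registrar: Other Registrar Inc\n"
        "Registrant Name: A N Other\n"
        "Registrant Email: \n"                       # empty: fall back to name
    ),
    "yqrvsxj.biz": (
        "Domain Name: YQRVSXJ.BIZ\n"
        "Creation Date: 2009-04-15\n"
        "Registrar: Privacy Shield Registrar\n"      # no contact data: registrar
    ),
    "kkdeuq.com": "NOT FOUND\n",
}

# Phrases WHOIS servers use for unregistered names; checked only in the
# first lines so that a contact field containing "not found" is not mistaken.
NOT_FOUND_MARKERS = ("no match for", "not found", "no data found", "no entries found")

# One regex per field, anchored to line start so "Admin Email:" does not
# match the registrant e-mail pattern.
FIELD_PATTERNS = {
    "email": r"^\s*(?:registrant\s+)?e-?mail:\s*(.*)$",
    "name": r"^\s*registrant(?:\s+name)?:\s*(.*)$",
    "registrar": r"^\s*(?:sponsoring\s+)?registrar:\s*(.*)$",
    "created": r"^\s*(?:creation\s+date|created\s+on|registered\s+on):\s*(.*)$",
}


def domain_exists(whois_text):
    """True unless the response opens with a 'no such domain' phrase."""
    head = whois_text.strip().lower()[:200]
    return not any(marker in head for marker in NOT_FOUND_MARKERS)


def field(whois_text, key):
    """First non-empty value for the named field, or None."""
    match = re.search(FIELD_PATTERNS[key], whois_text, re.I | re.M)
    if match and match.group(1).strip():
        return match.group(1).strip()
    return None


def registrant_id(whois_text):
    """(kind, identifier): e-mail first, then registrant name, then registrar."""
    email = field(whois_text, "email")
    if email:
        return ("email", email.lower())   # case-fold so one party is one key
    name = field(whois_text, "name")
    if name:
        return ("name", name)
    registrar = field(whois_text, "registrar")
    if registrar:
        return ("registrar", registrar)
    return ("unknown", "?")


def creation_date(whois_text):
    """Creation date as 'YYYY-MM-DD', tolerating a trailing time component."""
    raw = field(whois_text, "created")
    match = re.match(r"\d{4}-\d{2}-\d{2}", raw or "")
    return match.group(0) if match else None


def analyse(whois_by_domain):
    """Drop unregistered names, then count domains per registrant and per date."""
    registered, per_registrant, per_date = {}, Counter(), Counter()
    for domain, text in whois_by_domain.items():
        if not domain_exists(text):
            continue
        kind, ident = registrant_id(text)
        registered[domain] = (kind, ident)
        per_registrant[ident] += 1
        created = creation_date(text)
        if created:
            per_date[created] += 1
    return {
        "registered": registered,
        "per_registrant": per_registrant,
        "per_date": per_date,
        "unique_registrants": len(per_registrant),
        "single_domain_registrants": sum(1 for n in per_registrant.values() if n == 1),
    }


if __name__ == "__main__":
    result = analyse(SAMPLE_WHOIS)
    print(f"{len(result['registered'])} of {len(SAMPLE_WHOIS)} domains registered")
    print(f"{result['unique_registrants']} registrants, "
          f"{result['single_domain_registrants']} with a single domain")
    for day, count in sorted(result["per_date"].items()):
        print(day, count)
```

One caveat the fallback order makes visible: a domain registered through a privacy or proxy service collapses to the registrar name rather than a person, so a single registrar key in the tally can stand for many unrelated registrants, and conversely one party using several e-mail addresses is counted several times. The per-registrant figures are therefore a lower bound on distinct parties only for the e-mail-keyed entries.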

Conficker.B

Similar data is being processed for Conficker.B rendezvous points and will be available on Digital Threat soon.

Data

The Conficker.A/B domain rendezvous points used to generate this data, along with the statistics generated, will be available as a ZIP download soon.

About the Author

Jago Maniscalchi is a Cyber security consultant, though he tries to avoid the word "Cyber" at all costs. He has spent 15 years working with Information Systems and has experience in website hosting, software engineering, infrastructure management, data analysis and security assessment. Jago lives in London with his family, enough pets to start a small zoological society, and a Samsung NaviBot Robotic Vacuum Cleaner. Despite an aptitude for learning computer languages, his repeated attempts to learn Italian have resulted in spectacular failure.
