Conficker.A DNS Rendezvous Analysis
by Jago Maniscalchi // June 7, 2009 // Exploits and Malware // No comments
In an attempt to gain a better understanding of who was registering Conficker.A/B DNS rendezvous points (out of interest, for malicious purposes or for sinkholing), I have used downatool2 from Bonn University, Germany to calculate all the rendezvous points from January to May for Conficker.A and for Conficker.B.
I ran WHOIS checks on all 90,000 names and extracted the registrant from those that exist. Where I could get an e-mail address I have used it, falling back on the registrant name or the registrar where no e-mail address was available.
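As an added illustration of that WHOIS step (example code written for this page, not the author's pipeline and not part of downatool2), the extractor below applies the same fallback order, e-mail first, then registrant name, then registrar, to a handful of constructed WHOIS records and counts how many of the names each registrant holds. The domains, registrants and registrar names are made up and are not real registrations; the field labels it searches for are an assumption, since real WHOIS output differs from registry to registry and would need extending per TLD.

```python
import re
from collections import Counter
from typing import Dict, Optional

# Constructed WHOIS responses (not real registrations) in the loose "key: value"
# layout most registrars return.  The names are shaped like DGA output: 8 to 11
# lowercase letters under com/net/org/info/biz.
SAMPLE_WHOIS: Dict[str, str] = {
    "abcdefgh.com": (
        "Domain Name: ABCDEFGH.COM\n"
        "Registrar: Example Registrar, Inc.\n"
        "Registrant Name: Alice Example\n"
        "Registrant Email: alice@example.org\n"
    ),
    "ijklmnopq.net": (
        "Domain Name: IJKLMNOPQ.NET\n"
        "Registrar: Example Registrar, Inc.\n"
        "Registrant Name: Alice Example\n"
        "Registrant Email: ALICE@EXAMPLE.ORG\n"   # same person, different case
    ),
    "rstuvwxyz.org": (
        "Domain Name: RSTUVWXYZ.ORG\n"
        "Registrar: Privacy Registrar Ltd\n"
        "Registrant Name: Bob Sinkhole\n"          # no e-mail published
    ),
    "hijklmnop.biz": (
        "Domain Name: HIJKLMNOP.BIZ\n"
        "Registrar: Privacy Registrar Ltd\n"       # neither e-mail nor name
    ),
    "zyxwvuts.info": 'No match for "ZYXWVUTS.INFO".\n',  # unregistered
}

# Labels tried for each piece of information; an assumption, since registries
# spell these fields differently.
EMAIL_LABELS = ("Registrant Email", "Registrant Contact Email", "Admin Email")
NAME_LABELS = ("Registrant Name", "Registrant")
REGISTRAR_LABELS = ("Registrar", "Sponsoring Registrar")


def whois_field(text: str, *labels: str) -> Optional[str]:
    """Return the value of the first of `labels` present as a 'Label: value' line."""
    for label in labels:
        pattern = r"^\s*" + re.escape(label) + r"\s*:\s*(.+?)\s*$"
        match = re.search(pattern, text, re.IGNORECASE | re.MULTILINE)
        if match:
            return match.group(1)
    return None


def is_registered(text: str) -> bool:
    """Treat the common 'no match / not found' replies as an unregistered name."""
    return re.match(r"(no match|not found|no data found)", text.strip(), re.IGNORECASE) is None


def registrant_key(text: str) -> Optional[str]:
    """Identify the registrant using the fallback order e-mail > name > registrar.

    Returns None for unregistered names.  Values are lower-cased so that the same
    registrant written in different case collapses to one key, and prefixed with
    the field they came from so a name and an e-mail can never collide.
    """
    if not is_registered(text):
        return None
    for prefix, labels in (("email", EMAIL_LABELS),
                           ("name", NAME_LABELS),
                           ("registrar", REGISTRAR_LABELS)):
        value = whois_field(text, *labels)
        if value:
            return f"{prefix}:{value.lower()}"
    return "unknown"


def registrant_stats(records: Dict[str, str]) -> dict:
    """Aggregate per-registrant domain counts over a {domain: whois_text} mapping."""
    counts: Counter = Counter()
    for text in records.values():
        key = registrant_key(text)
        if key is not None:
            counts[key] += 1
    registered = sum(counts.values())
    return {
        "registered": registered,
        "unregistered": len(records) - registered,
        "unique_registrants": len(counts),
        "single_domain_registrants": sum(1 for c in counts.values() if c == 1),
        "per_registrant": dict(counts),
    }


if __name__ == "__main__":
    stats = registrant_stats(SAMPLE_WHOIS)
    for key, value in stats.items():
        print(f"{key}: {value}")
```

The network lookup itself (a plain TCP query to port 43 of the registry's WHOIS server) is deliberately left out so the example runs offline; for a run on the scale described above it is the part that needs care, because registry WHOIS servers rate-limit and temporarily block clients that query tens of thousands of names without throttling.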
Conficker.A Analysis
Conficker.A domains were largely unregistered until the SRI report was released, followed shortly afterwards by the $250,000 reward offered by Microsoft. The effect of the Conficker Working Group begins to show in mid-April.

Over 220 unique registrants were extracted from the WHOIS results returned, the vast majority of whom had registered only a single domain.

Conficker.B
Similar data is being processed for Conficker.B rendezvous points and will be available on Digital Threat soon.
Data
The Conficker.A/B domain rendezvous points used to generate this data, along with the statistics generated, will be available as a ZIP download soon.