nanog mailing list archives

Re: The Confiker Virus.


From: Michael Holstein <michael.holstein () csuohio edu>
Date: Wed, 01 Apr 2009 13:06:07 -0400


What's the virus doing with all of those domain names?

Domain names are enumerated at random (based on date) as a way around hard-coding an IP/domain that could be easily taken down. The domain names are used for the command & control of the worm, and presumably at least one of them will be registered at some point (if not already) by the worm authors.

Read up on the specifics at one of the (many) sites where research is being done on it : http://www.dshield.org/conficker

~Mike.

On Wed, Apr 1, 2009 at 8:38 AM, Michael Holstein
<michael.holstein () csuohio edu> wrote:
Of the 50,000 DNS names generated for today ..
Additional info ..

Top 10 ASN by number/name :

5680 -- 1280 ISC-AS1280 Internet Systems Consortium, Inc.
2820 -- 1668 AOL-ATDN - AOL Transit Data Network
2737 -- 23028 TEAM-CYMRU - Team Cymru Inc.
404 -- 760 University of Vienna, Austria
20 -- 1887 NASK-ACADEMIC NASK
10 -- 4134 CHINANET-BACKBONE No.31,Jin-rong Street
7 -- 21844 THEPLANET-AS - ThePlanet.com Internet Services, Inc.
5 -- 8560 ONEANDONE-AS 1&1 Internet AG
4 -- 12306 PLUSLINE Plus.Line AG IP-Services
3 -- 26496 PAH-INC - GoDaddy.com, Inc.
So you can tell the "good guys" are still at it pre-registering the bulk of
the conficker-related domain names.

Cheers,

Michael Holstein
Cleveland State University
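The mechanism described in the thread (domains derived from the date so that defenders who know the routine can compute the same list in advance and pre-register or sinkhole it, then tally where the registered names point by ASN) is shown below as an added example. It is not code from the thread and it is not Conficker's published generation algorithm: the hash-based routine, the seed value, the TLD set, the sinkhole prefixes and the ASNs 64496/64497 are all constructed for illustration.

```python
"""Date-seeded candidate-domain list plus an ASN tally of where the names resolve.

Generic illustration (assumed routine, not Conficker's own): every name is a
deterministic function of (seed, date, counter), so anyone who knows the
function can compute the day's list ahead of time and register or sinkhole it.
"""
import hashlib
import ipaddress
from collections import Counter
from datetime import date

TLDS = ("com", "net", "org")  # assumed TLD set for the illustration


def daily_domains(day: date, count: int, seed: bytes = b"example-seed") -> list[str]:
    """Derive `count` candidate domains for `day`.

    Each label is taken from SHA-256(seed || ISO date || counter); the list
    for a given day is therefore identical for the malware and for a
    defender who has recovered the routine.
    """
    names = []
    for i in range(count):
        material = seed + day.isoformat().encode() + i.to_bytes(4, "big")
        digest = hashlib.sha256(material).digest()
        length = 8 + digest[0] % 4                                   # 8..11 letters
        label = "".join(chr(ord("a") + b % 26) for b in digest[1:1 + length])
        names.append(f"{label}.{TLDS[digest[-1] % len(TLDS)]}")
    return names


def asn_tally(resolutions: dict[str, str],
              prefixes: dict[str, tuple[int, str]]) -> list[tuple[int, int, str]]:
    """Count how many candidate domains resolve into each ASN.

    `resolutions` maps domain -> resolved IPv4 address; `prefixes` maps a
    CIDR prefix -> (ASN, holder name). Returns (hits, asn, name) sorted by
    hits descending, the same shape as the "Top 10 ASN" list in the thread.
    Addresses that match no known prefix are skipped.
    """
    nets = [(ipaddress.ip_network(p), asn, name) for p, (asn, name) in prefixes.items()]
    counts = Counter()
    for ip in resolutions.values():
        addr = ipaddress.ip_address(ip)
        for net, asn, name in nets:
            if addr in net:
                counts[(asn, name)] += 1
                break
    return sorted(((n, asn, name) for (asn, name), n in counts.items()),
                  key=lambda t: (-t[0], t[1]))


# Constructed sample data: documentation-range addresses and private-use ASNs,
# not real sinkholes or real resolutions.
SAMPLE_PREFIXES = {
    "192.0.2.0/24": (64496, "SINKHOLE-A (constructed)"),
    "198.51.100.0/24": (64497, "SINKHOLE-B (constructed)"),
}


def sample_tally() -> list[tuple[int, int, str]]:
    """Tally for a constructed day: four names pre-registered to sinkhole A,
    one to sinkhole B, one left unregistered (no A record)."""
    domains = daily_domains(date(2009, 4, 1), 6)
    resolutions = {d: "192.0.2.10" for d in domains[:4]}
    resolutions[domains[4]] = "198.51.100.7"
    return asn_tally(resolutions, SAMPLE_PREFIXES)


if __name__ == "__main__":
    for d in daily_domains(date(2009, 4, 1), 5):
        print(d)
    for hits, asn, name in sample_tally():
        print(f"{hits} -- {asn} {name}")
```

Running the script prints the same five candidate names every time it is invoked for 2009-04-01 and a different five for any other date, which is the property the pre-registration effort in the thread relies on; in practice the domain-to-address mapping would come from real DNS lookups and the prefix table from a routing or WHOIS data source rather than the constructed values above.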
