nanog mailing list archives

Re: The Confiker Virus.


From: Michael Holstein <michael.holstein () csuohio edu>
Date: Wed, 01 Apr 2009 10:11:27 -0400


Is anyone aware of any network-based signatures that could be used to
identify and tag IP traffic, for dropping at the ingress/egress points?

http://iv.cs.uni-bonn.de/wg/cs/applications/containing-conficker/

Has Snort sigs for .A and .B variants .. haven't seen one for .C yet, but there is a tool on that same site called 'downatool2' to enumerate the domain list (to run through a parallel DNS tool, etc. and then check netflow and such).

I did this just now for the .C variant (using 'wine downatool2_01.exe -c' and then piping results through 'adnshost -a -f -Fi' after a little cleanup) .. results?

Of the 50,000 DNS names generated for today ..

32,947 don't resolve.

For the remainder .. if I sort the list .. I get

107 unique /16s
308 unique /24s
11777 unique hosts (mostly sequential within a /24 or shorter mask).

Here are the top 10 /16s with counts:

149.93/16 -- 8500
38.229/16 -- 2737
192.174/16 -- 404
148.81/16 -- 20
97.74/16 -- 13
75.125/16 -- 9
60.29/16 -- 7
221.130/16 -- 7
124.42/16 -- 7
118.102/16 -- 7

If anyone wants to save themselves the trouble and wants today's list of IPs (which could change quickly .. I didn't query SOA info) .. ping me off-list.



Regards,

Michael Holstein
Cleveland State University
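The aggregation step described in the message (unresolved count, unique hosts, unique /24s and /16s, top /16s by host count), as an added Python example that is not part of the original post. The "name answer" input format and the sample lines are constructed for this example and do not reproduce adnshost's real output.

```python
import ipaddress
from collections import Counter

# Constructed sample in a simple "name ip-or-NXDOMAIN" format (not real adnshost
# output); names use the reserved .test TLD so they cannot resolve anywhere.
SAMPLE_RESULTS = """\
aaaa.test 149.93.1.10
bbbb.test 149.93.1.11
cccc.test 149.93.2.12
dddd.test 149.93.1.10
eeee.test NXDOMAIN
ffff.test 38.229.70.5
gggg.test 38.229.70.6
hhhh.test NXDOMAIN
iiii.test 192.174.3.4
"""


def summarize(text):
    """Aggregate resolver results the way the post does.

    Returns the number of names that did not resolve, the sets of unique
    hosts, /24s and /16s, and a Counter of unique hosts per /16 (several
    names pointing at the same IP count as one host).
    """
    unresolved = 0
    hosts = set()
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 2:
            continue  # skip blank or malformed lines
        _name, answer = parts
        try:
            hosts.add(ipaddress.IPv4Address(answer))
        except ipaddress.AddressValueError:
            unresolved += 1  # NXDOMAIN, SERVFAIL, timeout markers, etc.
    nets24 = {ipaddress.ip_network(f"{h}/24", strict=False) for h in hosts}
    per16 = Counter(ipaddress.ip_network(f"{h}/16", strict=False) for h in hosts)
    return {
        "unresolved": unresolved,
        "hosts": hosts,
        "slash24s": nets24,
        "slash16s": set(per16),
        "per16": per16,
    }


def top_slash16s(summary, n=10):
    """Top-n /16s by unique host count, as (prefix, count) tuples."""
    return [(str(net), c) for net, c in summary["per16"].most_common(n)]
```

The /16 list is what you would feed into a netflow query or an ingress/egress filter review; prefixes print as 149.93.0.0/16 rather than the post's shorthand 149.93/16.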

