Conficker Domain Algorithm Reverse Engineered

February 13, 2009 12:17 by brettrobertsnz

There is quite a bit of press coverage of today’s announcement of a US$250,000 reward for information that results in the arrest and conviction of those responsible for illegally launching the Conficker worm. What hasn’t been so widely reported (yet) is that the Conficker ‘phone home’ domain algorithm has been reverse engineered.

Conficker tries every three hours to connect over HTTP to specific domains (‘phoning home’). Unlike many other worms, which use a static list of domains, Conficker generates its domain list dynamically with an algorithm, and that algorithm has now been reverse engineered.

Because the domains are now known in advance, you may be able to identify infected hosts on your network if you log outbound traffic (proxy or DNS logs) and search those logs for them. If you see an entry showing one of your systems connecting to one of these domains, that system may be infected by Conficker.

You can also use this information to block access to those domains at your network perimeter by adding them to any “block lists” you maintain. Check the list against domains your organisation legitimately uses before blocking it wholesale: the algorithm produces pseudo-random names, and some of them can coincide with legitimately registered domains.

The list of Conficker domains is available as a zipped file at the bottom of this Microsoft Security Response Center page.
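As an added example (not part of the original post, and not code from Microsoft or from the analysts who reversed the algorithm), the following Python script shows both uses of the list described above: it reads a one-domain-per-line list, scans squid-style proxy log lines for clients that connected to a listed domain or one of its subdomains, and renders dnsmasq sinkhole rules for blocking at the resolver. The domain names and log lines are constructed stand-ins, not the real Microsoft list or real traffic; substitute the contents of the MSRC zip file and your own logs.

```python
"""Added example: match outbound web-proxy log entries against a list of
Conficker rendezvous domains and emit resolver sinkhole rules.

Both the domain list and the log lines below are constructed stand-ins,
not the real Microsoft list and not real traffic.
"""
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed stand-in for the MSRC domain list (one domain per line).
# Replace with the contents of the zipped list linked from the MSRC page.
DOMAIN_LIST = """\
# comment lines and blank lines are ignored
abcdefgh.com
qwertyui.net
ZXCVBNMK.ORG.
"""

# Constructed sample lines in squid's native access.log format:
# time elapsed client code/status bytes method URL ident hierarchy/peer type
SAMPLE_LOG = """\
1234567890.123    45 10.0.0.12 TCP_MISS/200 512 GET http://abcdefgh.com/ - DIRECT/192.0.2.10 text/html
1234567890.456    30 10.0.0.12 TCP_MISS/200 1024 GET http://www.example.com/index.html - DIRECT/192.0.2.11 text/html
1234568000.001    12 10.0.0.44 TCP_MISS/404 0 GET http://QWERTYUI.NET:80/search?q=0 - DIRECT/192.0.2.12 text/html
1234568100.999    10 10.0.0.12 TCP_MISS/200 300 GET http://zxcvbnmk.org./ - DIRECT/192.0.2.13 text/html
1234568200.500     8 10.0.0.99 TCP_MISS/200 2048 GET http://notabcdefgh.com/ - DIRECT/192.0.2.14 text/html
1234568300.000     5 10.0.0.44 TCP_MISS/200 400 GET http://cdn.qwertyui.net/x.bin - DIRECT/192.0.2.15 application/octet-stream
"""


def normalise_host(host):
    """Lower-case and strip the trailing dot so 'Foo.COM.' and 'foo.com' compare equal."""
    return host.strip().lower().rstrip(".")


def load_domains(text):
    """Parse a one-domain-per-line list into a normalised set."""
    domains = set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        domains.add(normalise_host(line))
    return domains


def host_from_url(url):
    """Return the normalised host part of a URL (port removed), or None if unparsable."""
    try:
        host = urlsplit(url).hostname
    except ValueError:
        return None
    return normalise_host(host) if host else None


def host_matches(host, domains):
    """Return the listed domain that `host` equals or is a subdomain of, else None.

    The dot-prefixed suffix check stops 'notabcdefgh.com' from matching
    'abcdefgh.com'.
    """
    host = normalise_host(host)
    if host in domains:
        return host
    for domain in domains:
        if host.endswith("." + domain):
            return domain
    return None


def scan_log(log_text, domains):
    """Map each client IP to the sorted list of listed domains it contacted."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 7:
            continue  # not a squid-style line; skip it
        client, url = fields[2], fields[6]
        host = host_from_url(url)
        if host is None:
            continue
        matched = host_matches(host, domains)
        if matched:
            hits[client].add(matched)
    return {client: sorted(found) for client, found in sorted(hits.items())}


def dnsmasq_sinkhole_rules(domains):
    """Render dnsmasq 'address=/domain/0.0.0.0' lines; each sinkholes the domain
    and all of its subdomains at the resolver."""
    return "\n".join(f"address=/{d}/0.0.0.0" for d in sorted(domains)) + "\n"


if __name__ == "__main__":
    domains = load_domains(DOMAIN_LIST)
    for client, found in scan_log(SAMPLE_LOG, domains).items():
        print(f"{client} contacted: {', '.join(found)}")
    print(dnsmasq_sinkhole_rules(domains), end="")
```

Matching on the host extracted from the URL, rather than on the raw line, avoids false hits on query strings or referers that merely mention a listed name, and the case and trailing-dot normalisation matters because the worm's requests and your resolver's logging will not agree on either. The dnsmasq rules are one blocking option; the same list can be loaded into whatever proxy or firewall block list you already run.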
