[AusNOG] Conficker virus variants and April 1st
Andrew Cox
andrew at accessplus.com.au
Thu Mar 26 14:21:27 EST 2009
Having noticed some of our guest users infected with the Conficker
virus, I've been working on methods to block access and identify
internal users of ours that are infected with the Conficker virus variants.
Before anyone notes that I should be managing these computers better with
virus updates etc.: note that we [AccessPlus] provide transient user
access (hotspots and the like), so *nyah!* :-)
Has anyone else been looking at this in their own networks?
If not, as it stands the current variant (Conficker.C) is poised to
become active on April 1st; however, we have no knowledge of exactly what
the system will do when all computers come online.
There's quite a bit of detail on the variants available online, including
a pre-predicted list of 250 domains per day that variants A and B try to
phone home to -
http://blogs.technet.com/msrc/archive/2009/02/12/conficker-domain-information.aspx
As for variant C, it generates a list of 50,000 domains each day and
attempts to connect to 500 of those.
Full info on variant C can be found -
http://mtc.sri.com/Conficker/addendumC/index.html
---
One of the most devious things I've discovered in my quest to block
conficker for my users is the way the DNS system on conficker.c works,
dropping duplicated IPs (obvious spoofing from an ISP's side) or any
IPs from an internal blacklist -
http://mtc.sri.com/Conficker/addendumC/appendix2.html
---
Regards,
Andrew Cox
AccessPlus HNA
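Since the post is about identifying infected internal users from their phone-home behaviour, here is an added example (not Andrew's code, and not derived from any of the linked reports) of the kind of resolver-log check that surfaces DGA-style lookups: it parses BIND-style query-log lines, groups lookups per client, and flags clients that query many distinct registrable domains whose labels look machine-generated. The log lines, client addresses and domain names are constructed for the example, the vowel-ratio heuristic and thresholds are illustrative assumptions rather than a published detection rule, and the two-label approximation of a registrable domain is a known simplification.

```python
import re
from collections import defaultdict

# Constructed sample log in a BIND-style query-log format (not real traffic).
# The random-looking names are invented for the example, not actual Conficker domains.
SAMPLE_LOG = """\
26-Mar-2009 14:20:01.101 client 10.1.1.20#51234: query: www.example.com IN A + (10.1.1.1)
26-Mar-2009 14:20:01.233 client 10.1.1.20#51235: query: mail.example.com IN A + (10.1.1.1)
26-Mar-2009 14:20:01.500 client 10.1.1.20#51236: query: www.google.com IN A + (10.1.1.1)
26-Mar-2009 14:20:02.010 client 10.1.1.57#40001: query: aqzpkw.biz IN A + (10.1.1.1)
26-Mar-2009 14:20:02.120 client 10.1.1.57#40002: query: xrtlmvq.info IN A + (10.1.1.1)
26-Mar-2009 14:20:02.240 client 10.1.1.57#40003: query: plkdjwz.org IN A + (10.1.1.1)
26-Mar-2009 14:20:02.360 client 10.1.1.57#40004: query: qmxvtr.net IN A + (10.1.1.1)
26-Mar-2009 14:20:02.480 client 10.1.1.57#40005: query: zbkplnw.com IN A + (10.1.1.1)
26-Mar-2009 14:20:02.600 client 10.1.1.57#40006: query: hrtvxpq.cc IN A + (10.1.1.1)
26-Mar-2009 14:20:03.001 client 10.1.1.88#50001: query: www.example.com IN A + (10.1.1.1)
26-Mar-2009 14:20:03.102 client 10.1.1.88#50002: query: www.google.com IN A + (10.1.1.1)
26-Mar-2009 14:20:03.203 client 10.1.1.88#50003: query: lists.ausnog.net IN A + (10.1.1.1)
26-Mar-2009 14:20:03.304 client 10.1.1.88#50004: query: www.accessplus.com IN A + (10.1.1.1)
26-Mar-2009 14:20:03.405 client 10.1.1.88#50005: query: update.microsoft.com IN A + (10.1.1.1)
26-Mar-2009 14:20:03.506 client 10.1.1.88#50006: query: en.wikipedia.org IN A + (10.1.1.1)
"""

# Matches the client address and queried name in a BIND-style query log line.
QUERY_RE = re.compile(r"client (?P<ip>\d+\.\d+\.\d+\.\d+)#\d+: query: (?P<name>\S+) IN ")
VOWELS = set("aeiou")


def parse_queries(log_text):
    """Return (client_ip, queried_name) pairs for every line that looks like a query."""
    records = []
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if m:
            records.append((m.group("ip"), m.group("name").lower().rstrip(".")))
    return records


def registrable_domain(name):
    """Naive approximation: the last two labels. A real deployment should use the
    Public Suffix List so that 'foo.com.au' is not reduced to 'com.au'."""
    labels = name.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else name


def looks_random(label):
    """Cheap lexical heuristic (an assumption for this example): a label of five or
    more characters with a very low vowel ratio is treated as machine-generated."""
    letters = [c for c in label if c.isalpha()]
    if len(label) < 5 or not letters:
        return False
    vowel_ratio = sum(c in VOWELS for c in letters) / len(letters)
    return vowel_ratio < 0.3


def find_dga_suspects(records, min_distinct=5, min_random_share=0.5):
    """Flag clients that look up at least min_distinct distinct registrable domains
    where at least min_random_share of them look random.
    Returns {client_ip: (distinct_domain_count, random_share)}."""
    domains_by_client = defaultdict(set)
    for ip, name in records:
        domains_by_client[ip].add(registrable_domain(name))
    suspects = {}
    for ip, domains in domains_by_client.items():
        if len(domains) < min_distinct:
            continue
        random_count = sum(looks_random(d.split(".")[0]) for d in domains)
        share = random_count / len(domains)
        if share >= min_random_share:
            suspects[ip] = (len(domains), round(share, 2))
    return suspects


if __name__ == "__main__":
    for ip, (count, share) in find_dga_suspects(parse_queries(SAMPLE_LOG)).items():
        print(f"{ip}: {count} distinct domains, {share:.0%} random-looking")
```

On the sample, only 10.1.1.57 is flagged: 10.1.1.20 queries too few domains to cross the threshold, and 10.1.1.88 queries many domains but none of them look generated. In practice the thresholds would be set from the volumes the post quotes (hundreds of distinct domains per day per host), and the heuristic is only a triage signal, since a host with a chatty CDN-heavy browsing session can also produce many distinct names.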