EDIT 4/27/09: THIS NO LONGER WORKS WITH NEW VARIANTS OF CONFICKER HOWEVER THE CONCEPT IS STILL SOUND IF YOU ARE LOOKING FOR SYSTEMS THAT ARE QUERYING FOR SPECIFIC DNS NAMES.
I’ve already created one post on finding malware systems using eventcomb however when it comes to Conficker or Downadup and realistically other malware too all that method can really show you are clients that have decided to finally put a Domain Controller on their hitlist. One of the things we know about Conficker is that it utilizes a method to based on date to generate a url that it will connect to in order to report in to its evil overlords as well as to possibly see if there is some new update/commands available to it. The guys over at F-secure have put up a list of domains that the malware would possibly use for the month of February at http://www.f-secure.com/weblog/archives/00001593.html . Now if you have a proxy server or some type of firewall server that can do blocking or redirecting based on host names this is great. Not all customers have this though so we figured we would try to put something together that would work for most of our normal Windows customers :).
Basically what I did was utilize the dnscmd command to work with MS DNS to create new zones as well as wildcard records for each domain that may be possibly used. The download for the .cmd files you can get here:
If you know anything about MS DNS you realize this is going to look pretty darn messy 🙂 we are talking about 7k new zones in your DNS server so I would either recommend putting this on a new box and forwarding all your DNS to this before going to the internet or not opening your DNS gui to look at zones that often after you add these :). The first script blocklistfebzoneadd.cmd will create all the zones. If you just want to block connections for these zones for February you can stop there… But no that’s wussing out we want to ERADICATE this thing!!! The next script is blocklistfebrecordadd.cmd you will want to edit this doing a find/replace and change 192.168.1.100 for a new IP address for a new IIS server in your environment. The beauty of this is that for this month everytime you have a Conficker / Downadup client try to connect to their control server they will instead connect to your new IIS setup. You just need to keep checking your IIS logs for that website you setup and cleaning those client IP addresses up.
Once the month of February is over you can use the 3rd script blocklistfebzonedelete.cmd which will go through and reverse the effects of this by deleting all of the zones we created. Hopefully this should be pretty simple but if you have any questions just let me know.
Happy malware hunting.