I wanted to follow up our recent Conficker post from last Friday where we posted new pages to consolidate our information on Conficker for enterprises and consumers. We’ve also made the easy-to-remember URL www.microsoft.com/conficker available that will take you directly to the Conficker page for enterprises.
We’ve shared some additional information today with our Microsoft Active Protections Program (MAPP) partners and our Microsoft Security Response Alliance (MSRA) partners. We believe that this information can be helpful for some of you too, so we’re also posting it here on the MSRC weblog.
We’ve seen that the Conficker worm will try every three hours to connect to specific domains over HTTP, a behavior sometimes referred to as “phoning home.” Conficker doesn’t carry a static list of domains; instead, the domains it connects to are generated by the malware through a specific algorithm. Because our Microsoft Malware Protection Center (MMPC) colleagues and others in the security community have successfully reverse-engineered this algorithm, we can share what we’ve learned from that with you and with the industry more broadly.
Most importantly, understanding this behavior and the algorithm gives us (and you) some additional options in combating Conficker.
First, it may be possible to identify infected hosts on your network if you’re able to log outbound traffic and then analyze those logs. If you see an entry in your logs for one of your systems connecting to one of these domains, that system may be infected by Conficker.
Second, you can also use this information to block access to those domains at your network perimeter by adding them to any “block lists” you might have.
To make this domain information easier to use, we’ve made a list of domains available as a zipped text file at the bottom of this post.
The text file is a list of domains that a system infected with Worm:Win32/Conficker.A or Worm:Win32/Conficker.B may try to contact. It is a list of comma-separated values (CSV) and lists out the specific Conficker variant that will try to use that domain, the date it will attempt to contact the domain, an arbitrary index number, and finally the domain itself.
As an example, here is an excerpt from the list of domains that Conficker may try to contact today, Feb. 12, 2009:
Variant, Date, Index, Hostname
A, 02/12/2009, 0, puxqy.net
A, 02/12/2009, 1, elvyodjjtao.net
A, 02/12/2009, 2, ltxbshpv.net
A, 02/12/2009, 3, ykjzaluthux.net
A, 02/12/2009, 4, lpiishmjlb.net
A, 02/12/2009, 5, arpsyp.com
A, 02/12/2009, 6, txkjngucnth.org
A, 02/12/2009, 7, vhslzulwn.org
A, 02/12/2009, 8, jcqavkkhg.net
A, 02/12/2009, 9, dmszsyfp.info
. . .
B, 02/12/2009, 0, tvxwoajfwad.info
B, 02/12/2009, 1, blojvbcbrwx.biz
B, 02/12/2009, 2, wimmugmq.biz
B, 02/12/2009, 3, fwnvlja.org
B, 02/12/2009, 4, umgrzaybbf.ws
B, 02/12/2009, 5, btgoyr.cc
B, 02/12/2009, 6, zboycplmkhc.cc
B, 02/12/2009, 7, qsqzphbn.biz
B, 02/12/2009, 8, xqdvmavs.cn
B, 02/12/2009, 9, wgrrrr.biz
So, if you have logging that includes the domain names being resolved externally, you can scan those logs for entries with these domain names in them.
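The following script is an added example, not part of the original post or any Microsoft tool: it parses a list in the CSV layout described above (Variant, Date, Index, Hostname), filters it to one date, and scans resolver log lines for queries to those domains. The CSV excerpt reuses domains from the post; the log format (timestamp, client IP, queried name, answer) and the client addresses are constructed assumptions, since the post does not show its own log format.

```python
import csv
import io
import re

# Constructed excerpt in the CSV layout the post describes; in practice load the
# zipped text file attached to the post instead.
DOMAIN_LIST = """\
Variant, Date, Index, Hostname
A, 02/12/2009, 3, ykjzaluthux.net
A, 02/12/2009, 5, arpsyp.com
B, 02/12/2009, 7, qsqzphbn.biz
B, 02/12/2009, 9, wgrrrr.biz
"""

# Constructed resolver log lines (assumed format: date time client query name type answer).
SAMPLE_LOG = """\
2009-02-12 09:14:02 10.0.0.21 query ykjzaluthux.net A 192.168.1.34
2009-02-12 09:14:05 10.0.0.21 query www.microsoft.com A 207.46.197.32
2009-02-12 09:15:11 10.0.0.37 query qsqzphbn.biz A 192.168.1.35
2009-02-12 09:16:40 10.0.0.40 query mail.example.com A 10.0.0.5
"""


def load_domains(text, date=None):
    """Return {hostname: variant} for rows on the given date (all dates if None)."""
    domains = {}
    reader = csv.DictReader(io.StringIO(text), skipinitialspace=True)
    for row in reader:
        if date is None or row["Date"] == date:
            domains[row["Hostname"].lower()] = row["Variant"]
    return domains


def scan_log(log_text, domains):
    """Return (client_ip, hostname, variant) for each log line naming a listed domain."""
    if not domains:
        return []
    # Whole-label match so e.g. 'notarpsyp.com' does not trigger on 'arpsyp.com'.
    pattern = re.compile(r"\b(" + "|".join(re.escape(d) for d in domains) + r")\b", re.I)
    hits = []
    for line in log_text.splitlines():
        match = pattern.search(line)
        if match:
            host = match.group(1).lower()
            client = line.split()[2]  # third field is the client IP in the assumed format
            hits.append((client, host, domains[host]))
    return hits


if __name__ == "__main__":
    for client, host, variant in scan_log(SAMPLE_LOG, load_domains(DOMAIN_LIST, "02/12/2009")):
        print(f"{client} queried {host} (Conficker.{variant} domain) - investigate this host")
```

Feeding the full list without a date filter into `load_domains` gives the set of domains to add to a perimeter block list, which covers the second use described above.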
Additionally, you can also look for log entries that match the following patterns. An example of an entry from a system infected by Worm:Win32/Conficker.A where the domain ykjzaluthux.net resolves to 192.168.1.34 might look like:
and an example of an entry from a system infected by Worm:Win32/Conficker.B where the domain qsqzphbn.biz resolves to 192.168.1.35 might look like:
We hope you find this information helpful.
*This posting is provided "AS IS" with no warranties, and confers no rights*
Updated 3/2/2009 to clarify how the domain list can be used to scan logs and the format for log entries for infected systems