Malware Domain List

Malware Related => Tools of the trade / Internet News => Topic started by: SysAdMini on January 14, 2009, 11:51:44 am

Title: Conficker/Downadup news
Post by: SysAdMini on January 14, 2009, 11:51:44 am
Worm Description
http://www.f-secure.com/v-descs/worm_w32_downadup_al.shtml
http://www.symantec.com/security_response/writeup.jsp?docid=2008-123015-3826-99&tabid=2

Removal Tools
ftp://ftp.f-secure.com/anti-virus/tools/beta/fsmrt.zip
ftp://ftp.f-secure.com/anti-virus/tools/beta/f-downadup.zip
http://www.symantec.com/content/en/us/global/removal_tool/threat_writeups/FixDownadup.exe
http://blogs.msdn.com/rockyh/archive/2009/01/14/conficker-removal-with-msrt.aspx
http://www.bitdefender.com/site/Downloads/downloadFile/1584/FreeRemovalTool

How Big is Downadup? Very Big.
http://www.f-secure.com/weblog/archives/00001579.html

Preemptive Downadup Domain Blocklist, Jan. 13-16
http://www.f-secure.com/weblog/archives/00001578.html

Downadup Blocklist, Jan. 9
http://www.f-secure.com/weblog/archives/00001577.html

Title: Re: Conficker/Downadup news
Post by: Tigger` on January 14, 2009, 03:50:47 pm
Thanks for the info. :)
Title: Re: Conficker/Downadup news
Post by: Serg on January 14, 2009, 05:59:55 pm
The first entry was here http://blog.trendmicro.com/ms08-067-vulnerability-botnets-reloaded/.
Growing number of infected computers here http://www.dshield.org/port.html?port=445
Title: Re: Conficker/Downadup news
Post by: SysAdMini on January 14, 2009, 06:18:40 pm
Based on F-Secure's latest blocklist I have checked all domains. I haven't found any domain
I could get a payload from.

Here is a list of resolvable domains.
Title: Re: Conficker/Downadup news
Post by: SysAdMini on January 15, 2009, 12:36:13 am
Quote
if someone finds a sample of the Conficker worm please post it on site so I can get a sample as soon as possible

Please don't post malware samples in public boards. You can contact me by PM for a sample.
Title: Re: Conficker/Downadup news
Post by: chopsforever on January 16, 2009, 09:26:41 pm
Has anyone been able to determine whether or not the algorithm produces a finite number of domains?  Anyone seen any in-depth analysis?
Title: Re: Conficker/Downadup news
Post by: SysAdMini on January 16, 2009, 11:31:16 pm
Calculating the Size of the Downadup Outbreak
http://www.f-secure.com/weblog/archives/00001584.html

Today's calculation is a total of 8,976,038 infections worldwide and 353,495 unique IP addresses.

Title: Re: Conficker/Downadup news
Post by: SysAdMini on January 17, 2009, 11:12:23 am
Preemptive Downadup Domain Blocklist, Jan. 13-16
http://www.f-secure.com/weblog/archives/downadup_domain_blocklist_17_31.txt
Title: Re: Conficker/Downadup news
Post by: SysAdMini on January 21, 2009, 03:46:34 pm
The Mess that is WORM_DOWNAD
http://blog.trendmicro.com/the-mess-that-is-worm_downad/
Title: Re: Conficker/Downadup news
Post by: SysAdMini on January 23, 2009, 06:45:49 pm
Some of the Conficker domains mentioned in F-Secure's latest blocklist

http://www.f-secure.com/weblog/archives/downadup_domain_blocklist_17_31.txt

resolve to the same IP addresses as the latest Asprox domains.

Code:
fmhxqutvccr.org
fmkopswuzhj.biz
fnygfr.com
fuougcdv.org
fvwugekf.info
fwkbt.info
gbrpn.org
gbxpxugx.org
ghtileh.biz
gnyluuxneo.com

Asprox news (http://www.dynamoo.com/blog/labels/Asprox.html)

Latest Asprox domain at MDL (http://www.malwaredomainlist.com/mdl.php?inactive=&sort=Date&search=asprox&colsearch=All&ascordesc=DESC&quantity=50&page=0)

/EDIT

I am not the only one who discovered that.

http://www.matchent.com/wpress/?q=node/434
Title: Re: Conficker/Downadup news
Post by: SysAdMini on January 27, 2009, 10:45:11 am
Attempts at Smart Network Scanning
https://forums.symantec.com/t5/blogs/blogarticlepage/blog-id/malicious_code/article-id/233

Peer-to-Peer Payload Distribution
https://forums.symantec.com/t5/blogs/blogarticlepage/blog-id/malicious_code/article-id/227

Small Improvements Yield Big Returns
https://forums.symantec.com/t5/Malicious-Code/Downadup-Small-Improvements-Yield-Big-Returns/ba-p/381717#A230

A Lock with No Key
https://forums.symantec.com/t5/Malicious-Code/Downadup-A-Lock-with-No-Key/ba-p/381306#A229

Geo-location, Fingerprinting, and Piracy
https://forums.symantec.com/t5/Malicious-Code/Downadup-Geo-location-Fingerprinting-and-Piracy/ba-p/380993#A228

Title: Re: Conficker/Downadup news
Post by: SysAdMini on January 27, 2009, 02:28:56 pm
Kidokiller - removal tool from Kaspersky
http://data2.kaspersky-labs.com:8080/special/KidoKiller.zip
Title: Re: Conficker/Downadup news
Post by: aaudi on January 28, 2009, 04:46:14 am
Additional description with screenshots

Conficker.B
http://www.ca.com/us/securityadvisor/virusinfo/virus.aspx?id=76852

Conficker.A
http://www.ca.com/securityadvisor/virusinfo/virus.aspx?id=75911
Title: Re: Conficker/Downadup news
Post by: SysAdMini on January 30, 2009, 07:46:28 pm
Downadup.B/Conflicker.B IP generation and domain name predictor tool
http://mnin.blogspot.com/2009/01/downatool-for-downadupbconflickerb.html

Quote
You can use it to predict the list of domain names that the worm will contact on a given date. Downadup.B uses a completely different algorithm for selecting IPs to attack with MS08-067. Fortunately, you can also use this tool to mimic the random IP address generation algorithm to predict which IPs the worm will attempt to attack.


Memory Injection Model
http://blog.threatexpert.com/2009/01/confickerdownadup-memory-injection.html
Title: Re: Conficker/Downadup news
Post by: SysAdMini on January 31, 2009, 01:04:51 pm
F-Secure's Preemptive Downadup Blocklist for February
http://www.f-secure.com/weblog/archives/00001593.html
Title: Re: Conficker/Downadup news
Post by: SysAdMini on February 01, 2009, 06:47:31 pm
There is one thing which has not been mentioned in all the reports about Downadup.

Downadup doesn't use domain names in HTTP requests. It does a DNS lookup first
and then uses the IP address for the request.

This makes blacklisting of domain names on a proxy server completely useless.
I experienced this myself.
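The behaviour described above (resolve the name first, then send the HTTP request to the bare IP) is exactly why a domain blacklist on the proxy never fires. The following is an added example, not code from this post: it replays that blind spot on constructed DNS and proxy log lines, then recovers the looked-up name by correlating each IP-literal request with the same client's recent DNS answer, so the domain blocklist can still be applied. The two log formats, client addresses and IPs are constructed; the two blocklisted names come from the F-Secure blocklist excerpt quoted earlier in this thread.

```python
import ipaddress
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample logs (not real Downadup traffic). Simplified formats:
#   DNS:   "<unix_ts> <client> <qname> -> <answer_ip>"
#   Proxy: "<unix_ts> <client> <method> <url> <status>"
DNS_LOG = """\
1233500001 10.0.0.15 fnygfr.com -> 203.0.113.10
1233500002 10.0.0.15 www.example.com -> 198.51.100.7
1233500040 10.0.0.22 gbrpn.org -> 203.0.113.10
"""
PROXY_LOG = """\
1233500003 10.0.0.15 GET http://203.0.113.10/search?q=12 200
1233500004 10.0.0.15 GET http://www.example.com/index.html 200
1233500041 10.0.0.22 GET http://203.0.113.10/search?q=7 200
1233500050 10.0.0.30 GET http://198.51.100.7/ 200
"""
# Two names taken from the blocklist excerpt quoted earlier in this thread.
BLOCKLIST = {"fnygfr.com", "gbrpn.org"}

DNS_RE = re.compile(r"^(\d+) (\S+) (\S+) -> (\S+)$")
PROXY_RE = re.compile(r"^(\d+) (\S+) (\S+) (\S+) (\d+)$")


def is_ip_literal(host):
    """True when the URL host is a bare IP address rather than a name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def parse_dns(text):
    """Index DNS answers as {(client, answer_ip): [(ts, qname), ...]}."""
    answers = defaultdict(list)
    for line in text.splitlines():
        m = DNS_RE.match(line)
        if m:
            ts, client, qname, ip = m.groups()
            answers[(client, ip)].append((int(ts), qname.lower()))
    return answers


def proxy_blocklist_hits(text, blocklist):
    """What a proxy-side domain blacklist sees: it only matches URL host names."""
    hits = []
    for line in text.splitlines():
        m = PROXY_RE.match(line)
        if m and urlsplit(m.group(4)).hostname in blocklist:
            hits.append(line)
    return hits


def attribute_ip_requests(proxy_text, dns_answers, window=300):
    """For every proxy request to a bare IP, recover the name the same client
    resolved to that IP within `window` seconds before the request.
    Returns [(client, ip, qname_or_None), ...]."""
    out = []
    for line in proxy_text.splitlines():
        m = PROXY_RE.match(line)
        if not m:
            continue
        ts, client, _method, url, _status = m.groups()
        host = urlsplit(url).hostname
        if not is_ip_literal(host):
            continue
        recent = [(t, q) for t, q in dns_answers.get((client, host), [])
                  if 0 <= int(ts) - t <= window]
        out.append((client, host, max(recent)[1] if recent else None))
    return out


def flagged_requests(proxy_text, dns_text, blocklist):
    """IP-literal requests whose recovered name is on the blocklist."""
    answers = parse_dns(dns_text)
    return [hit for hit in attribute_ip_requests(proxy_text, answers)
            if hit[2] in blocklist]
```

Applying the blocklist at the resolver (as the OpenDNS collaboration mentioned later in this thread does) avoids the problem entirely; the correlation above is for environments where only proxy and DNS logs are available.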

Title: Re: Conficker/Downadup news
Post by: SysAdMini on February 09, 2009, 07:46:10 am
Some tricks from Conficker's bag
http://isc.sans.org/diary.html?storyid=5830
Title: Re: Conficker/Downadup news
Post by: SysAdMini on February 10, 2009, 12:55:59 am
Kaspersky, OpenDNS Collaborate to Slow Conficker Worm
http://www.pcworld.com/businesscenter/article/159165/kaspersky_opendns_collaborate_to_slow_conficker_worm.html
Title: Re: Conficker/Downadup news
Post by: SysAdMini on February 10, 2009, 01:12:50 am
Downadup: Playing with Universal Plug and Play
https://forums.symantec.com/t5/Malicious-Code/Downadup-Playing-with-Universal-Plug-and-Play/ba-p/383244#A234
Title: Re: Conficker/Downadup news
Post by: SysAdMini on February 10, 2009, 08:24:28 pm
More tricks from Conficker and VM detection
http://isc.sans.org/diary.html?storyid=5842
Title: Re: Conficker/Downadup news
Post by: SysAdMini on February 12, 2009, 05:11:38 pm
Coalition Formed in Response to W32.Downadup
https://forums.symantec.com/t5/Malicious-Code/Coalition-Formed-in-Response-to-W32-Downadup/ba-p/388129
Title: Re: Conficker/Downadup news
Post by: Serg on February 12, 2009, 09:03:50 pm
Microsoft offers $250,000 reward for Conficker arrest and conviction.
http://www.microsoft.com/Presspass/press/2009/feb09/02-12ConfickerPR.mspx?rss_fdn=Press%20Releases
PS. Sorry for my stupid paint brush ::)
(http://img140.imageshack.us/img140/6324/wantedbyslevin28tr4.jpg)
Title: Re: Conficker/Downadup news
Post by: SysAdMini on February 13, 2009, 08:47:41 am
Quote
PS. Sorry for my stupid paint brush ::)

Nice.  ;D
Title: Re: Conficker/Downadup news
Post by: SysAdMini on February 13, 2009, 09:24:40 am
Conficker links by isc.sans.org
http://isc.sans.org/diary.html?storyid=5860
Title: Re: Conficker/Downadup news
Post by: SysAdMini on February 13, 2009, 04:16:22 pm
An Analysis of Conficker's Logic and Rendezvous Points
http://mtc.sri.com/Conficker/
Title: Re: Conficker/Downadup news
Post by: SysAdMini on February 18, 2009, 07:41:40 pm
Downadup: Locking Itself Out
https://forums.symantec.com/t5/Malicious-Code/Downadup-Locking-Itself-Out/ba-p/389837
Title: Re: Conficker/Downadup news
Post by: SysAdMini on February 19, 2009, 08:37:34 pm
Making Conficker Cough Up the Goods
http://vrt-sourcefire.blogspot.com/2009/02/making-conficker-cough-up-goods.html
Title: Re: Conficker/Downadup news
Post by: SysAdMini on February 23, 2009, 10:23:46 pm
Downadup—Advanced Crypto Protection
https://forums.symantec.com/t5/Malicious-Code/Downadup-Advanced-Crypto-Protection/ba-p/391311
Title: Re: Conficker/Downadup news
Post by: SysAdMini on March 01, 2009, 12:59:14 pm
Conficker Collateral Damage for March 2009
http://www.sophos.com/security/blog/2009/03/3457.html
Title: Re: Conficker/Downadup news
Post by: SysAdMini on March 02, 2009, 07:17:58 am
Downadup/Conficker/Kido Infection-traffic analysis
http://annysoft.wordpress.com/2009/02/01/downadupconfickerkido-infection-traffic-analysis/
Title: Re: Conficker/Downadup news
Post by: SysAdMini on March 07, 2009, 12:56:25 am
W32.Downadup.C Digs in Deeper
https://forums2.symantec.com/t5/Malicious-Code/W32-Downadup-C-Digs-in-Deeper/ba-p/393245#A249
Title: Re: Conficker/Downadup news
Post by: Serg on March 07, 2009, 08:37:09 pm
Conficker gets upgraded with defenses
http://www.theregister.co.uk/2009/03/07/conficker_upgrade/
Quote
The new component ups the ante by increasing the number of domains to 50,000 per day.
Title: Re: Conficker/Downadup news
Post by: SysAdMini on March 13, 2009, 04:58:54 pm
The Downadup Codex
Quote
How do you summarize the functionality of a threat like Downadup? It sounds like the sort of challenge taken up only by folks that can solve a Rubik's Cube in 30 seconds or less. If someone asked me to do so in a sentence, here's how I'd do it:

https://forums2.symantec.com/t5/Malicious-Code/The-Downadup-Codex/ba-p/393279

http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/the_downadup_codex_ed1.pdf
Title: Re: Conficker/Downadup news
Post by: Serg on March 18, 2009, 11:27:33 am
Since 4 March we have seen a big decrease of Kido activity on port 445 http://www.dshield.org/port.html?port=445. There was a suspicion that some Kido C&C server is online and outside the coalition block http://www.microsoft.com/Presspass/press/2009/feb09/02-12ConfickerPR.mspx?rss_fdn=Press%20Releases. We've checked and rechecked. Some of the infected PCs are updated. So that's true. Now we have 25!!! samples of new Kido-based malware. Good news: the update is not a worm. Bad news: the update has a P2P crypto protocol. Symantec already wrote something about that https://forums2.symantec.com/t5/Malicious-Code/W32-Downadup-C-Digs-in-Deeper/ba-p/393245 but the main point of this post is "The coalition doesn't work!!!". ...Crap... Idiots...

PS. New Kido in IDA
Code:
UPX0:10003D29                 cmp     [esp+1BCh+SystemTime.wYear], 2009
UPX0:10003D30                 ja      short loc_10003D46
UPX0:10003D32                 jnz     short loc_10003D5C
UPX0:10003D34                 cmp     [esp+1BCh+SystemTime.wMonth], 4
UPX0:10003D3A                 ja      short loc_10003D46
UPX0:10003D3C                 jnz     short loc_10003D5C
UPX0:10003D3E                 cmp     [esp+1BCh+SystemTime.wDay], 1
UPX0:10003D44                 jb      short loc_10003D5C
We have two weeks to make a solution...
Title: Re: Conficker/Downadup news
Post by: SysAdMini on March 20, 2009, 06:43:22 am
Conficker.C Analysis
http://mtc.sri.com/Conficker/addendumC/
Title: Re: Conficker/Downadup news
Post by: SysAdMini on March 20, 2009, 09:19:26 pm
W32.Downadup.C Bolsters P2P
https://forums2.symantec.com/t5/Malicious-Code/W32-Downadup-C-Bolsters-P2P/ba-p/393331
Title: Re: Conficker/Downadup news
Post by: SysAdMini on March 22, 2009, 04:17:51 pm
Conficker Removal Tools urls
http://isc.sans.org/diary.html?storyid=5860
Title: Re: Conficker/Downadup news
Post by: SysAdMini on March 30, 2009, 02:31:17 pm
Detecting Conficker
http://honeynet.org/node/388
Title: Re: Conficker/Downadup news
Post by: sowhat-x on March 30, 2009, 03:15:23 pm
Containing Conficker
http://iv.cs.uni-bonn.de/wg/cs/applications/containing-conficker/
Linked from honeynet.org above... that's really cool work there...
Title: Re: Conficker/Downadup news
Post by: SysAdMini on March 30, 2009, 04:09:59 pm
Detecting Conficker
http://honeynet.org/node/388

Win32 version of the tool. No need to install Python ... manually.

http://www.bsk-consulting.de/download/scs-win.zip
Title: Re: Conficker/Downadup news
Post by: sowhat-x on March 31, 2009, 05:30:27 pm
Conficker Working Group Wiki
http://confickerworkinggroup.net/wiki/
Title: Re: Conficker/Downadup news
Post by: SysAdMini on April 01, 2009, 05:56:50 am
Restore Access to Blocked Sites on Conficked Systems
http://countermeasures.trendmicro.eu/restore-access-to-blocked-sites-on-conficked-systems/
Title: Re: Conficker/Downadup news
Post by: SysAdMini on April 02, 2009, 07:52:28 am
Conficker World Maps
http://www.f-secure.com/weblog/archives/00001646.html
Title: Re: Conficker/Downadup news
Post by: sowhat-x on April 02, 2009, 09:59:41 pm
The art of unpacking Conficker worm
http://blog.fortinet.com/the-art-of-unpacking-conficker-worm/
Title: Re: Conficker/Downadup news
Post by: sowhat-x on April 02, 2009, 10:47:37 pm
Both Nmap and Nessus have been updated in the meantime in order to avoid false positives...
http://nmap.org/changelog.html
http://blog.tenablesecurity.com/2009/04/updated-conficker-detection-plugin-released.html
Title: Re: Conficker/Downadup news
Post by: SysAdMini on April 03, 2009, 07:20:59 pm
Conficker.C: from peer to peer
https://cert.lexsi.com/weblog/index.php/2009/03/31/294-confickerc-de-peer-en-peer
Title: Re: Conficker/Downadup news
Post by: SysAdMini on April 04, 2009, 06:05:52 pm
Downad.KK/Conficker.C p2p Port Generation Code Exposed
http://blog.trendmicro.com/downadkkconfickerc-p2p-port-generation-code-exposed/
Title: Re: Conficker/Downadup news
Post by: B_H on April 04, 2009, 11:12:18 pm
How to detect a Conficker-infected machine in your LAN:

Listen! And listen to incoming traffic!
Quote
sudo ngrep -qd eth0 -W single -s 900 -X 0xe8ffffffffc15e8d4e108031c441668139455075f5aec69da04f85ea4f84c84f84d84fc44f9ccc497258c4c4c42cedc4c4c494263c4f38923bd3574702c32cdcc4c4c4f71696964f08a203c5bcea953bb3c096969592963bf33b24699592514f8ff84f88cfbcc70ff73249d077c795e44fd6c717f7040504c3f6c68644fec4b131ff01b0c282ffb5dcb61b4f95e0c717cb73d0b64f85d8c7074fc054c7079a9d07a4664eb2e244680cb1b6a8a9abaac45de7991dacb0b0b4feebeb 'tcp port 445 and dst net 127.0.0.0/8'

credit : til- nep channel
Title: Re: Conficker/Downadup news
Post by: SysAdMini on April 05, 2009, 05:09:34 pm
Open Source Conficker-C Scanner/Detector Released
http://isc.sans.org/diary.html?storyid=6130
http://mtc.sri.com/Conficker/contrib/scanner.html
Title: Re: Conficker/Downadup news
Post by: Mr Clean on April 06, 2009, 02:28:13 pm
Interesting

Code:
http://www.threatexpert.com/report.aspx?md5=c9e0917fe3231a652c014ad76b55b26a


All point to one IP apparently owned by Amazon

http://whois.domaintools.com/174.129.221.183

Code:
tvhutv.vn -> 174.129.221.183    #       SEATTLE UNITED STATES
mvicdbhk.com.pe -> 174.129.221.183      #       SEATTLE UNITED STATES
vdfv.hu -> 174.129.221.183      #       SEATTLE UNITED STATES
decv.sk -> 174.129.221.183      #       SEATTLE UNITED STATES
oqgb.ro -> 174.129.221.183      #       SEATTLE UNITED STATES
mhwjxfewr.sc -> 174.129.221.183 #       SEATTLE UNITED STATES
yahoo.co.jp -> 124.83.139.192   #       TOKYO   JAPAN
fbmot.tn -> 174.129.221.183     #       SEATTLE UNITED STATES
uasfilwu.sg -> 174.129.221.183  #       SEATTLE UNITED STATES
jpjzx.ca -> 174.129.221.183     #       SEATTLE UNITED STATES
tdexti.com.fj -> 174.129.221.183        #       SEATTLE UNITED STATES
xuiw.com.sv -> 174.129.221.183  #       SEATTLE UNITED STATES
spxd.nf -> 174.129.221.183      #       SEATTLE UNITED STATES
56.com -> dmfppp.us -> 174.129.221.183  #       SEATTLE UNITED STATES
daatcj.co.za -> 174.129.221.183 #       SEATTLE UNITED STATES
iyer.ir -> 174.129.221.183      #       SEATTLE UNITED STATES
ekkmwqn.co.cr -> 174.129.221.183        #       SEATTLE UNITED STATES
zfid.com.ni -> 174.129.221.183  #       SEATTLE UNITED STATES
jfmvnq.com.tt -> 174.129.221.183        #       SEATTLE UNITED STATES
reference.com -> 66.235.120.98  #       OAKLAND UNITED STATES
rubvridu.us -> 174.129.221.183  #       SEATTLE UNITED STATES
lzwd.pk -> 174.129.221.183      #       SEATTLE UNITED STATES
edvpwgiwy.la -> 174.129.221.183 #       SEATTLE UNITED STATES
jfci.pe -> 174.129.221.183      #       SEATTLE UNITED STATES
lgagqpt.mn -> 174.129.221.183   #       SEATTLE UNITED STATES
xdbg.pl -> 174.129.221.183      #       SEATTLE UNITED STATES
csljrbnt.tc -> 174.129.221.183  #       SEATTLE UNITED STATES
cctidh.com.py -> 174.129.221.183        #       SEATTLE UNITED STATES
ttyo.com.ni -> 174.129.221.183  #       SEATTLE UNITED STATES
cweuark.co.il -> 174.129.221.183        #       SEATTLE UNITED STATES
mmwoimz.ec -> 174.129.221.183   #       SEATTLE UNITED STATES
zjtsibqh.com.ki -> 174.129.221.183      #       SEATTLE UNITED STATES
nmysrae.com.gt -> ydkj.com.gt -> 174.129.221.183        #       SEATTLE UNITED STATES
smwivxf.com.br -> 174.129.221.183       #       SEATTLE UNITED STATES
wngug.co.za -> 174.129.221.183  #       SEATTLE UNITED STATES
jhfkufw.com.do -> 174.129.221.183       #       SEATTLE UNITED STATES
webbp.com.sv -> 174.129.221.183 #       SEATTLE UNITED STATES
eqmekqgs.com.tr -> 174.129.221.183      #       SEATTLE UNITED STATES
iemve.ps -> 174.129.221.183     #       SEATTLE UNITED STATES
kvjely.nf -> 174.129.221.183    #       SEATTLE UNITED STATES
wgli.cd -> 174.129.221.183      #       SEATTLE UNITED STATES
tnmlyo.tj -> 174.129.221.183    #       SEATTLE UNITED STATES
buzbmkzmo.ch -> 174.129.221.183 #       SEATTLE UNITED STATES
jvfcqbnzu.tj -> 174.129.221.183 #       SEATTLE UNITED STATES
lpgkarye.ae -> 174.129.221.183  #       SEATTLE UNITED STATES
ykthopqxt.ms -> 174.129.221.183 #       SEATTLE UNITED STATES
pftiafcrt.cz -> 174.129.221.183 #       SEATTLE UNITED STATES
pymyhw.co.za -> 174.129.221.183 #       SEATTLE UNITED STATES
tjcpvfrr.bo -> 174.129.221.183  #       SEATTLE UNITED STATES
ztbcizu.dk -> 174.129.221.183   #       SEATTLE UNITED STATES
huwzc.md -> 174.129.221.183     #       SEATTLE UNITED STATES
ejkmddffz.am -> 174.129.221.183 #       SEATTLE UNITED STATES
ygov.com.do -> 174.129.221.183  #       SEATTLE UNITED STATES
jwcms.pl -> 174.129.221.183     #       SEATTLE UNITED STATES
atfjti.com.ar -> 174.129.221.183        #       SEATTLE UNITED STATES
ucoz.ru -> 217.199.217.3        #       MOSCOW  RUSSIAN FEDERATION
vrbwtchr.be -> 174.129.221.183  #       SEATTLE UNITED STATES
ibjzzitap.ca -> 174.129.221.183 #       SEATTLE UNITED STATES
tmoy.tl -> 174.129.221.183      #       SEATTLE UNITED STATES
gznvyxgup.com.sv -> 174.129.221.183     #       SEATTLE UNITED STATES
nvsnzsjby.com.br -> 174.129.221.183     #       SEATTLE UNITED STATES
feuvutif.co.cr -> 174.129.221.183       #       SEATTLE UNITED STATES
sourceforge.net -> 216.34.181.60        #       MOUNTAIN VIEW   UNITED STATES
zwgvhhrjs.be -> 174.129.221.183 #       SEATTLE UNITED STATES
mnkdwmyxd.kn -> 174.129.221.183 #       SEATTLE UNITED STATES
mqxankae.ps -> 174.129.221.183  #       SEATTLE UNITED STATES
uuunflq.com.ua -> 174.129.221.183       #       SEATTLE UNITED STATES
irrn.com.py -> 174.129.221.183  #       SEATTLE UNITED STATES
sfxho.to -> 174.129.221.183     #       SEATTLE UNITED STATES
live.com -> 207.46.30.34        #       NEW YORK        UNITED STATES
knvphpwyy.com.lc -> 174.129.221.183     #       SEATTLE UNITED STATES
qmhyhrdc.pe -> 174.129.221.183  #       SEATTLE UNITED STATES
ppsred.com.co -> 174.129.221.183        #       SEATTLE UNITED STATES
hffscoah.at -> 174.129.221.183  #       SEATTLE UNITED STATES
mqimqouqi.co.ke -> 174.129.221.183      #       SEATTLE UNITED STATES
gptlnxx.com.tt -> 174.129.221.183       #       SEATTLE UNITED STATES
ddfxjmxkh.gr -> 174.129.221.183 #       SEATTLE UNITED STATES
wgjj.com.pa -> 174.129.221.183  #       SEATTLE UNITED STATES
zyyjr.com.mt -> 174.129.221.183 #       SEATTLE UNITED STATES
kckysnu.com.sv -> 174.129.221.183       #       SEATTLE UNITED STATES
acllntys.com.ng -> 174.129.221.183      #       SEATTLE UNITED STATES
xzvtb.com.pe -> 174.129.221.183 #       SEATTLE UNITED STATES
dvmh.com.ve -> 174.129.221.183  #       SEATTLE UNITED STATES
ummw.com.jm -> 174.129.221.183  #       SEATTLE UNITED STATES
hlproyaiw.mn -> 174.129.221.183 #       SEATTLE UNITED STATES
pquswnz.ps -> 174.129.221.183   #       SEATTLE UNITED STATES
inygavmo.gy -> 174.129.221.183  #       SEATTLE UNITED STATES
hefrzxeku.ag -> 174.129.221.183 #       SEATTLE UNITED STATES
xusxr.im -> 174.129.221.183     #       SEATTLE UNITED STATES
mytlpa.my -> 174.129.221.183    #       SEATTLE UNITED STATES
vflhi.com.ar -> 174.129.221.183 #       SEATTLE UNITED STATES
kcgerutd.bo -> 174.129.221.183  #       SEATTLE UNITED STATES
whvfa.com.tw -> 174.129.221.183 #       SEATTLE UNITED STATES
lxkmuw.kz -> 174.129.221.183    #       SEATTLE UNITED STATES
clicksor.com -> 66.48.81.155    #       RICHMOND HILL   CANADA
uepsfff.tn -> 174.129.221.183   #       SEATTLE UNITED STATES
ewve.ly -> 174.129.221.183      #       SEATTLE UNITED STATES
zcqj.com.gt -> 174.129.221.183  #       SEATTLE UNITED STATES
luefbr.ca -> 174.129.221.183    #       SEATTLE UNITED STATES
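
A small parser for the resolver output shown above, added here as an example (not Mr Clean's tool or code from the post): it groups queried names by answer IP, copes with chained answers such as `56.com -> dmfppp.us -> 174.129.221.183`, and reports any IP that fronts many names across many different TLDs, which is what makes the single Amazon address stand out among ordinary sites. The sample lines are a short excerpt of that output; the thresholds are assumptions.

```python
import re
from collections import defaultdict

# Short excerpt of the resolver output shown in the post above (same
# "name -> [name ->] ip # city country" layout); not a new data set.
SAMPLE = """\
tvhutv.vn -> 174.129.221.183    #       SEATTLE UNITED STATES
mvicdbhk.com.pe -> 174.129.221.183      #       SEATTLE UNITED STATES
yahoo.co.jp -> 124.83.139.192   #       TOKYO   JAPAN
56.com -> dmfppp.us -> 174.129.221.183  #       SEATTLE UNITED STATES
reference.com -> 66.235.120.98  #       OAKLAND UNITED STATES
nmysrae.com.gt -> ydkj.com.gt -> 174.129.221.183        #       SEATTLE UNITED STATES
sourceforge.net -> 216.34.181.60        #       MOUNTAIN VIEW   UNITED STATES
lzwd.pk -> 174.129.221.183      #       SEATTLE UNITED STATES
"""

IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def parse_line(line):
    """Split one line into (queried_name, intermediate_hops, ip, location).
    Hops are the extra names in chained answers such as
    '56.com -> dmfppp.us -> 174.129.221.183'. Returns None for junk lines."""
    body, _, location = line.partition("#")
    hops = [h.strip() for h in body.split("->")]
    if len(hops) < 2 or not IPV4.match(hops[-1]):
        return None
    return hops[0].lower(), hops[1:-1], hops[-1], " ".join(location.split())


def group_by_ip(text):
    """Map each answer IP to the set of queried names that resolved to it."""
    by_ip = defaultdict(set)
    for line in text.splitlines():
        parsed = parse_line(line)
        if parsed:
            name, _hops, ip, _loc = parsed
            by_ip[ip].add(name)
    return dict(by_ip)


def tld_spread(names):
    """Number of distinct top-level labels among the names; one IP fronting
    many unrelated ccTLDs is the pattern visible in the post above."""
    return len({n.rsplit(".", 1)[-1] for n in names})


def shared_ips(text, min_domains=3, min_tlds=3):
    """IPs answered for at least min_domains distinct names spanning at
    least min_tlds distinct TLDs (thresholds are assumptions), as
    {ip: sorted_names}."""
    return {ip: sorted(names) for ip, names in group_by_ip(text).items()
            if len(names) >= min_domains and tld_spread(names) >= min_tlds}
```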
Title: Re: Conficker/Downadup news
Post by: SysAdMini on April 07, 2009, 06:16:45 am
Birthday Problem and Conficker
http://blogs.technet.com/mmpc/archive/2009/04/06/birthday-problem-and-conficker.aspx
Title: Re: Conficker/Downadup news
Post by: SysAdMini on April 08, 2009, 08:32:54 pm
Conficker + Waledac ?
https://forums2.symantec.com/t5/Malicious-Code/Downadup-Waledac/ba-p/393454

http://blog.trendmicro.com/downadconficker-watch-new-variant-in-the-mix/
Title: Re: Conficker/Downadup news
Post by: SysAdMini on April 09, 2009, 06:22:09 am
Conficker worm might originate in China
http://news.cnet.com/8301-1009_3-10206754-83.html
Title: Re: Conficker/Downadup news
Post by: SysAdMini on April 09, 2009, 06:30:17 am
New Downad/Conficker variant spreading over P2P
http://countermeasures.trendmicro.eu/new-downadconficker-variant-spreading-over-p2p/

http://threatinfo.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM%5FDOWNAD%2EE&VSect=P
Title: Re: Conficker/Downadup news
Post by: SysAdMini on April 09, 2009, 08:40:27 pm
W32.Downadup.E—Back to Basics
https://forums2.symantec.com/t5/Malicious-Code/W32-Downadup-E-Back-to-Basics/ba-p/393465
Title: Re: Conficker/Downadup news
Post by: SysAdMini on April 14, 2009, 07:47:36 pm
Conficker's Scareware/Fake Security Software Business Model
http://ddanchev.blogspot.com/2009/04/confickers-scarewarefake-security.html
Title: Re: Conficker/Downadup news
Post by: Serg on April 14, 2009, 08:34:33 pm
Quote
Conficker's Scareware/Fake Security Software Business Model
http://ddanchev.blogspot.com/2009/04/confickers-scarewarefake-security.html
If there is a prize for the Kido writer from Microsoft, then there should be a prize for Dancho Danchev from the Kido dev team  :)
Title: Re: Conficker/Downadup news
Post by: SysAdMini on April 15, 2009, 06:13:16 am
The DOWNAD/Conficker Jigsaw Puzzle
http://blog.trendmicro.com/the-downadconficker-jigsaw-puzzle/
Title: Re: Conficker/Downadup news
Post by: SysAdMini on April 21, 2009, 08:10:10 pm
Connecting The Dots: Downadup/Conficker Variants
https://forums2.symantec.com/t5/Malicious-Code/Connecting-The-Dots-Downadup-Conficker-Variants/ba-p/393517
Title: Re: Conficker/Downadup news
Post by: SysAdMini on April 22, 2009, 04:17:26 pm
W32.Downadup P2P Scanner Script for Nmap
https://forums2.symantec.com/t5/Malicious-Code/W32-Downadup-P2P-Scanner-Script-for-Nmap/ba-p/393519
Title: Re: Conficker/Downadup news
Post by: SysAdMini on April 27, 2009, 02:46:50 pm
Conficker analysis from extraexploit.blogspot.com
http://extraexploit.blogspot.com/

Author has sent me this link and wants feedback.
Title: Re: Conficker/Downadup news
Post by: Serg on April 28, 2009, 09:23:13 pm
"how to make conficker for dummies"©
Title: Re: Conficker/Downadup news
Post by: SysAdMini on June 02, 2009, 06:20:41 pm
The Downadup Codex, Edition 2.0.
http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/the_downadup_codex_ed2.pdf
Title: Re: Conficker/Downadup news
Post by: SysAdMini on September 23, 2009, 05:48:28 am
Conficker C P2P Protocol and Implementation
http://mtc.sri.com/Conficker/P2P/