Conficker/Downadup news

[SysAdMini]

Conficker.C : de peer en peer
https://cert.lexsi.com/weblog/index.php/2009/03/31/294-confickerc-de-peer-en-peer

[SysAdMini]

Downad.KK/Conficker.C p2p Port Generation Code Exposed
http://blog.trendmicro.com/downadkkconfickerc-p2p-port-generation-code-exposed/

[B_H]

how to detect infected machine conficker in your lan ,

listen ! and listen ! to incoming traffic !

sudo ngrep -qd eth0 -W single -s 900 -X 0xe8ffffffffc15e8d4e108031c441668139455075f5aec69da04f85ea4f84c84f84d84fc44f9ccc497258c4c4c42cedc4c4c494263c4f38923bd3574702c32cdcc4c4c4f71696964f08a203c5bcea953bb3c096969592963bf33b24699592514f8ff84f88cfbcc70ff73249d077c795e44fd6c717f7040504c3f6c68644fec4b131ff01b0c282ffb5dcb61b4f95e0c717cb73d0b64f85d8c7074fc054c7079a9d07a4664eb2e244680cb1b6a8a9abaac45de7991dacb0b0b4feebeb 'tcp port 445 and dst net 127.0.0.0/8'

credit : til- nep channel

[SysAdMini]

Open Source Conficker-C Scanner/Detector Released
http://isc.sans.org/diary.html?storyid=6130
http://mtc.sri.com/Conficker/contrib/scanner.html

[Mr Clean]

Interesting

Code: [Select]

http://www.threatexpert.com/report.aspx?md5=c9e0917fe3231a652c014ad76b55b26a


all point to 1 IP apparently owned by Amazon

http://whois.domaintools.com/174.129.221.183

Code: [Select]

tvhutv.vn -> 174.129.221.183    #       SEATTLE UNITED STATES
mvicdbhk.com.pe -> 174.129.221.183      #       SEATTLE UNITED STATES
vdfv.hu -> 174.129.221.183      #       SEATTLE UNITED STATES
decv.sk -> 174.129.221.183      #       SEATTLE UNITED STATES
oqgb.ro -> 174.129.221.183      #       SEATTLE UNITED STATES
mhwjxfewr.sc -> 174.129.221.183 #       SEATTLE UNITED STATES
yahoo.co.jp -> 124.83.139.192   #       TOKYO   JAPAN
fbmot.tn -> 174.129.221.183     #       SEATTLE UNITED STATES
uasfilwu.sg -> 174.129.221.183  #       SEATTLE UNITED STATES
jpjzx.ca -> 174.129.221.183     #       SEATTLE UNITED STATES
tdexti.com.fj -> 174.129.221.183        #       SEATTLE UNITED STATES
xuiw.com.sv -> 174.129.221.183  #       SEATTLE UNITED STATES
spxd.nf -> 174.129.221.183      #       SEATTLE UNITED STATES
56.com -> dmfppp.us -> 174.129.221.183  #       SEATTLE UNITED STATES
daatcj.co.za -> 174.129.221.183 #       SEATTLE UNITED STATES
iyer.ir -> 174.129.221.183      #       SEATTLE UNITED STATES
ekkmwqn.co.cr -> 174.129.221.183        #       SEATTLE UNITED STATES
zfid.com.ni -> 174.129.221.183  #       SEATTLE UNITED STATES
jfmvnq.com.tt -> 174.129.221.183        #       SEATTLE UNITED STATES
reference.com -> 66.235.120.98  #       OAKLAND UNITED STATES
rubvridu.us -> 174.129.221.183  #       SEATTLE UNITED STATES
lzwd.pk -> 174.129.221.183      #       SEATTLE UNITED STATES
edvpwgiwy.la -> 174.129.221.183 #       SEATTLE UNITED STATES
jfci.pe -> 174.129.221.183      #       SEATTLE UNITED STATES
lgagqpt.mn -> 174.129.221.183   #       SEATTLE UNITED STATES
xdbg.pl -> 174.129.221.183      #       SEATTLE UNITED STATES
csljrbnt.tc -> 174.129.221.183  #       SEATTLE UNITED STATES
cctidh.com.py -> 174.129.221.183        #       SEATTLE UNITED STATES
ttyo.com.ni -> 174.129.221.183  #       SEATTLE UNITED STATES
cweuark.co.il -> 174.129.221.183        #       SEATTLE UNITED STATES
mmwoimz.ec -> 174.129.221.183   #       SEATTLE UNITED STATES
zjtsibqh.com.ki -> 174.129.221.183      #       SEATTLE UNITED STATES
nmysrae.com.gt -> ydkj.com.gt -> 174.129.221.183        #       SEATTLE UNITED STATES
smwivxf.com.br -> 174.129.221.183       #       SEATTLE UNITED STATES
wngug.co.za -> 174.129.221.183  #       SEATTLE UNITED STATES
jhfkufw.com.do -> 174.129.221.183       #       SEATTLE UNITED STATES
webbp.com.sv -> 174.129.221.183 #       SEATTLE UNITED STATES
eqmekqgs.com.tr -> 174.129.221.183      #       SEATTLE UNITED STATES
iemve.ps -> 174.129.221.183     #       SEATTLE UNITED STATES
kvjely.nf -> 174.129.221.183    #       SEATTLE UNITED STATES
wgli.cd -> 174.129.221.183      #       SEATTLE UNITED STATES
tnmlyo.tj -> 174.129.221.183    #       SEATTLE UNITED STATES
buzbmkzmo.ch -> 174.129.221.183 #       SEATTLE UNITED STATES
jvfcqbnzu.tj -> 174.129.221.183 #       SEATTLE UNITED STATES
lpgkarye.ae -> 174.129.221.183  #       SEATTLE UNITED STATES
ykthopqxt.ms -> 174.129.221.183 #       SEATTLE UNITED STATES
tvhutv.vn -> 174.129.221.183    #       SEATTLE UNITED STATES
mvicdbhk.com.pe -> 174.129.221.183      #       SEATTLE UNITED STATES
vdfv.hu -> 174.129.221.183      #       SEATTLE UNITED STATES
decv.sk -> 174.129.221.183      #       SEATTLE UNITED STATES
oqgb.ro -> 174.129.221.183      #       SEATTLE UNITED STATES
mhwjxfewr.sc -> 174.129.221.183 #       SEATTLE UNITED STATES
yahoo.co.jp -> 124.83.139.192   #       TOKYO   JAPAN
fbmot.tn -> 174.129.221.183     #       SEATTLE UNITED STATES
uasfilwu.sg -> 174.129.221.183  #       SEATTLE UNITED STATES
jpjzx.ca -> 174.129.221.183     #       SEATTLE UNITED STATES
tdexti.com.fj -> 174.129.221.183        #       SEATTLE UNITED STATES
xuiw.com.sv -> 174.129.221.183  #       SEATTLE UNITED STATES
spxd.nf -> 174.129.221.183      #       SEATTLE UNITED STATES
56.com -> dmfppp.us -> 174.129.221.183  #       SEATTLE UNITED STATES
daatcj.co.za -> 174.129.221.183 #       SEATTLE UNITED STATES
iyer.ir -> 174.129.221.183      #       SEATTLE UNITED STATES
ekkmwqn.co.cr -> 174.129.221.183        #       SEATTLE UNITED STATES
zfid.com.ni -> 174.129.221.183  #       SEATTLE UNITED STATES
jfmvnq.com.tt -> 174.129.221.183        #       SEATTLE UNITED STATES
reference.com -> 66.235.120.98  #       OAKLAND UNITED STATES
rubvridu.us -> 174.129.221.183  #       SEATTLE UNITED STATES
lzwd.pk -> 174.129.221.183      #       SEATTLE UNITED STATES
edvpwgiwy.la -> 174.129.221.183 #       SEATTLE UNITED STATES
jfci.pe -> 174.129.221.183      #       SEATTLE UNITED STATES
lgagqpt.mn -> 174.129.221.183   #       SEATTLE UNITED STATES
xdbg.pl -> 174.129.221.183      #       SEATTLE UNITED STATES
csljrbnt.tc -> 174.129.221.183  #       SEATTLE UNITED STATES
cctidh.com.py -> 174.129.221.183        #       SEATTLE UNITED STATES
ttyo.com.ni -> 174.129.221.183  #       SEATTLE UNITED STATES
cweuark.co.il -> 174.129.221.183        #       SEATTLE UNITED STATES
mmwoimz.ec -> 174.129.221.183   #       SEATTLE UNITED STATES
zjtsibqh.com.ki -> 174.129.221.183      #       SEATTLE UNITED STATES
nmysrae.com.gt -> ydkj.com.gt -> 174.129.221.183        #       SEATTLE UNITED STATES
smwivxf.com.br -> 174.129.221.183       #       SEATTLE UNITED STATES
wngug.co.za -> 174.129.221.183  #       SEATTLE UNITED STATES
jhfkufw.com.do -> 174.129.221.183       #       SEATTLE UNITED STATES
webbp.com.sv -> 174.129.221.183 #       SEATTLE UNITED STATES
eqmekqgs.com.tr -> 174.129.221.183      #       SEATTLE UNITED STATES
iemve.ps -> 174.129.221.183     #       SEATTLE UNITED STATES
kvjely.nf -> 174.129.221.183    #       SEATTLE UNITED STATES
wgli.cd -> 174.129.221.183      #       SEATTLE UNITED STATES
tnmlyo.tj -> 174.129.221.183    #       SEATTLE UNITED STATES
buzbmkzmo.ch -> 174.129.221.183 #       SEATTLE UNITED STATES
jvfcqbnzu.tj -> 174.129.221.183 #       SEATTLE UNITED STATES
lpgkarye.ae -> 174.129.221.183  #       SEATTLE UNITED STATES
ykthopqxt.ms -> 174.129.221.183 #       SEATTLE UNITED STATES
pftiafcrt.cz -> 174.129.221.183 #       SEATTLE UNITED STATES
pymyhw.co.za -> 174.129.221.183 #       SEATTLE UNITED STATES
tjcpvfrr.bo -> 174.129.221.183  #       SEATTLE UNITED STATES
ztbcizu.dk -> 174.129.221.183   #       SEATTLE UNITED STATES
huwzc.md -> 174.129.221.183     #       SEATTLE UNITED STATES
ejkmddffz.am -> 174.129.221.183 #       SEATTLE UNITED STATES
ygov.com.do -> 174.129.221.183  #       SEATTLE UNITED STATES
jwcms.pl -> 174.129.221.183     #       SEATTLE UNITED STATES
atfjti.com.ar -> 174.129.221.183        #       SEATTLE UNITED STATES
ucoz.ru -> 217.199.217.3        #       MOSCOW  RUSSIAN FEDERATION
vrbwtchr.be -> 174.129.221.183  #       SEATTLE UNITED STATES
ibjzzitap.ca -> 174.129.221.183 #       SEATTLE UNITED STATES
tmoy.tl -> 174.129.221.183      #       SEATTLE UNITED STATES
gznvyxgup.com.sv -> 174.129.221.183     #       SEATTLE UNITED STATES
nvsnzsjby.com.br -> 174.129.221.183     #       SEATTLE UNITED STATES
feuvutif.co.cr -> 174.129.221.183       #       SEATTLE UNITED STATES
sourceforge.net -> 216.34.181.60        #       MOUNTAIN VIEW   UNITED STATES
zwgvhhrjs.be -> 174.129.221.183 #       SEATTLE UNITED STATES
mnkdwmyxd.kn -> 174.129.221.183 #       SEATTLE UNITED STATES
mqxankae.ps -> 174.129.221.183  #       SEATTLE UNITED STATES
uuunflq.com.ua -> 174.129.221.183       #       SEATTLE UNITED STATES
irrn.com.py -> 174.129.221.183  #       SEATTLE UNITED STATES
sfxho.to -> 174.129.221.183     #       SEATTLE UNITED STATES
live.com -> 207.46.30.34        #       NEW YORK        UNITED STATES
knvphpwyy.com.lc -> 174.129.221.183     #       SEATTLE UNITED STATES
qmhyhrdc.pe -> 174.129.221.183  #       SEATTLE UNITED STATES
ppsred.com.co -> 174.129.221.183        #       SEATTLE UNITED STATES
hffscoah.at -> 174.129.221.183  #       SEATTLE UNITED STATES
mqimqouqi.co.ke -> 174.129.221.183      #       SEATTLE UNITED STATES
gptlnxx.com.tt -> 174.129.221.183       #       SEATTLE UNITED STATES
ddfxjmxkh.gr -> 174.129.221.183 #       SEATTLE UNITED STATES
wgjj.com.pa -> 174.129.221.183  #       SEATTLE UNITED STATES
zyyjr.com.mt -> 174.129.221.183 #       SEATTLE UNITED STATES
kckysnu.com.sv -> 174.129.221.183       #       SEATTLE UNITED STATES
acllntys.com.ng -> 174.129.221.183      #       SEATTLE UNITED STATES
xzvtb.com.pe -> 174.129.221.183 #       SEATTLE UNITED STATES
dvmh.com.ve -> 174.129.221.183  #       SEATTLE UNITED STATES
ummw.com.jm -> 174.129.221.183  #       SEATTLE UNITED STATES
hlproyaiw.mn -> 174.129.221.183 #       SEATTLE UNITED STATES
pquswnz.ps -> 174.129.221.183   #       SEATTLE UNITED STATES
inygavmo.gy -> 174.129.221.183  #       SEATTLE UNITED STATES
hefrzxeku.ag -> 174.129.221.183 #       SEATTLE UNITED STATES
xusxr.im -> 174.129.221.183     #       SEATTLE UNITED STATES
mytlpa.my -> 174.129.221.183    #       SEATTLE UNITED STATES
vflhi.com.ar -> 174.129.221.183 #       SEATTLE UNITED STATES
kcgerutd.bo -> 174.129.221.183  #       SEATTLE UNITED STATES
whvfa.com.tw -> 174.129.221.183 #       SEATTLE UNITED STATES
lxkmuw.kz -> 174.129.221.183    #       SEATTLE UNITED STATES
clicksor.com -> 66.48.81.155    #       RICHMOND HILL   CANADA
uepsfff.tn -> 174.129.221.183   #       SEATTLE UNITED STATES
ewve.ly -> 174.129.221.183      #       SEATTLE UNITED STATES
zcqj.com.gt -> 174.129.221.183  #       SEATTLE UNITED STATES
luefbr.ca -> 174.129.221.183    #       SEATTLE UNITED STATES


[SysAdMini]

Birthday Problem and Conficker
http://blogs.technet.com/mmpc/archive/2009/04/06/birthday-problem-and-conficker.aspx

[SysAdMini]

Conficker + Waledac ?
https://forums2.symantec.com/t5/Malicious-Code/Downadup-Waledac/ba-p/393454

http://blog.trendmicro.com/downadconficker-watch-new-variant-in-the-mix/

[SysAdMini]

Conficker worm might originate in China
http://news.cnet.com/8301-1009_3-10206754-83.html

[SysAdMini]

New Downad/Conficker variant spreading over P2P
http://countermeasures.trendmicro.eu/new-downadconficker-variant-spreading-over-p2p/

http://threatinfo.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM%5FDOWNAD%2EE&VSect=P

[SysAdMini]

W32.Downadup.E—Back to Basics
https://forums2.symantec.com/t5/Malicious-Code/W32-Downadup-E-Back-to-Basics/ba-p/393465

[SysAdMini]

Conficker's Scareware/Fake Security Software Business Model
http://ddanchev.blogspot.com/2009/04/confickers-scarewarefake-security.html

[Serg]

Conficker's Scareware/Fake Security Software Business Model
http://ddanchev.blogspot.com/2009/04/confickers-scarewarefake-security.html

if there is price for kido writer from microsoft, then there should be price for Dancho Danchev from kido dev team 

[SysAdMini]

The DOWNAD/Conficker Jigsaw Puzzle
http://blog.trendmicro.com/the-downadconficker-jigsaw-puzzle/

[SysAdMini]

Connecting The Dots: Downadup/Conficker Variants
https://forums2.symantec.com/t5/Malicious-Code/Connecting-The-Dots-Downadup-Conficker-Variants/ba-p/393517

[SysAdMini]

W32.Downadup P2P Scanner Script for Nmap
https://forums2.symantec.com/t5/Malicious-Code/W32-Downadup-P2P-Scanner-Script-for-Nmap/ba-p/393519