Author Topic: Conficker/Downadup news (Read 42978 times)

SysAdMini · January 14, 2009, 11:51:44 am

Worm Description
http://www.f-secure.com/v-descs/worm_w32_downadup_al.shtml
http://www.symantec.com/security_response/writeup.jsp?docid=2008-123015-3826-99&tabid=2

Removal Tools
ftp://ftp.f-secure.com/anti-virus/tools/beta/fsmrt.zip
ftp://ftp.f-secure.com/anti-virus/tools/beta/f-downadup.zip
http://www.symantec.com/content/en/us/global/removal_tool/threat_writeups/FixDownadup.exe
http://blogs.msdn.com/rockyh/archive/2009/01/14/conficker-removal-with-msrt.aspx
http://www.bitdefender.com/site/Downloads/downloadFile/1584/FreeRemovalTool

How Big is Downadup? Very Big.
http://www.f-secure.com/weblog/archives/00001579.html

Preemptive Downadup Domain Blocklist, Jan. 13-16
http://www.f-secure.com/weblog/archives/00001578.html

Downadup Blocklist, Jan. 9
http://www.f-secure.com/weblog/archives/00001577.html

Tigger` · January 14, 2009, 03:50:47 pm

Thanks for the info.

Serg · January 14, 2009, 05:59:55 pm

First enter was here http://blog.trendmicro.com/ms08-067-vulnerability-botnets-reloaded/.
Grown number infected computers here http://www.dshield.org/port.html?port=445

SysAdMini · January 14, 2009, 06:18:40 pm

Based on F-Secure's latest blocklist I have checked all domains. I haven't found any domains where
I could a payload from.

Here is a list of resolvable domains.

SysAdMini · January 15, 2009, 12:36:13 am

Quote from: julevine on January 14, 2009, 11:54:51 pm

if someone finds a sample of the Conficker worm please post it on site so i can get a sample soon as posible

Please don't post malware samples in public boards. You can contact me by PM for a sample.

chopsforever · January 16, 2009, 09:26:41 pm

Has anyone been able to determine whether or not the algorithm produces a finite number of domains? Anyone seen any in-depth analysis?

SysAdMini · January 16, 2009, 11:31:16 pm

Calculating the Size of the Downadup Outbreak
http://www.f-secure.com/weblog/archives/00001584.html

Today's calculation is a total of 8,976,038 infections worldwide and 353,495 unique IP addresses.

SysAdMini · January 17, 2009, 11:12:23 am

Preemptive Downadup Domain Blocklist, Jan. 13-16
http://www.f-secure.com/weblog/archives/downadup_domain_blocklist_17_31.txt

SysAdMini · January 21, 2009, 03:46:34 pm

The Mess that is WORM_DOWNAD
http://blog.trendmicro.com/the-mess-that-is-worm_downad/

SysAdMini · January 23, 2009, 06:45:49 pm

Some of the conficker domains mentioned in f-secure's latest blacklist

http://www.f-secure.com/weblog/archives/downadup_domain_blocklist_17_31.txt

resolve to the same ip addresses like latest Asprox domains.

Code: [Select]

fmhxqutvccr.org
fmkopswuzhj.biz
fnygfr.com
fuougcdv.org
fvwugekf.info
fwkbt.info
gbrpn.org
gbxpxugx.org
ghtileh.biz
gnyluuxneo.com

Asprox news

Latest Asprox domain at MDL

/EDIT

I am not the only one who discovered that.

http://www.matchent.com/wpress/?q=node/434

SysAdMini · January 27, 2009, 10:45:11 am

Attempts at Smart Network Scanning
https://forums.symantec.com/t5/blogs/blogarticlepage/blog-id/malicious_code/article-id/233

Peer-to-Peer Payload Distribution
https://forums.symantec.com/t5/blogs/blogarticlepage/blog-id/malicious_code/article-id/227

Small Improvements Yield Big Returns
https://forums.symantec.com/t5/Malicious-Code/Downadup-Small-Improvements-Yield-Big-Returns/ba-p/381717#A230

A Lock with No Key
https://forums.symantec.com/t5/Malicious-Code/Downadup-A-Lock-with-No-Key/ba-p/381306#A229

Geo-location, Fingerprinting, and Piracy
https://forums.symantec.com/t5/Malicious-Code/Downadup-Geo-location-Fingerprinting-and-Piracy/ba-p/380993#A228

SysAdMini · January 27, 2009, 02:28:56 pm

Kidokiller - removal tool from Kaspersky
http://data2.kaspersky-labs.com:8080/special/KidoKiller.zip

aaudi · January 28, 2009, 04:46:14 am

Additional description with screenshots

Conficker.B
http://www.ca.com/us/securityadvisor/virusinfo/virus.aspx?id=76852

Conficker.A
http://www.ca.com/securityadvisor/virusinfo/virus.aspx?id=75911

SysAdMini · January 30, 2009, 07:46:28 pm

Downadup.B/Conflicker.B IP generation and domain name predictor tool
http://mnin.blogspot.com/2009/01/downatool-for-downadupbconflickerb.html

Quote

You can use it to predict the list of domain names that the worm will contact on a given date. Downadup.B uses a completely different algorithm for selecting IPs to attack with MS08-067. Fortunately, you can also use this tool to mimic the random IP address generation algorithm to predict which IPs the worm will attempt to attack.

Memory Injection Model
http://blog.threatexpert.com/2009/01/confickerdownadup-memory-injection.html

SysAdMini · January 31, 2009, 01:04:51 pm

F-Secures' Preemptive Downadup Blocklist for February
http://www.f-secure.com/weblog/archives/00001593.html

Author Topic: Conficker/Downadup news (Read 42978 times)

SysAdMini

Conficker/Downadup news

Tigger`

Re: Conficker/Downadup news

Serg

Re: Conficker/Downadup news

SysAdMini

Re: Conficker/Downadup news

SysAdMini

Re: Conficker/Downadup news

chopsforever

Re: Conficker/Downadup news

SysAdMini

Re: Conficker/Downadup news

SysAdMini

Re: Conficker/Downadup news

SysAdMini

Re: Conficker/Downadup news

SysAdMini

Re: Conficker/Downadup news

SysAdMini

Re: Conficker/Downadup news

SysAdMini

Re: Conficker/Downadup news

aaudi

Re: Conficker/Downadup news

SysAdMini

Re: Conficker/Downadup news

SysAdMini

Re: Conficker/Downadup news