Malware Domain List

Malware Related => Tools of the trade / Internet News => Topic started by: SysAdMini on January 14, 2009, 11:51:44 am

Title: Conficker/Downadup news
Post by: SysAdMini on January 14, 2009, 11:51:44 am: Worm Description
http://www.f-secure.com/v-descs/worm_w32_downadup_al.shtml
http://www.symantec.com/security_response/writeup.jsp?docid=2008-123015-3826-99&tabid=2

Removal Tools
ftp://ftp.f-secure.com/anti-virus/tools/beta/fsmrt.zip
ftp://ftp.f-secure.com/anti-virus/tools/beta/f-downadup.zip
http://www.symantec.com/content/en/us/global/removal_tool/threat_writeups/FixDownadup.exe
http://blogs.msdn.com/rockyh/archive/2009/01/14/conficker-removal-with-msrt.aspx
http://www.bitdefender.com/site/Downloads/downloadFile/1584/FreeRemovalTool

How Big is Downadup? Very Big.
http://www.f-secure.com/weblog/archives/00001579.html

Preemptive Downadup Domain Blocklist, Jan. 13-16
http://www.f-secure.com/weblog/archives/00001578.html

Downadup Blocklist, Jan. 9
http://www.f-secure.com/weblog/archives/00001577.html
Title: Re: Conficker/Downadup news
Post by: Tigger` on January 14, 2009, 03:50:47 pm: Thanks for the info. :)
Title: Re: Conficker/Downadup news
Post by: Serg on January 14, 2009, 05:59:55 pm: First enter was here http://blog.trendmicro.com/ms08-067-vulnerability-botnets-reloaded/ (http://blog.trendmicro.com/ms08-067-vulnerability-botnets-reloaded/).
Grown number infected computers here http://www.dshield.org/port.html?port=445 (http://www.dshield.org/port.html?port=445)
Title: Re: Conficker/Downadup news
Post by: SysAdMini on January 14, 2009, 06:18:40 pm: Based on F-Secure's latest blocklist I have checked all domains. I haven't found any domains where
I could a payload from.

Here is a list of resolvable domains.
Title: Re: Conficker/Downadup news
Post by: SysAdMini on January 15, 2009, 12:36:13 am: Quote from: julevine on January 14, 2009, 11:54:51 pm
if someone finds a sample of the Conficker worm please post it on site so i can get a sample soon as posible

Please don't post malware samples in public boards. You can contact me by PM for a sample.
Title: Re: Conficker/Downadup news
Post by: chopsforever on January 16, 2009, 09:26:41 pm: Has anyone been able to determine whether or not the algorithm produces a finite number of domains? Anyone seen any in-depth analysis?
Title: Re: Conficker/Downadup news
Post by: SysAdMini on January 16, 2009, 11:31:16 pm: Calculating the Size of the Downadup Outbreak
http://www.f-secure.com/weblog/archives/00001584.html

Today's calculation is a total of 8,976,038 infections worldwide and 353,495 unique IP addresses.
Title: Re: Conficker/Downadup news
Post by: SysAdMini on January 17, 2009, 11:12:23 am: Preemptive Downadup Domain Blocklist, Jan. 13-16
http://www.f-secure.com/weblog/archives/downadup_domain_blocklist_17_31.txt
Title: Re: Conficker/Downadup news
Post by: SysAdMini on January 21, 2009, 03:46:34 pm: The Mess that is WORM_DOWNAD
http://blog.trendmicro.com/the-mess-that-is-worm_downad/
Title: Re: Conficker/Downadup news
Post by: SysAdMini on January 23, 2009, 06:45:49 pm: Some of the conficker domains mentioned in f-secure's latest blacklist

http://www.f-secure.com/weblog/archives/downadup_domain_blocklist_17_31.txt

resolve to the same ip addresses like latest Asprox domains.

Code: [Select]
fmhxqutvccr.org fmkopswuzhj.biz fnygfr.com fuougcdv.org fvwugekf.info fwkbt.info gbrpn.org gbxpxugx.org ghtileh.biz gnyluuxneo.com
Asprox news (http://www.dynamoo.com/blog/labels/Asprox.html)

Latest Asprox domain at MDL (http://www.malwaredomainlist.com/mdl.php?inactive=&sort=Date&search=asprox&colsearch=All&ascordesc=DESC&quantity=50&page=0)

/EDIT

I am not the only one who discovered that.

http://www.matchent.com/wpress/?q=node/434
Title: Re: Conficker/Downadup news
Post by: SysAdMini on January 27, 2009, 10:45:11 am: Attempts at Smart Network Scanning
https://forums.symantec.com/t5/blogs/blogarticlepage/blog-id/malicious_code/article-id/233

Peer-to-Peer Payload Distribution
https://forums.symantec.com/t5/blogs/blogarticlepage/blog-id/malicious_code/article-id/227

Small Improvements Yield Big Returns
https://forums.symantec.com/t5/Malicious-Code/Downadup-Small-Improvements-Yield-Big-Returns/ba-p/381717#A230

A Lock with No Key
https://forums.symantec.com/t5/Malicious-Code/Downadup-A-Lock-with-No-Key/ba-p/381306#A229

Geo-location, Fingerprinting, and Piracy
https://forums.symantec.com/t5/Malicious-Code/Downadup-Geo-location-Fingerprinting-and-Piracy/ba-p/380993#A228
Title: Re: Conficker/Downadup news
Post by: SysAdMini on January 27, 2009, 02:28:56 pm: Kidokiller - removal tool from Kaspersky
http://data2.kaspersky-labs.com:8080/special/KidoKiller.zip
Title: Re: Conficker/Downadup news
Post by: aaudi on January 28, 2009, 04:46:14 am: Additional description with screenshots

Conficker.B
http://www.ca.com/us/securityadvisor/virusinfo/virus.aspx?id=76852

Conficker.A
http://www.ca.com/securityadvisor/virusinfo/virus.aspx?id=75911
Title: Re: Conficker/Downadup news
Post by: SysAdMini on January 30, 2009, 07:46:28 pm: Downadup.B/Conflicker.B IP generation and domain name predictor tool
http://mnin.blogspot.com/2009/01/downatool-for-downadupbconflickerb.html

Quote
You can use it to predict the list of domain names that the worm will contact on a given date. Downadup.B uses a completely different algorithm for selecting IPs to attack with MS08-067. Fortunately, you can also use this tool to mimic the random IP address generation algorithm to predict which IPs the worm will attempt to attack.

Memory Injection Model
http://blog.threatexpert.com/2009/01/confickerdownadup-memory-injection.html
Title: Re: Conficker/Downadup news
Post by: SysAdMini on January 31, 2009, 01:04:51 pm: F-Secures' Preemptive Downadup Blocklist for February
http://www.f-secure.com/weblog/archives/00001593.html
Title: Re: Conficker/Downadup news
Post by: SysAdMini on February 01, 2009, 06:47:31 pm: There is one thing which has not mentioned in all the reports about Downadup.

Downadup doesn't use domain names in HTTP requests. It does a DNS lookup first
and then uses the IP address for the request.

This makes blacklisting of domain names on a proxy server completely useless.
I made this experience myself.
Title: Re: Conficker/Downadup news
Post by: SysAdMini on February 09, 2009, 07:46:10 am: Some tricks from Conficker's bag
http://isc.sans.org/diary.html?storyid=5830
Title: Re: Conficker/Downadup news
Post by: SysAdMini on February 10, 2009, 12:55:59 am: Kaspersky, OpenDNS Collaborate to Slow Conficker Worm
http://www.pcworld.com/businesscenter/article/159165/kaspersky_opendns_collaborate_to_slow_conficker_worm.html
Title: Re: Conficker/Downadup news
Post by: SysAdMini on February 10, 2009, 01:12:50 am: Downadup: Playing with Universal Plug and Play
https://forums.symantec.com/t5/Malicious-Code/Downadup-Playing-with-Universal-Plug-and-Play/ba-p/383244#A234
Title: Re: Conficker/Downadup news
Post by: SysAdMini on February 10, 2009, 08:24:28 pm: More tricks from Conficker and VM detection
http://isc.sans.org/diary.html?storyid=5842
Title: Re: Conficker/Downadup news
Post by: SysAdMini on February 12, 2009, 05:11:38 pm: Coalition Formed in Response to W32.Downadup
https://forums.symantec.com/t5/Malicious-Code/Coalition-Formed-in-Response-to-W32-Downadup/ba-p/388129
Title: Re: Conficker/Downadup news
Post by: Serg on February 12, 2009, 09:03:50 pm: Microsoft offers $250,000 reward for Conficker arrest and conviction.
http://www.microsoft.com/Presspass/press/2009/feb09/02-12ConfickerPR.mspx?rss_fdn=Press%20Releases (http://www.microsoft.com/Presspass/press/2009/feb09/02-12ConfickerPR.mspx?rss_fdn=Press%20Releases)
PS. Sorry for my stupid paint brush ::)
(http://img140.imageshack.us/img140/6324/wantedbyslevin28tr4.jpg)
Title: Re: Conficker/Downadup news
Post by: SysAdMini on February 13, 2009, 08:47:41 am: Quote from: Serg on February 12, 2009, 09:03:50 pm
PS. Sorry for my stupid paint brush ::)

Nice. ;D
Title: Re: Conficker/Downadup news
Post by: SysAdMini on February 13, 2009, 09:24:40 am: Conficker links by isc.sans.org
http://isc.sans.org/diary.html?storyid=5860
Title: Re: Conficker/Downadup news
Post by: SysAdMini on February 13, 2009, 04:16:22 pm: An Analysis of Conficker's Logic and Rendezvous Points
http://mtc.sri.com/Conficker/
Title: Re: Conficker/Downadup news
Post by: SysAdMini on February 18, 2009, 07:41:40 pm: Downadup: Locking Itself Out
https://forums.symantec.com/t5/Malicious-Code/Downadup-Locking-Itself-Out/ba-p/389837
Title: Re: Conficker/Downadup news
Post by: SysAdMini on February 19, 2009, 08:37:34 pm: Making Conficker Cough Up the Goods
http://vrt-sourcefire.blogspot.com/2009/02/making-conficker-cough-up-goods.html
Title: Re: Conficker/Downadup news
Post by: SysAdMini on February 23, 2009, 10:23:46 pm: Downadup—Advanced Crypto Protection
https://forums.symantec.com/t5/Malicious-Code/Downadup-Advanced-Crypto-Protection/ba-p/391311
Title: Re: Conficker/Downadup news
Post by: SysAdMini on March 01, 2009, 12:59:14 pm: Conficker Collateral Damage for March 2009
http://www.sophos.com/security/blog/2009/03/3457.html
Title: Re: Conficker/Downadup news
Post by: SysAdMini on March 02, 2009, 07:17:58 am: Downadup/Conficker/Kido Infection-traffic analysis
http://annysoft.wordpress.com/2009/02/01/downadupconfickerkido-infection-traffic-analysis/
Title: Re: Conficker/Downadup news
Post by: SysAdMini on March 07, 2009, 12:56:25 am: W32.Downadup.C Digs in Deeper
https://forums2.symantec.com/t5/Malicious-Code/W32-Downadup-C-Digs-in-Deeper/ba-p/393245#A249
Title: Re: Conficker/Downadup news
Post by: Serg on March 07, 2009, 08:37:09 pm: Conficker gets upgraded with defenses
http://www.theregister.co.uk/2009/03/07/conficker_upgrade/ (http://www.theregister.co.uk/2009/03/07/conficker_upgrade/)
Quote
The new component ups the ante by increasing the number of domains to 50,000 per day.
Title: Re: Conficker/Downadup news
Post by: SysAdMini on March 13, 2009, 04:58:54 pm: The Downadup Codex
Quote
How do you summarize the functionality of a threat like Downadup? It sounds like the sort of challenge taken up only by folks that can solve a Rubik’s Cube in 30 seconds or less. If someone asked me do so in a sentence, here’s how I’d do it:

https://forums2.symantec.com/t5/Malicious-Code/The-Downadup-Codex/ba-p/393279

http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/the_downadup_codex_ed1.pdf
Title: Re: Conficker/Downadup news
Post by: Serg on March 18, 2009, 11:27:33 am: from 4 march we see big decrease of kido activity on 445 port http://www.dshield.org/port.html?port=445 (http://www.dshield.org/port.html?port=445). There was suspicion that some of kido cnc server is online and out of coalition block http://www.microsoft.com/Presspass/press/2009/feb09/02-12ConfickerPR.mspx?rss_fdn=Press%20Releases (http://www.microsoft.com/Presspass/press/2009/feb09/02-12ConfickerPR.mspx?rss_fdn=Press%20Releases). We've checked and rechecked. Some of infected pc are updated. So that's true. Now we have 25!!! samples of new kido based malware. Good news - update is not a worm. Bad news - update has p2p crypto protocol. Symantec already write some thing about that https://forums2.symantec.com/t5/Malicious-Code/W32-Downadup-C-Digs-in-Deeper/ba-p/393245 (https://forums2.symantec.com/t5/Malicious-Code/W32-Downadup-C-Digs-in-Deeper/ba-p/393245) but that main point of this post is "The coalition doesn't work!!!". ...Crap... Idiots...

PS. New kido in ida
Code: [Select]
UPX0:10003D29 cmp [esp+1BCh+SystemTime.wYear], 2009 UPX0:10003D30 ja short loc_10003D46 UPX0:10003D32 jnz short loc_10003D5C UPX0:10003D34 cmp [esp+1BCh+SystemTime.wMonth], 4 UPX0:10003D3A ja short loc_10003D46 UPX0:10003D3C jnz short loc_10003D5C UPX0:10003D3E cmp [esp+1BCh+SystemTime.wDay], 1 UPX0:10003D44 jb short loc_10003D5Cwe have two weeks to make a solution...
Title: Re: Conficker/Downadup news
Post by: SysAdMini on March 20, 2009, 06:43:22 am: Conficker.C Analysis
http://mtc.sri.com/Conficker/addendumC/
Title: Re: Conficker/Downadup news
Post by: SysAdMini on March 20, 2009, 09:19:26 pm: W32.Downadup.C Bolsters P2P
https://forums2.symantec.com/t5/Malicious-Code/W32-Downadup-C-Bolsters-P2P/ba-p/393331
Title: Re: Conficker/Downadup news
Post by: SysAdMini on March 22, 2009, 04:17:51 pm: Conficker Removal Tools urls
http://isc.sans.org/diary.html?storyid=5860
Title: Re: Conficker/Downadup news
Post by: SysAdMini on March 30, 2009, 02:31:17 pm: Detecting Conficker
http://honeynet.org/node/388
Title: Re: Conficker/Downadup news
Post by: sowhat-x on March 30, 2009, 03:15:23 pm: Containing Conficker
http://iv.cs.uni-bonn.de/wg/cs/applications/containing-conficker/
Linked from Honeypot.org above...that's really cool work there...
Title: Re: Conficker/Downadup news
Post by: SysAdMini on March 30, 2009, 04:09:59 pm: Quote from: SysAdMini on March 30, 2009, 02:31:17 pm
Detecting Conficker
http://honeynet.org/node/388

Win32 version of the tool. No need to install python ... manually.

http://www.bsk-consulting.de/download/scs-win.zip
Title: Re: Conficker/Downadup news
Post by: sowhat-x on March 31, 2009, 05:30:27 pm: Conficker Working Group Wiki
http://confickerworkinggroup.net/wiki/
Title: Re: Conficker/Downadup news
Post by: SysAdMini on April 01, 2009, 05:56:50 am: Restore Access to Blocked Sites on Conficked Systems
http://countermeasures.trendmicro.eu/restore-access-to-blocked-sites-on-conficked-systems/
Title: Re: Conficker/Downadup news
Post by: SysAdMini on April 02, 2009, 07:52:28 am: Conficker World Maps
http://www.f-secure.com/weblog/archives/00001646.html
Title: Re: Conficker/Downadup news
Post by: sowhat-x on April 02, 2009, 09:59:41 pm: The art of unpacking Conficker worm
http://blog.fortinet.com/the-art-of-unpacking-conficker-worm/
Title: Re: Conficker/Downadup news
Post by: sowhat-x on April 02, 2009, 10:47:37 pm: Both Nmap and Nessus have been updated in the meanwhile in order to avoid false positives...
http://nmap.org/changelog.html
http://blog.tenablesecurity.com/2009/04/updated-conficker-detection-plugin-released.html
Title: Re: Conficker/Downadup news
Post by: SysAdMini on April 03, 2009, 07:20:59 pm: Conficker.C : de peer en peer
https://cert.lexsi.com/weblog/index.php/2009/03/31/294-confickerc-de-peer-en-peer
Title: Re: Conficker/Downadup news
Post by: SysAdMini on April 04, 2009, 06:05:52 pm: Downad.KK/Conficker.C p2p Port Generation Code Exposed
http://blog.trendmicro.com/downadkkconfickerc-p2p-port-generation-code-exposed/
Title: Re: Conficker/Downadup news
Post by: B_H on April 04, 2009, 11:12:18 pm: how to detect infected machine conficker in your lan ,

listen ! and listen ! to incoming traffic !
Quote
sudo ngrep -qd eth0 -W single -s 900 -X 0xe8ffffffffc15e8d4e108031c441668139455075f5aec69da04f85ea4f84c84f84d84fc44f9ccc497258c4c4c42cedc4c4c494263c4f38923bd3574702c32cdcc4c4c4f71696964f08a203c5bcea953bb3c096969592963bf33b24699592514f8ff84f88cfbcc70ff73249d077c795e44fd6c717f7040504c3f6c68644fec4b131ff01b0c282ffb5dcb61b4f95e0c717cb73d0b64f85d8c7074fc054c7079a9d07a4664eb2e244680cb1b6a8a9abaac45de7991dacb0b0b4feebeb 'tcp port 445 and dst net 127.0.0.0/8'

credit : til- nep channel
Title: Re: Conficker/Downadup news
Post by: SysAdMini on April 05, 2009, 05:09:34 pm: Open Source Conficker-C Scanner/Detector Released
http://isc.sans.org/diary.html?storyid=6130
http://mtc.sri.com/Conficker/contrib/scanner.html
Title: Re: Conficker/Downadup news
Post by: Mr Clean on April 06, 2009, 02:28:13 pm: Interesting

Code: [Select]
http://www.threatexpert.com/report.aspx?md5=c9e0917fe3231a652c014ad76b55b26a

all point to 1 IP apparently owned by Amazon

http://whois.domaintools.com/174.129.221.183

Code: [Select]
tvhutv.vn -> 174.129.221.183 # SEATTLE UNITED STATES mvicdbhk.com.pe -> 174.129.221.183 # SEATTLE UNITED STATES vdfv.hu -> 174.129.221.183 # SEATTLE UNITED STATES decv.sk -> 174.129.221.183 # SEATTLE UNITED STATES oqgb.ro -> 174.129.221.183 # SEATTLE UNITED STATES mhwjxfewr.sc -> 174.129.221.183 # SEATTLE UNITED STATES yahoo.co.jp -> 124.83.139.192 # TOKYO JAPAN fbmot.tn -> 174.129.221.183 # SEATTLE UNITED STATES uasfilwu.sg -> 174.129.221.183 # SEATTLE UNITED STATES jpjzx.ca -> 174.129.221.183 # SEATTLE UNITED STATES tdexti.com.fj -> 174.129.221.183 # SEATTLE UNITED STATES xuiw.com.sv -> 174.129.221.183 # SEATTLE UNITED STATES spxd.nf -> 174.129.221.183 # SEATTLE UNITED STATES 56.com -> dmfppp.us -> 174.129.221.183 # SEATTLE UNITED STATES daatcj.co.za -> 174.129.221.183 # SEATTLE UNITED STATES iyer.ir -> 174.129.221.183 # SEATTLE UNITED STATES ekkmwqn.co.cr -> 174.129.221.183 # SEATTLE UNITED STATES zfid.com.ni -> 174.129.221.183 # SEATTLE UNITED STATES jfmvnq.com.tt -> 174.129.221.183 # SEATTLE UNITED STATES reference.com -> 66.235.120.98 # OAKLAND UNITED STATES rubvridu.us -> 174.129.221.183 # SEATTLE UNITED STATES lzwd.pk -> 174.129.221.183 # SEATTLE UNITED STATES edvpwgiwy.la -> 174.129.221.183 # SEATTLE UNITED STATES jfci.pe -> 174.129.221.183 # SEATTLE UNITED STATES lgagqpt.mn -> 174.129.221.183 # SEATTLE UNITED STATES xdbg.pl -> 174.129.221.183 # SEATTLE UNITED STATES csljrbnt.tc -> 174.129.221.183 # SEATTLE UNITED STATES cctidh.com.py -> 174.129.221.183 # SEATTLE UNITED STATES ttyo.com.ni -> 174.129.221.183 # SEATTLE UNITED STATES cweuark.co.il -> 174.129.221.183 # SEATTLE UNITED STATES mmwoimz.ec -> 174.129.221.183 # SEATTLE UNITED STATES zjtsibqh.com.ki -> 174.129.221.183 # SEATTLE UNITED STATES nmysrae.com.gt -> ydkj.com.gt -> 174.129.221.183 # SEATTLE UNITED STATES smwivxf.com.br -> 174.129.221.183 # SEATTLE UNITED STATES wngug.co.za -> 174.129.221.183 # SEATTLE UNITED STATES jhfkufw.com.do -> 174.129.221.183 # SEATTLE UNITED STATES webbp.com.sv -> 174.129.221.183 # SEATTLE UNITED STATES eqmekqgs.com.tr -> 174.129.221.183 # SEATTLE UNITED STATES iemve.ps -> 174.129.221.183 # SEATTLE UNITED STATES kvjely.nf -> 174.129.221.183 # SEATTLE UNITED STATES wgli.cd -> 174.129.221.183 # SEATTLE UNITED STATES tnmlyo.tj -> 174.129.221.183 # SEATTLE UNITED STATES buzbmkzmo.ch -> 174.129.221.183 # SEATTLE UNITED STATES jvfcqbnzu.tj -> 174.129.221.183 # SEATTLE UNITED STATES lpgkarye.ae -> 174.129.221.183 # SEATTLE UNITED STATES ykthopqxt.ms -> 174.129.221.183 # SEATTLE UNITED STATES tvhutv.vn -> 174.129.221.183 # SEATTLE UNITED STATES mvicdbhk.com.pe -> 174.129.221.183 # SEATTLE UNITED STATES vdfv.hu -> 174.129.221.183 # SEATTLE UNITED STATES decv.sk -> 174.129.221.183 # SEATTLE UNITED STATES oqgb.ro -> 174.129.221.183 # SEATTLE UNITED STATES mhwjxfewr.sc -> 174.129.221.183 # SEATTLE UNITED STATES yahoo.co.jp -> 124.83.139.192 # TOKYO JAPAN fbmot.tn -> 174.129.221.183 # SEATTLE UNITED STATES uasfilwu.sg -> 174.129.221.183 # SEATTLE UNITED STATES jpjzx.ca -> 174.129.221.183 # SEATTLE UNITED STATES tdexti.com.fj -> 174.129.221.183 # SEATTLE UNITED STATES xuiw.com.sv -> 174.129.221.183 # SEATTLE UNITED STATES spxd.nf -> 174.129.221.183 # SEATTLE UNITED STATES 56.com -> dmfppp.us -> 174.129.221.183 # SEATTLE UNITED STATES daatcj.co.za -> 174.129.221.183 # SEATTLE UNITED STATES iyer.ir -> 174.129.221.183 # SEATTLE UNITED STATES ekkmwqn.co.cr -> 174.129.221.183 # SEATTLE UNITED STATES zfid.com.ni -> 174.129.221.183 # SEATTLE UNITED STATES jfmvnq.com.tt -> 174.129.221.183 # SEATTLE UNITED STATES reference.com -> 66.235.120.98 # OAKLAND UNITED STATES rubvridu.us -> 174.129.221.183 # SEATTLE UNITED STATES lzwd.pk -> 174.129.221.183 # SEATTLE UNITED STATES edvpwgiwy.la -> 174.129.221.183 # SEATTLE UNITED STATES jfci.pe -> 174.129.221.183 # SEATTLE UNITED STATES lgagqpt.mn -> 174.129.221.183 # SEATTLE UNITED STATES xdbg.pl -> 174.129.221.183 # SEATTLE UNITED STATES csljrbnt.tc -> 174.129.221.183 # SEATTLE UNITED STATES cctidh.com.py -> 174.129.221.183 # SEATTLE UNITED STATES ttyo.com.ni -> 174.129.221.183 # SEATTLE UNITED STATES cweuark.co.il -> 174.129.221.183 # SEATTLE UNITED STATES mmwoimz.ec -> 174.129.221.183 # SEATTLE UNITED STATES zjtsibqh.com.ki -> 174.129.221.183 # SEATTLE UNITED STATES nmysrae.com.gt -> ydkj.com.gt -> 174.129.221.183 # SEATTLE UNITED STATES smwivxf.com.br -> 174.129.221.183 # SEATTLE UNITED STATES wngug.co.za -> 174.129.221.183 # SEATTLE UNITED STATES jhfkufw.com.do -> 174.129.221.183 # SEATTLE UNITED STATES webbp.com.sv -> 174.129.221.183 # SEATTLE UNITED STATES eqmekqgs.com.tr -> 174.129.221.183 # SEATTLE UNITED STATES iemve.ps -> 174.129.221.183 # SEATTLE UNITED STATES kvjely.nf -> 174.129.221.183 # SEATTLE UNITED STATES wgli.cd -> 174.129.221.183 # SEATTLE UNITED STATES tnmlyo.tj -> 174.129.221.183 # SEATTLE UNITED STATES buzbmkzmo.ch -> 174.129.221.183 # SEATTLE UNITED STATES jvfcqbnzu.tj -> 174.129.221.183 # SEATTLE UNITED STATES lpgkarye.ae -> 174.129.221.183 # SEATTLE UNITED STATES ykthopqxt.ms -> 174.129.221.183 # SEATTLE UNITED STATES pftiafcrt.cz -> 174.129.221.183 # SEATTLE UNITED STATES pymyhw.co.za -> 174.129.221.183 # SEATTLE UNITED STATES tjcpvfrr.bo -> 174.129.221.183 # SEATTLE UNITED STATES ztbcizu.dk -> 174.129.221.183 # SEATTLE UNITED STATES huwzc.md -> 174.129.221.183 # SEATTLE UNITED STATES ejkmddffz.am -> 174.129.221.183 # SEATTLE UNITED STATES ygov.com.do -> 174.129.221.183 # SEATTLE UNITED STATES jwcms.pl -> 174.129.221.183 # SEATTLE UNITED STATES atfjti.com.ar -> 174.129.221.183 # SEATTLE UNITED STATES ucoz.ru -> 217.199.217.3 # MOSCOW RUSSIAN FEDERATION vrbwtchr.be -> 174.129.221.183 # SEATTLE UNITED STATES ibjzzitap.ca -> 174.129.221.183 # SEATTLE UNITED STATES tmoy.tl -> 174.129.221.183 # SEATTLE UNITED STATES gznvyxgup.com.sv -> 174.129.221.183 # SEATTLE UNITED STATES nvsnzsjby.com.br -> 174.129.221.183 # SEATTLE UNITED STATES feuvutif.co.cr -> 174.129.221.183 # SEATTLE UNITED STATES sourceforge.net -> 216.34.181.60 # MOUNTAIN VIEW UNITED STATES zwgvhhrjs.be -> 174.129.221.183 # SEATTLE UNITED STATES mnkdwmyxd.kn -> 174.129.221.183 # SEATTLE UNITED STATES mqxankae.ps -> 174.129.221.183 # SEATTLE UNITED STATES uuunflq.com.ua -> 174.129.221.183 # SEATTLE UNITED STATES irrn.com.py -> 174.129.221.183 # SEATTLE UNITED STATES sfxho.to -> 174.129.221.183 # SEATTLE UNITED STATES live.com -> 207.46.30.34 # NEW YORK UNITED STATES knvphpwyy.com.lc -> 174.129.221.183 # SEATTLE UNITED STATES qmhyhrdc.pe -> 174.129.221.183 # SEATTLE UNITED STATES ppsred.com.co -> 174.129.221.183 # SEATTLE UNITED STATES hffscoah.at -> 174.129.221.183 # SEATTLE UNITED STATES mqimqouqi.co.ke -> 174.129.221.183 # SEATTLE UNITED STATES gptlnxx.com.tt -> 174.129.221.183 # SEATTLE UNITED STATES ddfxjmxkh.gr -> 174.129.221.183 # SEATTLE UNITED STATES wgjj.com.pa -> 174.129.221.183 # SEATTLE UNITED STATES zyyjr.com.mt -> 174.129.221.183 # SEATTLE UNITED STATES kckysnu.com.sv -> 174.129.221.183 # SEATTLE UNITED STATES acllntys.com.ng -> 174.129.221.183 # SEATTLE UNITED STATES xzvtb.com.pe -> 174.129.221.183 # SEATTLE UNITED STATES dvmh.com.ve -> 174.129.221.183 # SEATTLE UNITED STATES ummw.com.jm -> 174.129.221.183 # SEATTLE UNITED STATES hlproyaiw.mn -> 174.129.221.183 # SEATTLE UNITED STATES pquswnz.ps -> 174.129.221.183 # SEATTLE UNITED STATES inygavmo.gy -> 174.129.221.183 # SEATTLE UNITED STATES hefrzxeku.ag -> 174.129.221.183 # SEATTLE UNITED STATES xusxr.im -> 174.129.221.183 # SEATTLE UNITED STATES mytlpa.my -> 174.129.221.183 # SEATTLE UNITED STATES vflhi.com.ar -> 174.129.221.183 # SEATTLE UNITED STATES kcgerutd.bo -> 174.129.221.183 # SEATTLE UNITED STATES whvfa.com.tw -> 174.129.221.183 # SEATTLE UNITED STATES lxkmuw.kz -> 174.129.221.183 # SEATTLE UNITED STATES clicksor.com -> 66.48.81.155 # RICHMOND HILL CANADA uepsfff.tn -> 174.129.221.183 # SEATTLE UNITED STATES ewve.ly -> 174.129.221.183 # SEATTLE UNITED STATES zcqj.com.gt -> 174.129.221.183 # SEATTLE UNITED STATES luefbr.ca -> 174.129.221.183 # SEATTLE UNITED STATES
Title: Re: Conficker/Downadup news
Post by: SysAdMini on April 07, 2009, 06:16:45 am: Birthday Problem and Conficker
http://blogs.technet.com/mmpc/archive/2009/04/06/birthday-problem-and-conficker.aspx
Title: Re: Conficker/Downadup news
Post by: SysAdMini on April 08, 2009, 08:32:54 pm: Conficker + Waledac ?
https://forums2.symantec.com/t5/Malicious-Code/Downadup-Waledac/ba-p/393454

http://blog.trendmicro.com/downadconficker-watch-new-variant-in-the-mix/
Title: Re: Conficker/Downadup news
Post by: SysAdMini on April 09, 2009, 06:22:09 am: Conficker worm might originate in China
http://news.cnet.com/8301-1009_3-10206754-83.html
Title: Re: Conficker/Downadup news
Post by: SysAdMini on April 09, 2009, 06:30:17 am: New Downad/Conficker variant spreading over P2P
http://countermeasures.trendmicro.eu/new-downadconficker-variant-spreading-over-p2p/

http://threatinfo.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM%5FDOWNAD%2EE&VSect=P
Title: Re: Conficker/Downadup news
Post by: SysAdMini on April 09, 2009, 08:40:27 pm: W32.Downadup.E—Back to Basics
https://forums2.symantec.com/t5/Malicious-Code/W32-Downadup-E-Back-to-Basics/ba-p/393465
Title: Re: Conficker/Downadup news
Post by: SysAdMini on April 14, 2009, 07:47:36 pm: Conficker's Scareware/Fake Security Software Business Model
http://ddanchev.blogspot.com/2009/04/confickers-scarewarefake-security.html
Title: Re: Conficker/Downadup news
Post by: Serg on April 14, 2009, 08:34:33 pm: Quote from: SysAdMini on April 14, 2009, 07:47:36 pm
Conficker's Scareware/Fake Security Software Business Model
http://ddanchev.blogspot.com/2009/04/confickers-scarewarefake-security.html
if there is price for kido writer from microsoft, then there should be price for Dancho Danchev from kido dev team :)
Title: Re: Conficker/Downadup news
Post by: SysAdMini on April 15, 2009, 06:13:16 am: The DOWNAD/Conficker Jigsaw Puzzle
http://blog.trendmicro.com/the-downadconficker-jigsaw-puzzle/
Title: Re: Conficker/Downadup news
Post by: SysAdMini on April 21, 2009, 08:10:10 pm: Connecting The Dots: Downadup/Conficker Variants
https://forums2.symantec.com/t5/Malicious-Code/Connecting-The-Dots-Downadup-Conficker-Variants/ba-p/393517
Title: Re: Conficker/Downadup news
Post by: SysAdMini on April 22, 2009, 04:17:26 pm: W32.Downadup P2P Scanner Script for Nmap
https://forums2.symantec.com/t5/Malicious-Code/W32-Downadup-P2P-Scanner-Script-for-Nmap/ba-p/393519
Title: Re: Conficker/Downadup news
Post by: SysAdMini on April 27, 2009, 02:46:50 pm: Conficker analysis from extraexploit.blogspot.com
http://extraexploit.blogspot.com/

Author has sent me this link and wants feedback.
Title: Re: Conficker/Downadup news
Post by: Serg on April 28, 2009, 09:23:13 pm: "how to make conficker for dummies"©
Title: Re: Conficker/Downadup news
Post by: SysAdMini on June 02, 2009, 06:20:41 pm: The Downadup Codex, Edition 2.0.
http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/the_downadup_codex_ed2.pdf
Title: Re: Conficker/Downadup news
Post by: SysAdMini on September 23, 2009, 05:48:28 am: Conficker C P2P Protocol and Implementation
http://mtc.sri.com/Conficker/P2P/